OpenSClient HOWTO
(c) 2005 by Mariusz Woloszyn
This document describes how to connect to CheckPoint VPN using Hybrid Authentication i.e. the same way SecureClient does.
- Download OpenSwan
- Download the patch openswan-2.4.0-SecureClient.diff section and apply it
- Compile and install software following OpenSwan documentation
- Obtain firewall certificate using following procedure:
XXX: following has been tested for VPN-1 on UNIX only, please report if it's different for other platforms
- Log to your firewall console and export certificate:
fwm exportcert -obj FW-OBJECT-NAME -cert default_cert -file cacert.pkcs7 -pem -withroot
where FW-OBJECT-NAME is the dashboard firewall object name and default_cert if either firewall object name or literally: default_cert or defaultCert depending on your configuration. If you have problem finding its name see into $FWDIR/conf/objects_5_0.C for section:
:certificates ( : (zorro :AdminInfo ( (...) ) ) )where zorro is the name of the certificate.
- Copy the file cacert.pkcs7 to your linux box and convert it to PEM:
openssl pkcs7 -in cacert.pkcs7 -print_certs > certs.pem
Yes, openssl is required.
- Log to your firewall console and export certificate:
- Once you have firewall certificates in PEM format pick out the RSA key:
- Edit the resulting certs.pem file, there should be two certificates in it. Save them to separate file, the first one (root CA) to /etc/ipsec.d/cacerts/rootca.pem and the second one (firewall cert) under firewall.pem in your working directory. (I'm not absolutely sure that the first cert is CA cert always, so you may verify the header, which for root CA should look like this:
subject=/O=checkpoint.intranet.example.com..p9bkhs
and for firewall one like this:
subject=/O=checkpoint.intranet.example.com..p9bkhs/CN=rhl7 VPN Certificate
Note the CN= part)
- Now go to your openswan source directory then follow to debian/fswcert and type:
make make install
.
- Construct the remote rightrsasigkey part for ipsec.conf picking the key from firewall.pem certificate file:
ipsec fswcert --cert --right firewall.pem
Yes, rightrsasigkey is our firewall RSA key :)
- Edit the resulting certs.pem file, there should be two certificates in it. Save them to separate file, the first one (root CA) to /etc/ipsec.d/cacerts/rootca.pem and the second one (firewall cert) under firewall.pem in your working directory. (I'm not absolutely sure that the first cert is CA cert always, so you may verify the header, which for root CA should look like this:
- Construct ipsec.conf file using acquired rightrsasigkey, be sure to use rightid=@! not the output of above command. The sample ipsec.conf is here:
conn sc leftid=@! left=1.1.1.MyIP(it might be %defaultroute too ;) leftxauthclient=yes right=50.50.50.CheckPoint-IP rightsubnet=192.168.0.0/16 rightrsasigkey=0x2E6A0CC18077BEB56462C62DB4BC9C... <= we got it earlier rightxauthserver=yes ikelifetime=8h rekey=no cpsc=yesCheck twice for errors!!!
- Now follow usual procedure to start openswan VPN.
Please note, that there are certain things that don't work!:
- There is is a timing issue. If your CP side requests reauthentication it doesn't work (yet?). You have to shut down the tunnel and brig it up again reauthenticating (it's specially true for SecureID authentication). We encourage you to set rekey=no and ikelifetime=8h so the Linux side does not requests for rekeying.
- CP Office Mode is not supported. That would require some serious OpenSwan modifications. If you figure out how to deal with it send us a patch :)