
OpenSClient HOWTO

(c) 2005 by Mariusz Woloszyn

   This document describes how to connect to [18]CheckPoint VPN using Hybrid
   Authentication i.e. the same way SecureClient does.
    1. Download [19]OpenSwan
    2. Download the patch [20]openswan-2.4.0-SecureClient.diff section and
       apply it
    3. Compile and install software following [21]OpenSwan documentation
    4. Obtain firewall certificate using following procedure:

     XXX: following has been tested for VPN-1 on UNIX only, please report if
     it's different for other platforms
         1. Log to your firewall console and export certificate:
fwm exportcert -obj FW-OBJECT-NAME -cert default_cert -file cacert.pkcs7 -pem -
withroot
            where FW-OBJECT-NAME is the dashboard firewall object name and
            default_cert  if  either  firewall  object name or literally:
            default_cert or defaultCert depending on your configuration. If you
            have problem finding its name see into $FWDIR/conf/objects_5_0.C
            for section:
           :certificates (
                 : (zorro
                       :AdminInfo (
(...)
                        )
                 )
           )
            where zorro is the name of the certificate.
         2. Copy the file cacert.pkcs7 to your linux box and convert it to PEM:
openssl pkcs7 -in cacert.pkcs7 -print_certs > certs.pem
            Yes, openssl is required.
    5. Once you have firewall certificates in PEM format pick out the RSA key:
         1. Edit the resulting certs.pem file, there should be two certificates
            in it. Save them to separate file, the first one (root CA) to
            /etc/ipsec.d/cacerts/rootca.pem and the second one (firewall cert)
            under firewall.pem in your working directory. (I'm not absolutely
            sure that the first cert is CA cert always, so you may verify the
            header, which for root CA should look like this:
subject=/O=checkpoint.intranet.example.com..p9bkhs
            and for firewall one like this:
subject=/O=checkpoint.intranet.example.com..p9bkhs/CN=rhl7 VPN Certificate
            Note the CN= part)
         2. Now  go  to  your  openswan  source  directory then follow to
            debian/fswcert and type:
make
make install
            .
         3. Construct the remote rightrsasigkey part for ipsec.conf picking the
            key from firewall.pem certificate file:
ipsec fswcert --cert --right firewall.pem
            Yes, rightrsasigkey is our firewall RSA key :)
    6. Construct ipsec.conf file using acquired rightrsasigkey, be sure to use
       rightid=@! not the output of above command. The sample ipsec.conf is
       here:
conn sc
        leftid=@!
        left=1.1.1.MyIP(it might be %defaultroute too ;)
        leftxauthclient=yes
        right=50.50.50.CheckPoint-IP
        rightsubnet=192.168.0.0/16
        rightrsasigkey=0x2E6A0CC18077BEB56462C62DB4BC9C... <= we got it earlier
        rightxauthserver=yes
        ikelifetime=8h
        rekey=no
        cpsc=yes

       Check twice for errors!!!
    7. Now follow usual procedure to start openswan VPN.

   Please note, that there are certain things that don't work!:
    1. There is is a timing issue. If your CP side requests reauthentication it
       doesn't work (yet?). You have to shut down the tunnel and brig it up
       again   reauthenticating   (it's   specially   true  for  SecureID
       authentication). We encourage you to set rekey=no and ikelifetime=8h so
       the Linux side does not requests for rekeying.
    2. CP  Office  Mode is not supported. That would require some serious
       OpenSwan modifications. If you figure out how to deal with it send us a
       patch :)

   This  page last modified Friday 30 September, 2005 Copyright 2003-2005
   [22]Mariusz Woloszyn

References

   Visible links
  18. http://www.checkpoint.com/
  19. http://www.openswan.org/
  20. http://emsi.it.pl/auto/openswan-2.4.0-SecureClient.diff
  21. http://www.openswan.org/
  22. http://emsi.it.pl/auto/

