[Vpn-devel] Connecting to Check Point VPNs

Volkan Kurt volwol at yahoo.com
Mon Mar 2 03:03:47 CST 2009


Hello all,

First, thank you for this great software. It's one of a kind :)

Now my problem. I think you are familiar with the problems with Check Point. I am trying to connect to Check Point VPNs and I think I have managed to go as far as phase 2. Below are the options I used to accomplish this. By the way, I have found all of these by trial and error.

- Auto configuration: Disabled
- IKE fragmentation: Disable
- Name resolution: manual
- authentication: hybrid rsa + xauth
- local identity : UFQDN with "cn=<username>"
- remote identity: ip address (use discovered)
- credentials: server ca certificate in pem format
- phase 1: main-group 2-aes-256-md5 (enable checkpoint compatible)
- phase 2: esp-aes-256-md5-group 2 (compression disabled)
- policy: manual

According to debug logs, this establishes the Phase 2 SA.  However, one last thing can't be accomplished which keeps me from getting into the vpn. Let me tell you about that:

- Check Point SecuRemote registers itself as a network packet filter with an IP address of 0.0.0.0.
- The Check Point DHCP server leases the IP address 0.0.0.0 as well, whereas the original IP address of the client in the VPN is something else (192.168.x.x).
- When the Shrew client sees the configuration request for 0.0.0.0, it fails to configure the interface, obviously reporting that it is an erroneous address.

So I tried changing the address method, giving an IP address by hand and whatever I could think of but to no avail.

If, for example, I could specify an existing tap device it would most probably solve the issue but that is not an option.

Do you have any suggestions, or could you take this as a feature request? :)

Best,
Volkan KURT
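As an added illustration of the failure described in the post above (this is not code from the original message or from the Shrew Soft client), the following Python decodes the ISAKMP mode-config reply a gateway sends and applies the check that makes a client reject an assigned address of 0.0.0.0. Attribute encoding follows RFC 2408 data attributes and the mode-config draft; the identifier value and sample addresses are constructed for the example.

```python
import ipaddress
import struct

# Mode-config attribute types (draft-ietf-ipsec-isakmp-mode-cfg)
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
INTERNAL_IP4_DNS = 3

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 s3.3): TLV, or TV when the AF bit is set."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, val = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:            # AF=1: 2-byte value carried inline
            attrs[af_type & 0x7FFF] = val.to_bytes(2, "big")
        else:                           # AF=0: 'val' is a length, value bytes follow
            attrs[af_type] = data[off:off + val]
            off += val
    return attrs

def parse_mode_config(body):
    """Decode an attribute payload body (after the generic ISAKMP payload header):
    type(1) reserved(1) identifier(2) attributes..."""
    cfg_type, _reserved, _identifier = struct.unpack_from("!BBH", body, 0)
    return cfg_type, parse_attributes(body[4:])

def check_assigned_address(attrs):
    """Return 'ok' or the reason a client cannot configure its tunnel interface."""
    raw = attrs.get(INTERNAL_IP4_ADDRESS)
    if raw is None or len(raw) != 4:
        return "no usable INTERNAL_IP4_ADDRESS in reply"
    addr = ipaddress.IPv4Address(raw)
    if addr.is_unspecified:           # 0.0.0.0: the lease described in the post
        return "gateway assigned 0.0.0.0, interface cannot be configured"
    return "ok"

def build_reply(addr):
    """Constructed ISAKMP_CFG_REPLY (type 2) carrying one IPv4 address; test input only."""
    ip = ipaddress.IPv4Address(addr).packed
    header = struct.pack("!BBH", 2, 0, 0x1234)   # identifier 0x1234 is a made-up value
    return header + struct.pack("!HH", INTERNAL_IP4_ADDRESS, 4) + ip

if __name__ == "__main__":
    for sample in ("0.0.0.0", "192.168.10.7"):
        cfg_type, attrs = parse_mode_config(build_reply(sample))
        print(sample, "->", check_assigned_address(attrs))
```

Running it prints the rejection for 0.0.0.0 and "ok" for a real private address, which is the distinction the client makes before it tries to bring the interface up.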


