[Vpn-devel] Connecting to CheckPoint VPNs
Volkan Kurt
volwol at yahoo.com
Mon Mar 2 03:03:47 CST 2009
Hello all,
First, thank you for this great software. It's one of a kind :)
Now my problem. I think you are familiar with the problems with CheckPoint. I am trying to connect to CheckPoint VPNs and I think I have managed to go as far as phase 2. Below are the options I used to accomplish this. By the way, I found all of these by trial and error.
- Auto configuration: Disabled
- IKE fragmentation: Disabled
- Name resolution: manual
- authentication: hybrid rsa + xauth
- local identity : UFQDN with "cn=<username>"
- remote identity: ip address (use discovered)
- credentials: server ca certificate in pem format
- phase 1: main-group 2-aes-256-md5 (enable CheckPoint compatible)
- phase 2: esp-aes-256-md5-group 2 (compression disabled)
- policy: manual
According to the debug logs, this establishes the Phase 2 SA. However, one last thing can't be accomplished, which keeps me from getting into the VPN. Let me tell you about that:
- CheckPoint SecuRemote registers itself as a network packet filter with an IP address of 0.0.0.0.
- The CheckPoint DHCP server leases the IP address 0.0.0.0 as well, whereas the original IP address of the client in the VPN is something else (192.168.x.x).
- When the Shrew client sees the configuration request for 0.0.0.0, it fails to configure the interface, obviously telling me that it is an erroneous address.
So I tried changing the address method, giving an IP address by hand, and whatever else I could think of, but to no avail.
If, for example, I could specify an existing TAP device, it would most probably solve the issue, but that is not an option.
Do you have any suggestions, or could you take this as a feature request? :)
Best,
Volkan KURT
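As an added illustration of the failure described above (example code, not the poster's configuration and not Shrew Soft's client code), the following Python parser walks the ISAKMP data-attribute list carried in a mode-config (ATTR) payload body, extracts the INTERNAL_IP4_ADDRESS the gateway hands out, and reports why a lease of 0.0.0.0 cannot be applied to a virtual interface. It assumes the RFC 2408 data-attribute encoding (AF bit plus 15-bit type, then length+value or a 2-byte inline value) and the mode-config attribute numbers 1 to 3; the two sample payload bodies are constructed, not captured from a real gateway.

```python
import ipaddress
import struct

# Mode-config attribute types (ISAKMP mode-cfg draft); only the first three are used here.
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
INTERNAL_IP4_DNS = 3

def parse_attributes(body: bytes):
    """Parse ISAKMP data attributes: 2-byte type (AF bit = MSB), then either a
    2-byte length followed by the value (AF=0) or a 2-byte inline value (AF=1)."""
    attrs = []
    off = 0
    while off + 4 <= len(body):
        af_type, lv = struct.unpack_from("!HH", body, off)
        off += 4
        attr_type = af_type & 0x7FFF
        if af_type & 0x8000:                 # AF=1: the 2 bytes are the value itself
            value = struct.pack("!H", lv)
        else:                                # AF=0: lv is a length, value follows
            if off + lv > len(body):
                raise ValueError("attribute length exceeds payload")
            value = body[off:off + lv]
            off += lv
        attrs.append((attr_type, value))
    if off != len(body):
        raise ValueError("trailing bytes in attribute payload")
    return attrs

def assigned_address(body: bytes):
    """Return (address, reason) for the INTERNAL_IP4_ADDRESS in a mode-config body;
    reason is None when the address can be configured on a virtual interface."""
    for attr_type, value in parse_attributes(body):
        if attr_type != INTERNAL_IP4_ADDRESS:
            continue
        if len(value) != 4:
            return None, "INTERNAL_IP4_ADDRESS has length %d, expected 4" % len(value)
        addr = ipaddress.IPv4Address(value)
        if addr.is_unspecified:              # 0.0.0.0: gateway assigned no usable address
            return addr, "unspecified address 0.0.0.0 cannot be configured"
        if addr.is_multicast or addr.is_loopback:
            return addr, "address %s is not a usable host address" % addr
        return addr, None
    return None, "no INTERNAL_IP4_ADDRESS attribute present"

def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one TLV (AF=0) attribute; used only to build the constructed samples."""
    return struct.pack("!HH", attr_type, len(value)) + value

# Constructed sample payload bodies: the 0.0.0.0 lease from the report, and a normal one.
BOGUS_REPLY = build_attr(INTERNAL_IP4_ADDRESS, bytes([0, 0, 0, 0])) + \
              build_attr(INTERNAL_IP4_NETMASK, bytes([255, 255, 255, 0]))
GOOD_REPLY = build_attr(INTERNAL_IP4_ADDRESS, bytes([192, 168, 10, 7])) + \
             build_attr(INTERNAL_IP4_DNS, bytes([192, 168, 10, 1]))
```

Running `assigned_address(BOGUS_REPLY)` yields the address 0.0.0.0 together with a rejection reason, which is the same decision the client makes when it refuses to configure the interface.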