[vpn-help] Hints for CheckPoint VPN with Xauth

Carmelo Iannello c.iannello at codices.com
Mon Apr 26 12:09:37 CDT 2010


Hi everybody.
First of all I've got to thank anyone who's contributing either by
coding or by sharing his/her experience with the others.

I have a couple of hints, a script that I hope will help someone and a
request for help, but I'll split them into two postings.

This is the first part: how to configure access to a CheckPoint
VPN gateway using user/password without having the CA server certificate.

I've successfully configured it on Debian/Linux mainly using the HOWTO:
http://www.shrew.net/support/wiki/HowtoCheckpoint

changing a couple of steps.

One little change was on the Authentication Tab/Local Identity Tab: the
one that works for me is "User Fully Qualified Domain Name" with the
corresponding UFQDN string left blank.

Everything seemed to go smoothly until I got to the "and now click the
'Export CA Certificate' button" part, because I don't have access to the
server console, and the person at the customer's site just refuses to do
anything outside their standard procedures.

So I couldn't obtain the CA certificate and I was stuck with Windows on
a virtual machine and the Checkpoint SecuRemote client.
The proprietary client downloads the CA certificate the first time using
a proprietary protocol, and I realized that I already had the certificate
in C:\<Program Files>\CheckPoint\SecuRemote\database\userc.C,
but I had no clue about the format until I read this page:

http://www.aelita.org/racoon/racoon-securemote-doc

and I followed the "X509 certificates configuration" instructions in
reverse order.
The steps are:

- get the hex string contained in the :cert (...) "tag" referring to the
desired site.
- save it in a text file
- convert the hex-string file to its binary form (e.g. using: xxd -p -r
hex-cert.txt > cert.bin)
- byte-reverse the binary file (e.g. using
http://www.aelita.org/racoon/rev.c)
- convert it from DER to PEM format (e.g. using openssl x509 -inform DER
-in <infile> -outform PEM -out <outfile>)

I wrote a simple python script that does all of the above, you must have
python and openssl installed.
(I suppose I'll find out whether this ml accepts attachments when I hit
the Send button)

Maybe I'm wrong, but I think that the openssl transformation from DER to
PEM also answers this note by the HOWTO's author: "The only method I
have discovered to convert these certificates successfully is rather
annoying. It involves importing it into the certificate storage of a
Microsoft Operating system and then exporting it in PEM format. [...] If
anyone has a better suggestion, please let me know".

If you have a pkcs12 certificate file you can convert it to PEM using:

openssl pkcs12 -in <infile>.p12 -out <outfile>.pem -clcerts -nokeys

I'm quite sure there's no news for most of you reading, but I
experienced big difficulties in collecting all the single bits of
information I've condensed here.
Hope this will help someone now or in the future.

Bye.
Carm

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carmelo Iannello  
Codices s.r.l.
Via G. Malasoma 24
56121 Pisa, loc. Ospedaletto
Tel: +39 050-3163667 (diretto)
Tel: +39 050-3160136
Fax: +39 050-9655150
http://www.codices.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: extract-ca.py
Type: text/x-python
Size: 2257 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20100426/f41094dc/attachment-0001.py>
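The extraction steps listed in the post (hex string from the :cert tag, hex to binary, byte reversal, DER to PEM), as an added example; this is not the scrubbed extract-ca.py attachment and does not need openssl. The userc.C snippet is constructed and the certificate bytes in it are a fake, too-short stand-in for a real DER certificate; the sanity check that the reversed bytes start with a DER SEQUENCE is an added caveat that catches the case where the data was not reversed.

```python
import base64
import re
import textwrap

# Constructed sample in the shape of a userc.C entry. The hex inside the
# :cert (...) tag is the site's CA certificate as DER, stored byte-reversed.
# FAKE_DER is a hypothetical 20-byte stand-in: SEQUENCE, long-form length 16.
FAKE_DER = b"\x30\x82\x00\x10" + bytes(range(16))
SAMPLE_USERC = (
    ":site (vpn.example.test\n"
    "\t:cert (" + FAKE_DER[::-1].hex() + ")\n"
    ")\n"
)

CERT_RE = re.compile(r":cert\s*\(\s*([0-9A-Fa-f\s]+?)\s*\)")

def extract_cert_hex(userc_text: str) -> str:
    """Step 1: pull the hex string out of the :cert (...) tag."""
    m = CERT_RE.search(userc_text)
    if not m:
        raise ValueError("no :cert (...) tag found")
    return "".join(m.group(1).split())

def hex_to_der(cert_hex: str) -> bytes:
    """Steps 3 and 4: hex -> binary (xxd -p -r), then byte-reverse (rev.c)."""
    der = bytes.fromhex(cert_hex)[::-1]
    # An X.509 certificate is a DER SEQUENCE (tag 0x30). If this fails, the
    # bytes were most likely not reversed, or the tag holds something else.
    if der[:1] != b"\x30":
        raise ValueError("reversed data does not start with a DER SEQUENCE")
    if der[1:2] == b"\x82":  # long-form length: check it spans the whole blob
        declared = int.from_bytes(der[2:4], "big")
        if declared != len(der) - 4:
            raise ValueError("DER length field does not match data length")
    return der

def der_to_pem(der: bytes) -> str:
    """Step 5: DER -> PEM, what openssl x509 -inform DER -outform PEM emits."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def extract_ca(userc_text: str) -> str:
    """Whole pipeline: userc.C text in, PEM certificate out."""
    return der_to_pem(hex_to_der(extract_cert_hex(userc_text)))

if __name__ == "__main__":
    print(extract_ca(SAMPLE_USERC))
```

On a real userc.C the resulting PEM can be checked with openssl x509 -in ca.pem -noout -subject before it is placed in the Shrew Soft certificate directory.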

