[vpn-help] CheckPoint VPN server with mutual RSA

Carmelo Iannello c.iannello at codices.com
Thu Apr 29 09:00:10 CDT 2010


Carmelo Iannello wrote:
> Hi everybody.
> I've some problem in configuring a connection to a CheckPoint VPN server.
> It works perfectly for a user/password authentication scenario (Hybrid
> RSA + Xauth), but when it comes to pkcs12 authentication something goes
> wrong.
>
> On Windows with the Checkpoint SecuRemote client I configured the
> gateway, put in the p12 certificate and it just works.
> On Linux with Shrew Soft ike + ikea I followed this HOWTO:
>
> http://www.shrew.net/support/wiki/HowtoCheckpoint
>
>
> setting: 
> - "Mutual RSA" as the Authentication Method 
> - Local identity: User FQDN with a blank string
> - Remote identity: "IP Address" and "Use discovered remote host address"
> (any other combination of local and remote identity gives: INVALID-ID-INFORMATION)
>   

Ok, those settings were wrong.
Now it works fine with:

Local identity: ASN.1 (with "Use the subject in the client cert" checked)
Remote identity: Any

Then I went to the changelog of version 2.1.6 and I found this note by mgrooms:
"We now set a default local identity type value of address for PSK authentication modes and asn1dn for RSA modes"

I should have read that before... :/

Anyway, there's a bug in ikea in 2.1.5; I can't compile 2.1.6 right now and I can't tell from the changelog whether it has been fixed.

If I choose ASN.1 in Local Identity, save, and reopen the configuration, the reloaded value is wrong; if I save again, the wrong one is saved.
Also: if I choose UFQDN and put in a value like "CN=xxx,OU=yy,O=zzz", save, and reopen it, the value is truncated.

(and maybe this is not the right place for a bug report. sorry, if so)


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carmelo Iannello  
Codices s.r.l.
Via G. Malasoma 24
56121 Pisa, loc. Ospedaletto
Tel: +39 050-3163667 (diretto)
Tel: +39 050-3160136
Fax: +39 050-9655150
http://www.codices.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 