Firewall Wizards mailing list archives

Checkpoint and Road-Warrior VPN


From: <damiank () anobi-asp com>
Date: Mon, 4 Feb 2002 10:01:51 -0600

I have a Checkpoint 5.0 FW1 server on a static IP and a Netscreen 5 on a
dynamic IP.  With ISAKMP this should work since you can use a pre-shared
secret and Phase 1 Identification can occur using either the IP-Address,
Subnet Address, FQDN, or an email address:
ID_IPV4_ADDR , Value=1, Spec[RFC2407]
ID_FQDN, Value=2, Spec[RFC2407]
ID_USER_FQDN, Value=3, Spec[RFC2407]
ID_IPV4_ADDR_SUBNET, Value=4, Spec[RFC2407]

Since Phase 1 usually uses the IPV4_ADDR, we have to change this for dynamic
clients since the Checkpoint won't be able to identify the IP which the
Netscreen sends as its identification string.

I came really close to completing this by using an email address.  I created
a user on the Checkpoint using an email address (ID_TYPE=3) and used the
same address on the Netscreen as its local name.  Under user settings on
the Checkpoint's User->Encryption tab, I enabled IKE encryption with a
password equal to the Pre-Shared-Secret.  At this point I tested it; with a
sniffer I could see that the ID was indeed being passed in Phase 1 to the
Checkpoint and instead of dropping the session, the Checkpoint was
responding with its Phase 1 ID.  In the Checkpoint logs, it showed a
successful authentication had occurred.  However, for some reason, on the
Checkpoint's User->Authentication tab, I can't just leave it as undefined
(the Checkpoint will drop all connections with this set); I even tried
setting up authentication on the Netscreen side with no success.  Does
anyone have any ideas on this?  Thanks.

Damian Kohlfeld
Anobi Technology Corp.
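As an added illustration (not part of Damian's post), the Python below encodes and decodes the ISAKMP Identification payload that carries the Phase 1 ID types listed above (RFC 2408 section 3.8 header, RFC 2407 section 4.6.2 ID types) and shows a responder matching the peer on (ID type, value) rather than on source IP, which is what lets a dynamic-IP peer be identified by an ID_USER_FQDN. The peer table, email address and secret are constructed sample values.

```python
import ipaddress
import struct

# ID types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4

# Generic payload header (next, reserved, length) + ID type, protocol ID, port
_HDR = "!BBHBBH"


def build_id_payload(id_type, identity, next_payload=0, proto=0, port=0):
    """Encode an ISAKMP Identification payload for the given ID type."""
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(identity).packed
    elif id_type == ID_IPV4_ADDR_SUBNET:
        net = ipaddress.IPv4Network(identity, strict=False)
        data = net.network_address.packed + net.netmask.packed  # addr + mask
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        data = identity.encode("ascii")  # e.g. an email address for type 3
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return struct.pack(_HDR, next_payload, 0, 8 + len(data), id_type, proto, port) + data


def parse_id_payload(raw):
    """Decode an Identification payload into (id_type, identity-as-string)."""
    if len(raw) < 8:
        raise ValueError("truncated ISAKMP ID payload")
    _nxt, _res, length, id_type, _proto, _port = struct.unpack(_HDR, raw[:8])
    if length < 8 or length != len(raw):
        raise ValueError("ID payload length field does not match payload")
    data = raw[8:length]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        return id_type, f"{ipaddress.IPv4Address(data[:4])}/{ipaddress.IPv4Address(data[4:])}"
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return id_type, data.decode("ascii")
    raise ValueError(f"bad identification data for ID type {id_type}")


def lookup_peer(id_type, identity, peers):
    """Responder-side match: pick the pre-shared secret by (ID type, value), not by source IP."""
    return peers.get((id_type, identity.lower()))


# Constructed sample peer table: a road warrior identified by email (ID_USER_FQDN)
PEERS = {(ID_USER_FQDN, "roadwarrior@example.com"): b"constructed-psk"}
```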

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards