Firewall Wizards mailing list archives
Checkpoint and Road-Warrior VPN
From: <damiank () anobi-asp com>
Date: Mon, 4 Feb 2002 10:01:51 -0600
I have a Checkpoint 5.0 FW1 server on a static IP and a Netscreen 5 on a dynamic IP. With ISAKMP this should work since you can use a pre-shared secret and Phase 1 Identification can occur using either the IP-Address, Subnet Address, FQDN, or an email address:

ID_IPV4_ADDR, Value=1, Spec[RFC2407]
ID_FQDN, Value=2, Spec[RFC2407]
ID_USER_FQDN, Value=3, Spec[RFC2407]
ID_IPV4_ADDR_SUBNET, Value=4, Spec[RFC2407]

Since Phase 1 usually uses the IPV4_ADDR, we have to change this for dynamic clients since the Checkpoint won't be able to identify the IP which the Netscreen sends as its identification string.

I came really close to completing this by using an email address. I created a user on the Checkpoint using an email address (ID_TYPE=3) and used the same address on the Netscreen as its local name. Under user settings on the Checkpoint's User->Encryption tab, I enabled IKE encryption with a password equal to the Pre-Shared-Secret.

At this point I tested it. With a sniffer I could see that the ID was indeed being passed in Phase 1 to the Checkpoint and, instead of dropping the session, the Checkpoint was responding with its Phase 1 ID. In the Checkpoint logs, it showed a successful authentication had occurred.

However, for some reason, on the Checkpoint's User->Authentication tab, I can't just leave it as undefined (the Checkpoint will drop all connections with this set). I even tried setting up authentication on the Netscreen side with no success.

Does anyone have any ideas on this?

Thanks.

Damian Kohlfeld
Anobi Technology Corp.
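The post hinges on what the peer puts in the Phase 1 Identification payload and whether the responder can match it to a configured user or gateway. The following Python is an added illustration, not code from the post, Check Point or NetScreen: it encodes and decodes an ISAKMP Identification payload laid out as RFC 2407 section 4.6.2 describes (generic payload header, ID type, protocol ID, port, ID data) for the four ID types the post lists, then looks the decoded ID up in a peer table keyed by (type, value). The peer names, addresses and email address are constructed for the example, and the `match_peer` lookup is a simplified stand-in for whatever the gateway really does. It shows why a gateway on a dynamic IP cannot be matched by an ID_IPV4_ADDR entry but can by an ID_USER_FQDN one.

```python
"""Encode/decode ISAKMP Phase 1 Identification payloads (RFC 2407, 4.6.2)
and match them against a table of configured peers.

Added example for the thread; not Check Point or NetScreen code. All peer
names, addresses and the email identity below are constructed sample data.
"""
import ipaddress
import struct
from typing import Optional

# ID types from RFC 2407 (the four listed in the post)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4

ID_TYPE_NAMES = {
    ID_IPV4_ADDR: "ID_IPV4_ADDR",
    ID_FQDN: "ID_FQDN",
    ID_USER_FQDN: "ID_USER_FQDN",
    ID_IPV4_ADDR_SUBNET: "ID_IPV4_ADDR_SUBNET",
}


def build_id_payload(id_type: int, value: str, next_payload: int = 0) -> bytes:
    """Build an Identification payload: 4-byte generic header (next payload,
    reserved, length), then ID type, protocol ID, port, then the ID data."""
    if id_type == ID_IPV4_ADDR:
        body = ipaddress.IPv4Address(value).packed
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        body = value.encode("ascii")  # RFC 2407: no terminating NUL
    elif id_type == ID_IPV4_ADDR_SUBNET:
        net = ipaddress.IPv4Network(value, strict=False)
        body = net.network_address.packed + net.netmask.packed
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    header = struct.pack("!BBH", next_payload, 0, 8 + len(body))
    # Protocol ID 0 and port 0 mean "any", the usual Phase 1 setting
    return header + struct.pack("!BBH", id_type, 0, 0) + body


def parse_id_payload(data: bytes) -> dict:
    """Decode one Identification payload into its fields.
    Raises ValueError on a truncated or inconsistent payload."""
    if len(data) < 8:
        raise ValueError("payload shorter than the 8-byte header")
    next_payload, _reserved, length = struct.unpack("!BBH", data[:4])
    id_type, proto, port = struct.unpack("!BBH", data[4:8])
    if length < 8 or length > len(data):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(data)))
    body = data[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(body) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of ID data")
        value = str(ipaddress.IPv4Address(body))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        value = body.decode("ascii")
    elif id_type == ID_IPV4_ADDR_SUBNET:
        if len(body) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET needs exactly 8 bytes of ID data")
        addr = str(ipaddress.IPv4Address(body[:4]))
        mask = str(ipaddress.IPv4Address(body[4:]))
        value = str(ipaddress.IPv4Network((addr, mask), strict=False))
    else:
        value = body.hex()  # unknown type: keep raw bytes for the log
    return {
        "next_payload": next_payload,
        "id_type": id_type,
        "id_type_name": ID_TYPE_NAMES.get(id_type, "UNKNOWN(%d)" % id_type),
        "protocol": proto,
        "port": port,
        "value": value,
    }


# Constructed peer table: a dynamic-IP gateway identified by email address
# (ID_USER_FQDN, as in the post) and a static-IP branch identified by address.
CONFIGURED_PEERS = {
    (ID_USER_FQDN, "roadwarrior@example.com"): "netscreen-5-dynamic",
    (ID_IPV4_ADDR, "192.0.2.10"): "branch-static",
}


def match_peer(parsed: dict, peers: dict = CONFIGURED_PEERS) -> Optional[str]:
    """Simplified responder-side lookup: the decoded (type, value) pair must
    match a configured entry exactly. An ID_IPV4_ADDR sent by a host whose
    address changes daily will never match; an FQDN or USER_FQDN will."""
    return peers.get((parsed["id_type"], parsed["value"]))


def phase1_demo() -> dict:
    """Run the two cases from the thread against the constructed peer table."""
    by_email = parse_id_payload(build_id_payload(ID_USER_FQDN, "roadwarrior@example.com"))
    by_dyn_ip = parse_id_payload(build_id_payload(ID_IPV4_ADDR, "198.51.100.77"))
    return {"email_id": match_peer(by_email), "dynamic_ip_id": match_peer(by_dyn_ip)}


if __name__ == "__main__":
    for name, peer in phase1_demo().items():
        print("%s -> %s" % (name, peer if peer else "no matching peer, Phase 1 would fail"))
```

Running the demo shows the email identity resolving to the configured peer while the dynamic address resolves to nothing, which is the situation the post describes before switching to ID_TYPE=3. The parser also rejects a payload whose length field disagrees with the bytes actually received, a check worth keeping in any code that handles IKE from the Internet.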