Hi guys,

Just would like to share again. Sorry for people who have done this already.

Requirements:
-------------
a) Checkpoint FW-1/VPN-1 with Strong Encryption
b) Linux box configured with FreeS/WAN

Topology:
---------
internal-net-A---cp-fw-1---<internet>---isp---linux/freeswan---internal-net-B

internal-net-A = 192.168.10.0/24
cp-fw-1 external ip = 200.x.x.191
linux/freeswan external ip = 203.177.x.67
linux/freeswan internal-net-B = 192.168.20.0/24

You can use FreeS/WAN to create a VPN tunnel to a Checkpoint FW-1/VPN-1 with
a 3DES/Encryption license.
You can also establish a site-to-site VPN this way.

This is good for companies that don't want to spend so much. :p

You can download FreeS/WAN from www.freeswan.org. It adds IPSec support to
your kernel.
Before you can compile FreeS/WAN, you have to have libgmp and libgmp-devel
installed.
After compiling FreeS/WAN, you must rebuild the kernel.

I tested this setup on a Checkpoint FW-1 4.1.2 installed on RH 6.1,
kernel 2.2.19.
The other server I used was running FreeS/WAN 1.91 installed on RH 6.2,
kernel 2.2.19.

On the FW-1 side, you must create a workstation object (linuxhost) that
points to the Linux box running IPSec. On the VPN tab of this object, select
IKE and create a pre-shared secret.
Let's set the secret to "long-live-plug". ;p

You also have to create a rule above the stealth rule:

+----+----------------+-----------------+---------+---------+
| No | Source         | Destination     | Service | Action  |
+----+----------------+-----------------+---------+---------+
| 1  | linuxhost      | internal-net-a  |  any    | encrypt |
|    | internal-net-a | linuxhost       |         |         |
+----+----------------+-----------------+---------+---------+

You *MUST* also set "Renegotiate IKE Security Associations every n
minutes".
You can set this in the Policy Properties. The value of n should be below
480; I set mine at 20.

Install the policy.

Here is the config on the other server, running Linux and FreeS/WAN.

/etc/ipsec.conf:
----------------
#
# basic configuration
# In my case the interface used is eth0; if yours is different, substitute
# the proper interface name
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        manualstart=
        plutoload=
        plutostart=

# This tunnel is necessary in order to allow the FreeS/WAN host to
# communicate with the Encryption Domain behind the CP VPN Gateway.
conn linux-encdom
        type=tunnel
        left=200.x.x.191
        # leftnexthop is the other router's ethernet ip address
        leftnexthop=200.x.x.1
        leftsubnet=192.168.10.0/24
        right=203.177.x.67
        # rightnexthop is your router's ethernet ip address
        rightnexthop=203.177.x.1
        keyexchange=ike
        auth=esp
        pfs=no

/etc/ipsec.secrets:
-------------------
# Note that all secrets must now be enclosed in quotes, even if they have
# no white space inside them.
203.177.x.67 200.x.x.191 "long-live-plug"

This is how I started the IPSec session.

I usually stop the ipsec daemon before I actually establish a session.

1. /etc/rc.d/init.d/ipsec stop
2. /etc/rc.d/init.d/ipsec start
3. ipsec auto --add linux-encdom
4. ipsec auto --up linux-encdom
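Before running steps 3 and 4 it is worth checking that ipsec.conf and ipsec.secrets actually agree. The following Python script is an added example, not part of the original post: it reads a FreeS/WAN-style conn section and the secrets file, confirms that one PSK line names both tunnel endpoints, checks that the secret is quoted (as the comment in ipsec.secrets demands), and flags pfs=no so the trade-off is a conscious one. The sample files inside it are constructed from the values in this post; the "x" octets are the post's own placeholders.

```python
import re

# Constructed sample input modelled on the post's configuration; these are not
# the author's files, and the "x" octets are the placeholders used in the post.
SAMPLE_CONF = """\
conn linux-encdom
    type=tunnel
    left=200.x.x.191
    leftsubnet=192.168.10.0/24
    right=203.177.x.67
    keyexchange=ike
    auth=esp
    pfs=no
"""
SAMPLE_SECRETS = '203.177.x.67 200.x.x.191 "long-live-plug"\n'
# One PSK line of ipsec.secrets: ids, then '"secret"' or ': PSK "secret"'.
PSK_LINE = re.compile(r'^(?P<ids>[^:"]*?)\s*(?::\s*PSK\s+)?(?P<secret>"[^"]*"|\S+)$')


def parse_conf(text):
    """Return {section: {key: value}}; a 'conn X' or 'config setup' line opens a
    section and later key=value lines belong to it (indentation not required)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("conn ", "config ")):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def parse_secrets(text):
    """Return [(set_of_ids, secret_token)] for each PSK line of ipsec.secrets."""
    found = (PSK_LINE.match(l.split("#", 1)[0].strip()) for l in text.splitlines())
    return [(set(m.group("ids").split()), m.group("secret")) for m in found if m and m.group("ids")]


def check_conn(conf_text, secrets_text, conn_name):
    """Cross-check one conn against ipsec.secrets; returns findings (empty = consistent)."""
    conn = parse_conf(conf_text).get(conn_name)
    if conn is None or not (conn.get("left") and conn.get("right")):
        return ["conn %s is missing or lacks left/right endpoints" % conn_name]
    ends, findings = {conn["left"], conn["right"]}, []
    matches = [s for ids, s in parse_secrets(secrets_text) if ends <= ids]
    if not matches:
        findings.append("no ipsec.secrets entry lists both %s and %s" % tuple(sorted(ends)))
    for secret in matches:
        if not (len(secret) >= 2 and secret[0] == secret[-1] == '"'):
            findings.append("secret for %s is not quoted (FreeS/WAN requires quotes)" % conn_name)
    if conn.get("pfs", "yes") == "no":
        findings.append("pfs=no: rekeys reuse phase-1 keying material, no fresh Diffie-Hellman")
    return findings
```

Run check_conn() on your real /etc/ipsec.conf and /etc/ipsec.secrets contents; an empty list means the PSK side of the tunnel is consistent, and the pfs=no line shows up only as a reminder of what the setting gives up.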

That's it. I hope I didn't miss anything.

Try accessing an internal server on the 192.168.10.0/24 network.

My next experiment would be KAME, FreeBSD's IPSec implementation.
By the way, do we have any local FreeBSD mailing list? PFUC or PFUG ;p

ronneil r. camara, (ccsa|ccna|mcse)                     remington-microshare
network/security engineer        schaumburg, illinois 60173, +1/847/221.0200
pgp key: 0x927C12C1                                     mobphone: 9.80.175.3
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph