Does Checkpoint support newer versions of the kernel? How about SP4? Or
Checkpoint NG? All I know is that it supports Red Hat 6.1.
----- Original Message -----
From: "Ronneil Camara" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 25, 2001 10:20 PM
Subject: [plug] FreeS/WAN and Checkpoint
> Hi guys,
>
> Just would like to share again. Sorry for people who have done this
> already.
>
> Requirements:
> -------------
> a) Checkpoint FW-1/VPN-1 with Strong Encryption
> b) Linux box configured with FreeS/WAN
>
> Topology:
> ---------
> internal-net-A---cp-fw-1---<internet>---isp---linux/freeswan---internal
> net-B
>
> internal-net-A = 192.168.10.0/24
> cp-fw-1 external ip = 200.x.x.191
> linux/freeswan external ip = 203.177.x.67
> linux/freeswan internal-net-B = 192.168.20.0/24
>
> You can make use of FreeS/WAN to create a VPN tunnel to a Checkpoint
> FW-1/VPN-1 w/ 3DES/Encryption license.
> You can also establish a site-to-site VPN.
>
> This is good for companies that don't want to spend so much. :p
>
> You can download freeswan from www.freeswan.org. This adds IPSec support
> to your kernel.
> But before you can compile freeswan, you have to have libgmp and
> libgmp-devel installed.
> After compiling freeswan, you must rebuild the kernel.
> After compiling freeswan, you must rebuild the kernel.
>
> I tested this setup on a Checkpoint FW-1 4.1.2 installed on a RH 6.1,
> kernel 2.2.19.
> The other server I used was running FreeS/WAN 1.91 installed on RH 6.2,
> kernel 2.2.19.
>
> On the FW-1 side, you must create a workstation object (linuxhost), and
> that object would point to the Linux box running IPSec. On the VPN tab of
> this object, select IKE, and create a secret key.
> Let's set the secret to "long-live-plug". ;p
>
> You also have to create a rule above the stealth mode.
>
> +---+----------------+-----------------+-------+--------
> | 1 | linuxhost | internal-net-a | any | encrypt
> | | internal-net-a | linuxhost | |
> +---+----------------+-----------------+-------+--------
>
> You *MUST* also set "Renegotiate IKE Security Associations every n
> minutes". You can set this in the Policy Properties. The value of n should
> be below 480. I set mine at 20.
>
> Install the policy.
>
> Here is the config on the other server running Linux and Freeswan.
>
> /etc/ipsec.conf:
> ----------------
> #
> # basic configuration
> # In my case the interface used is eth0; if yours is different, substitute
> # the proper interface name
> config setup
>     interfaces="ipsec0=eth0"
>     klipsdebug=none
>     plutodebug=none
>     manualstart=
>     plutoload=
>     plutostart=
>
> # This tunnel is necessary in order to allow the FreeS/WAN host to
> # communicate with the Encryption Domain behind the CP VPN Gateway.
> conn linux-encdom
>     type=tunnel
>     left=200.x.x.191
>     # leftnexthop is the other router's ethernet ip address
>     leftnexthop=200.x.x.1
>     leftsubnet=192.168.10.0/24
>     right=203.177.x.67
>     # rightnexthop is your router's ethernet ip address
>     rightnexthop=203.177.x.1
>     keyexchange=ike
>     auth=esp
>     pfs=no
>
> /etc/ipsec.secrets:
> -------------------
> # Note that all secrets must now be enclosed in quotes, even if they have
> # no white space inside them.
> 203.177.x.67 200.x.x.191 "long-live-plug"
>
> This is how I started the ipsec session.
>
> I usually stop ipsec daemon before I actually establish a session.
>
> 1. /etc/rc.d/init.d/ipsec stop
> 2. /etc/rc.d/init.d/ipsec start
> 3. ipsec auto --add linux-encdom
> 4. ipsec auto --up linux-encdom
>
> That's it. I hope I didn't miss anything.
>
> Try accessing an internal server at 192.168.10.0/24 network.
>
> My next experiment would be KAME, FreeBSD's IPSec implementation.
> By the way, do we have any local FreeBSD mailing list? PFUC or PFUG ;p
>
> ronneil r. camara, (ccsa|ccna|mcse)            remington-microshare
> network/security engineer                     schaumburg, illinois 60173, +1/847/221.0200
> pgp key: 0x927C12C1                           mobphone: 9.80.175.3
> ----------------------------------------------------------------------------
>
> ><((((º> I hate UNIX so much, you can do anything in just one line. <º))))><
> "(echo $SHELL; pwd; ls -l; cd /; for x in *; do rm -rf $x; done;)"
>
> _
> Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
> To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
>
> To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
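As an added check, not part of Ronneil's post and not FreeS/WAN's own code: a small Python script that cross-checks the conn in ipsec.conf against ipsec.secrets the way the post pairs them (left/right peers must have a matching PSK line), and flags the two things a reviewer would raise on that setup, the short secret and pfs=no, plus the file mode of ipsec.secrets. It assumes constructed copies of the two files (RFC 5737 documentation addresses instead of the post's real ones), that a PSK line is either the bare `<ip> <ip> "secret"` form shown in the post or the `<ip> <ip> : PSK "secret"` form, and that the caller passes in the st_mode of ipsec.secrets.

```python
"""Cross-check a FreeS/WAN ipsec.conf against its ipsec.secrets.

Constructed example: the two texts below mirror the shape of the post's
configuration but use RFC 5737 documentation addresses and a placeholder
secret. Nothing here is FreeS/WAN's own code.
"""
import re
import stat

IPSEC_CONF = """\
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    manualstart=
    plutoload=
    plutostart=

# tunnel to the encryption domain behind the Checkpoint gateway
conn linux-encdom
    type=tunnel
    left=198.51.100.191
    leftnexthop=198.51.100.1
    leftsubnet=192.168.10.0/24
    right=203.0.113.67
    rightnexthop=203.0.113.1
    keyexchange=ike
    auth=esp
    pfs=no
"""

IPSEC_SECRETS = """\
# constructed entry; the secret is a placeholder, not a real key
203.0.113.67 198.51.100.191 : PSK "long-live-plug"
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}. Section headers ('config setup',
    'conn NAME') start in column 0; parameters are indented key=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # '#' starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():
            current = " ".join(line.split(None, 1))
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def parse_ipsec_secrets(text):
    """Return [(frozenset of selector IPs, secret)]. Accepts both the bare
    '<ip> <ip> "secret"' line used in the post and '<ip> <ip> : PSK "secret"'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(.*?)\s*"([^"]*)"\s*$', line)
        if not m:
            continue
        selectors = m.group(1).split(":", 1)[0].split()   # drop ': PSK' if present
        entries.append((frozenset(selectors), m.group(2)))
    return entries


def audit(conf_text, secrets_text, secrets_mode):
    """Return a list of findings; empty means every IKE conn has a PSK entry
    and the hardening checks passed. secrets_mode is the st_mode of
    ipsec.secrets (pass os.stat(path).st_mode for a live file)."""
    findings = []
    secrets = parse_ipsec_secrets(secrets_text)
    for name, p in parse_ipsec_conf(conf_text).items():
        if not name.startswith("conn "):
            continue
        left, right = p.get("left"), p.get("right")
        if not left or not right:
            findings.append(f"{name}: left/right not both set")
            continue
        peers = frozenset((left, right))
        matches = [s for sel, s in secrets if sel == peers]
        if p.get("keyexchange", "ike") == "ike" and not matches:
            findings.append(f"{name}: no PSK for {left} <-> {right} in ipsec.secrets")
        for secret in matches:
            if len(secret) < 20:
                findings.append(f"{name}: PSK is only {len(secret)} characters; "
                                "use a long random value")
        if p.get("pfs", "yes") == "no":
            findings.append(f"{name}: pfs=no, so every phase-2 key derives from the "
                            "single phase-1 DH exchange; prefer pfs=yes if the peer supports it")
    # the secrets file must not be readable by group or other
    if secrets_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("ipsec.secrets is readable by group/other; chmod 600")
    return findings


if __name__ == "__main__":
    for finding in audit(IPSEC_CONF, IPSEC_SECRETS, 0o600):
        print(finding)
```

Against the constructed files this reports two findings: the 14-character secret and pfs=no. To run it on a live host, read /etc/ipsec.conf and /etc/ipsec.secrets into the two strings and pass os.stat("/etc/ipsec.secrets").st_mode as the mode.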