How to connect a road warrior VPN linux client to a Check Point Firewall-1

Yesterday I received a message on the debian-user-spanish mailing list with the subject: Conectarse por VPN a un Firewall-1

In that email the user was referring to a very useful tutorial: Check Point Firewall-1 NG(X). I remembered that link, as I used it to configure my first road warrior VPN client. But this document is outdated, as the procedure to obtain the private key is no longer valid. There is a new procedure that I documented in my personal wiki. In this post I am going to copy and paste the right procedure from it.

This is almost a copy-and-paste procedure post. I am not going to explain all the “History/Theory” as it has already been well documented in the Check Point Firewall-1 NG(X) tutorial.

Get the needed files from the .p12 (PKCS#12) certificate bundle and put them in the right directories:

Retrieve the DER-encoded CRL from the Check Point gateway:

wget http://firewall-1:18264/ICA_CRL1.crl

Convert the DER-encoded CRL to PEM and store it in the related directory:

openssl crl -in ICA_CRL1.crl -inform DER -outform PEM -out /etc/ipsec.d/crls/checkpoint.crl

Convert the user certificate generated by Check Point Management from PKCS#12 to X.509.

Extract the private key from the user's PKCS#12 file. You first have to enter the import password (the one given in the GUI) and then an export password:

openssl pkcs12 -in vpnjuan.p12 -nocerts -out tempkey.pem

Convert the user's private key to RSA format (the -des3 option keeps it encrypted under a passphrase):

openssl rsa -in tempkey.pem -des3 -out /etc/ipsec.d/private/vpnjuan-key.pem

Copy firewall-1-cert.pem (provided by your network admin) to /etc/ipsec.d/certs/firewall-1-cert.pem.

Extract the user's certificates from PKCS#12 to X.509 (this results in a single file containing both the CA and the user certificate):

openssl pkcs12 -in vpnjuan.p12 -nokeys -out temp2.pem

Split the single file into separate ones, e.g. firewall-1-internal-ca.pem (the CA certificate is the first one in the file) and vpnjuan-cert.pem (the user certificate is normally the second one in the file). The header part of the CA certificate looks like:

subject=/O=checkpoint.intranet.example.com..p9bkhs

issuer= /O=checkpoint.intranet.example.com..p9bkhs

The header of the user certificate looks like:

subject=/O=checkpoint.intranet.example.com..p9bkhs/OU=users/CN=freeswan

issuer=/O=checkpoint.intranet.example.com..p9bkhs

Copy the user X.509 certificate to the related Openswan directory:

cp vpnjuan-cert.pem /etc/ipsec.d/certs

Copy the firewall-1 CA certificate to the related Openswan directory:

cp firewall-1-internal-ca.pem /etc/ipsec.d/cacerts
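The split step above is done by hand, and the post notes that the user certificate is only "normally" the second one in the file. The following script is an added example (mine, not the post's) that splits temp2.pem by reading the subject=/issuer= headers openssl prints above each certificate, and then, as a check before copying anything into /etc/ipsec.d, verifies that the user certificate chains to the CA, is not listed in the CRL fetched from the gateway, and matches the private key. File names are the ones used in the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# split_p12_bundle: split the PEM bundle written by
#   openssl pkcs12 -in vpnjuan.p12 -nokeys -out temp2.pem
# into the firewall-1 internal CA certificate and the user certificate.
# Rather than assuming the CA is "normally" first, it reads the subject=/issuer=
# header openssl prints above each certificate: a self-signed block (subject
# equal to issuer) is the CA, any other block is the user certificate.
split_p12_bundle() {
    bundle=$1; ca_out=$2; user_out=$3
    awk -v ca="$ca_out" -v user="$user_out" '
        /^subject=/ { sub(/^subject= */, ""); subj = $0; next }
        /^issuer=/  { sub(/^issuer= */, "");  iss  = $0; next }
        /^-----BEGIN CERTIFICATE-----/ { incert = 1; block = "" }
        incert { block = block $0 "\n" }
        /^-----END CERTIFICATE-----/ {
            incert = 0
            if (subj == iss) { printf "%s", block > ca;   nca++ }
            else             { printf "%s", block > user; nuser++ }
        }
        # the bundle is expected to hold exactly one CA and one user certificate
        END { if (nca != 1 || nuser != 1) exit 1 }
    ' "$bundle"
}

# verify_user_identity: checks to run before copying anything into /etc/ipsec.d.
# The user certificate must chain to the CA, must not be listed in the CRL
# fetched from the gateway, and its public modulus must match the private key
# (openssl prompts for the passphrase set in the "openssl rsa -des3" step).
verify_user_identity() {
    ca=$1; crl=$2; cert=$3; key=$4
    openssl verify -CAfile "$ca" -CRLfile "$crl" -crl_check "$cert" || return 1
    [ "$(openssl x509 -noout -modulus -in "$cert")" = \
      "$(openssl rsa -noout -modulus -in "$key")" ] || {
        echo "private key does not match $cert" >&2; return 1; }
    chmod 0600 "$key"   # the encrypted key still should not be world-readable
}

# usage: sh split_bundle.sh temp2.pem firewall-1-internal-ca.pem vpnjuan-cert.pem
if [ $# -eq 3 ]; then
    split_p12_bundle "$1" "$2" "$3"
fi
```

After splitting, run verify_user_identity firewall-1-internal-ca.pem checkpoint.crl vpnjuan-cert.pem vpnjuan-key.pem and only copy the files if it succeeds.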

Modify the .conf files:

Add the following line to /etc/ipsec.secrets:

: RSA /etc/ipsec.d/private/vpnjuan-key.pem %prompt

Modify /etc/ipsec.conf depending on your own configuration:

# /etc/ipsec/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $

# This file:  /usr/share/doc/openswan-2.4.15-r2/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0
#       plutodebug=all
        protostack=netkey
# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/

## RoadWarrior to Net behind Gateway: FreeS/WAN X.509 <-> Check Point - Net
conn MYCOMPANYCONNECTION
    # Right side is FreeS/WAN RoadWarrior
    right=%defaultroute
    rightrsasigkey=%cert
    rightcert=vpnjuan-cert.pem
    # Left side is Check Point
    left=X.X.X.X          ### put here your firewall's IP address
    leftsubnet=10.0.0.0/8 ### put here your company's network range
    leftcert=firewall-1-cert.pem
    leftid=X.X.X.X        ### put here your firewall's IP address
    # config
    type=tunnel
    keyingtries=3
    disablearrivalcheck=no
    authby=rsasig
    auth=esp
    keyexchange=ike
    auto=route

Procedure to connect:

Restart the ipsec daemon to reread the configuration:

mediacenter:/etc/ipsec.d/certs# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.38-2-amd64...

Enter the passphrase of your private key:

mediacenter:/etc/ipsec.d/certs# ipsec auto --rereadsecrets
040 need passphrase for '/etc/ipsec.d/private/vpnjuan-key.pem'
Enter passphrase:

Start the VPN:

mediacenter:/etc/ipsec.d/certs# ipsec auto --up MYCOMPANYCONNECTION

104 "MYCOMPANYCONNECTION" #1: STATE_MAIN_I1: initiate
003 "MYCOMPANYCONNECTION" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
106 "MYCOMPANYCONNECTION" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "MYCOMPANYCONNECTION" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "MYCOMPANYCONNECTION" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "MYCOMPANYCONNECTION" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "MYCOMPANYCONNECTION" #2: STATE_QUICK_I1: initiate
003 "MYCOMPANYCONNECTION" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1a0f153c
004 "MYCOMPANYCONNECTION" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6ae22f40 <0x4bca9ef5 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Launch rdesktop (a terminal server client for Linux) against your PC's IP address and have fun!

mediacenter:/etc/ipsec.d/certs# rdesktop X.X.X.X
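Before launching rdesktop it is worth confirming from the pluto messages that both IKE phases really completed. This added example (mine, not from the post) parses the output of "ipsec auto --up MYCOMPANYCONNECTION" shown above, reports the negotiated algorithms and the NAT-T result, and returns non-zero when the IPsec SA is missing so a wrapper script can stop there. The function name is my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads the pluto messages
# printed by "ipsec auto --up MYCOMPANYCONNECTION" (from the files given as
# arguments, or stdin) and summarises the result: did phase 1 (ISAKMP SA) and
# phase 2 (IPsec SA) complete, which algorithms were negotiated, and was NAT
# detected. Exit status is non-zero unless both SAs are established.
tunnel_status() {
    awk '
        # text inside the {...} that pluto appends to the "established" lines
        function braces(s) { return match(s, /\{[^}]*\}/) ? substr(s, RSTART, RLENGTH) : "" }
        /ISAKMP SA established/ { p1 = 1; p1alg = braces($0) }
        /IPsec SA established/  { p2 = 1; p2alg = braces($0) }
        /NAT-Traversal: Result/ { nat = $0; sub(/.*: /, "", nat) }
        END {
            printf "phase1=%s %s\n", p1 ? "ok" : "FAILED", p1alg
            printf "phase2=%s %s\n", p2 ? "ok" : "FAILED", p2alg
            printf "nat=%s\n", nat == "" ? "not reported" : nat
            # 3DES and 1024-bit MODP are legacy choices; flag them so the
            # gateway admin can be asked for AES and a larger DH group.
            if (p1alg ~ /3des|modp1024/) print "note: legacy ciphersuite negotiated"
            if (!(p1 && p2)) exit 1
        }
    ' "$@"
}

# usage: ipsec auto --up MYCOMPANYCONNECTION 2>&1 | tee up.log; tunnel_status up.log
if [ $# -ge 1 ]; then
    tunnel_status "$@"
fi
```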


7 thoughts on “How to connect a road warrior VPN linux client to a Check Point Firewall-1”

    • Sorry but I don’t know anything about the “checkpoint endpoint security client for R75”, but the good news is that it works perfectly on my three Debian based servers. 🙂

      I hope it helps you.

      Best regards.

  1. Do you need some special configuration option on the checkpoint?

    Which type of configuration/vpn is needed at checkpoint fw?

  2. Sorry, I have no idea as the FW is managed by other admin.

    AFAIK no special configuration is needed, as I can connect to the FW using the official Windows client and the method explained in this post.
