Re: linux vpn client(road warrior) connecting to checkpoint firewall
- To: Avishay Aton <cgadsl6(at-nospam)netvision.net.il>
- Subject: Re: linux vpn client(road warrior) connecting to checkpoint firewall
- From: Gilad Ben-Yossef <gilad(at-nospam)benyossef.com>
- Date: Wed, 31 Oct 2001 12:51:06 +0200
- CC: linux-il(at-nospam)cs.huji.ac.il
- References: <001601c161a7$6ef09da0$9100000a@lotion>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
- User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.12-20 i686; en-US; m18) Gecko/20001107 Netscape6/6.0
Avishay Aton wrote:
> Hi,
>
> Does anyone know if it's possible to connect a "linux laptop" with a
> dynamic IP to a Checkpoint firewall?
>
> I suppose that if it's possible, it will be with freeswan (1.91).
>
> As a result it actually acts "AS" a secure remote client.
>
> Has anyone tried this?
AFAIK (and I looked around) there is no Checkpoint support for secure
remote on anything but Windows, nor a 3rd party product, including
FreeSwan, that can do this.
FreeSWAN works great with fixed IPs, but has no dynamic IP support, and
it might even be a limitation of the IPSEC protocol it is implementing
and not FreeSWAN itself - although I'm not sure about that.
What I usually do with remote Linux users is use "explicit
authentication" with S/KEY passwords to allow accessing SSH inside.
This means that a remote Unix user accesses the FW-1 web interface (port
990 if I'm not mistaken) first, logs in using a username and a one-time
password (you'll need an S/key "client" like
http://www.linux.org/apps/AppId_869.html installed) and then is granted
the right to use SSH to some known inside machine for a fixed time frame
by IP. He can get extra time by "re-logging". SSH's TCP tunneling
feature is then used to gain access to any needed service.
I consider this almost as safe as secure remote (perhaps even safer when
you know that Outlook is not running on the remote workstation ;-) and
only slightly less easy than using SecureRemote for someone already
familiar with SSH.
Also, a big bird (no, not THAT big bird) whispered once (not too long
ago) in my ear in a bass voice that Checkpoint might be working on a
SecureRemote client for Linux implementation. It might even be in beta.
But don't hold your breath ;-)
Gilad.
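The S/KEY one-time-password login described in the reply above, as an added example that is not part of the list post: a Python sketch of the password chain from RFC 2289 (the standard that generalized S/KEY) together with the firewall-side check that makes a captured password useless for replay. It assumes the MD5 variant rather than S/KEY's original MD4, because MD4 is frequently unavailable in modern hashlib builds, and the `OtpServer` class and its method names are my own, not Checkpoint's or any S/KEY client's.

```python
import hashlib


def otp_fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash the input, then XOR the two 64-bit halves
    of the digest so every password in the chain is 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Password number `count` of the chain (RFC 2289, MD5 variant).
    x_0 = fold(md5(lowercase(seed) + passphrase)); x_n = fold(md5(x_{n-1})).
    Only the client, which knows the passphrase, can compute these."""
    x = otp_fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        x = otp_fold_md5(x)
    return x


class OtpServer:
    """Firewall side (hypothetical name). It stores the seed, the sequence
    number and the last accepted password, never the passphrase, so a copy
    of its database does not let anyone log in."""

    def __init__(self, seed: str, count: int, last_accepted: bytes):
        self.seed, self.count, self.last_accepted = seed, count, last_accepted

    def challenge(self) -> str:
        # The server asks for the password just below the one it holds.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept `candidate` iff one more hash step turns it into the stored
        password. On success the server ratchets forward, so the same
        password can never be replayed; sequence number 0 ends the chain."""
        if self.count == 0 or otp_fold_md5(candidate) != self.last_accepted:
            return False
        self.count -= 1
        self.last_accepted = candidate
        return True


if __name__ == "__main__":
    # Constructed enrollment: the client computes password 99 once and hands
    # it to the server; later logins walk the chain downward.
    passphrase, seed = "This is a test.", "TeSt"
    server = OtpServer(seed, 99, otp_md5(passphrase, seed, 99))
    print(server.challenge())                 # otp-md5 98 TeSt
    p98 = otp_md5(passphrase, seed, 98)
    print("login:", server.verify(p98))       # True
    print("replay:", server.verify(p98))      # False
```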