
Re: linux vpn client(road warrior) connecting to checkpoint firewall





Avishay Aton wrote:

> Hi,
> 
> anyone knows, if it's possible, to connect "linux laptop" with dynamic 
> IP to checkpoint firewall.
> 
> I suppose that if it is possible, it will be with freeswan (1.91).
> 
> as a result it actually acts "AS" secure remote client.
> 
> has anyone tried this?

AFAIK (and I looked around) there is no Checkpoint support for secure 
remote on anything but Windows nor a 3rd party product, including 
FreeSWAN, that can do this.

FreeSWAN works great with fixed IPs, but has no dynamic IP support, and 
it might even be a limitation of the IPSEC protocol it is implementing 
and not FreeSWAN itself - although I'm not sure about that.

What I usually do with remote Linux users is use "explicit 
authentication" with S/KEY passwords to allow accessing SSH inside.

This means that a remote Unix user accesses the FW-1 web interface (port 
990 if I'm not mistaken) first, logs in using a username and a one-time 
password (you'll need an S/key "client" like 
http://www.linux.org/apps/AppId_869.html installed) and then is granted 
the right to use SSH to some known inside machine for a fixed time frame 
by IP. He can get extra time by "re-logging". SSH's TCP tunneling feature 
is then used to gain access to any needed service.

I consider this almost as safe as secure remote (perhaps even safer when 
you know that Outlook is not running on the remote workstation ;-) and 
only slightly less easy than using SecureRemote for someone already 
familiar with SSH.

Also, a big bird (no, not THAT big bird) whispered once (not too long 
ago) in my ear in a bass voice that Checkpoint might be working on a 
SecureRemote client for Linux implementation. It might even be in beta.
But don't hold your breath ;-)

Gilad.
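
Added example, not part of the original message: a small Python model of the S/KEY-style one-time password check that the login step above relies on, showing why a captured password cannot be replayed. The `Gateway` class, the sample seed and passphrase are assumptions made for illustration; the MD5-and-fold step follows RFC 2289 (original S/KEY used MD4), and this is not Check Point's code.

```python
"""Model of an S/KEY-style hash-chain one-time password login (illustrative)."""
import hashlib
import hmac


def fold(data: bytes) -> bytes:
    # One chain step: MD5, then XOR the two 8-byte halves into 64 bits
    # (the fold RFC 2289 uses for MD5; original S/KEY used MD4).
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    # Client side: hash seed+passphrase once, then apply `count` more steps.
    value = fold((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold(value)
    return value


class Gateway:
    """Hypothetical verifier: stores only the last accepted OTP, never the passphrase."""

    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self):
        # The user must answer with the OTP one step *earlier* in the chain.
        return self.count - 1, self.seed

    def login(self, response: bytes) -> bool:
        if self.count <= 0:          # chain used up: user must re-enrol
            return False
        # One more hash step on a valid response reproduces the stored value.
        if not hmac.compare_digest(fold(response), self.last):
            return False
        self.last, self.count = response, self.count - 1
        return True


if __name__ == "__main__":
    secret, seed = "constructed passphrase", "ke1234"   # constructed sample values
    gw = Gateway(seed, 5, otp(secret, seed, 5))          # enrolment
    n, s = gw.challenge()
    answer = otp(secret, s, n)
    print("first use :", gw.login(answer))   # accepted
    print("replay    :", gw.login(answer))   # rejected: chain has moved on
```

Because each accepted password only reveals a value whose preimage is the next one required, someone sniffing the login learns nothing usable for the following session.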

