Check Point Firewall-1 NG(X)

VPN between Check Point Firewall-1 NG(X) and (Linux) Openswan (former FreeS/WAN)

URLs:

Openswan
TinyCA (Perl based X11 application for CA operations)
XCA (X11 application for CA operations)
SOHO VPN Router Project (VPN between OpenWRT powered routers and Check Point)

Obsolete but informational URLs:

FreeS/WAN (no longer maintained, superseeded by Openswan)
www.freeswan.ca (no longer maintained, superseeded by Openswan)
FreeS/WAN X.509 extension (no longer maintained, integrated into Openswan)
fswcert tool from strongSec (no longer needed for Openswan configuration)

Content

Gateway-to-Gateway setup (dedicated page)
RoadWarrior-to-Gateway setup (dedicated page)
Support matrix
Specifying other algorithms in Openswan
Unresolved issues

Support matrix

Notes:
¹ Patched with FreeS/WAN algorithm extensions
² Not working in client/gateway ("roadwarrior") scenario
³ Patched with FreeS/WAN X.509 extension or configured with extracted RSA signature key

IKE encryption

Method:	DES	BLOWFISH	3DES	CAST	AES	SERPENT	TWOFISH	SSH_PRIVATE
	IKE encryption

Check Point VPN-1 NG FP2	yes	no	yes	yes (128)	yes (256)	no	no	no
Check Point VPN-1 NGX R61	yes	no	yes	yes (128)	yes (128,256)	no	no	no

Linux FreeS/WAN 1.96	no	no	yes	no	no	no	no	no
Linux FreeS/WAN 1.98b	no	yes¹	yes	yes¹	yes¹ (128,256)	yes¹	yes¹	yes¹
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1	yes (56)	yes	yes	yes	yes¹ (128,256)	yes	yes	no

Linux FreeS/WAN 1.96 vs. Check Point VPN-1 NG FP2	no	no	yes	no	no	no	no	no
Linux FreeS/WAN 1.98b vs. Check Point VPN-1 NG FP2	no	no	working	working² (128)	working² (256)	no	no	no
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1 vs. Check Point VPN-1 NGX R61	no^a)	no	working	no^b)	working (128,256)	no	no	no

^a) Openswan doesn't allow this
^b) Openswan claim about " enc ealg_id=6 not present", while kernel modules "cast5" and "cast6" are loaded

IKE integrity and authentication

Method:	MD5	SHA1	SHA2	Pre-Shared Secret	Public Key Signatures
	IKE integrity			IKE authentication

Check Point VPN-1 NG FP2 Check Point VPN-1 NGX R61	yes	yes	no	yes	yes

Linux FreeS/WAN 1.96	yes	yes	no	yes	yes³
Linux FreeS/WAN 1.98b	yes	yes	yes¹ (256,512)	yes	yes³
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1	yes	yes	no^a)	yes	yes

Linux FreeS/WAN 1.96 vs. Check Point VPN-1 NG FP2	working	incompatible	no	working	working
Linux FreeS/WAN 1.98b vs. Check Point VPN-1 NG FP2	working	working	no	working	working
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1 vs. Check Point VPN-1 NGX R61	working	working	no	working	working

^a) Openswan doesn't support this in configuration

IKE Diffie-Hellman Groups and Perfect Forward Secrecy

	768 (1)	1024 (2)	1536 (5)	2048 (14)	3072 (15)	4096 (16)	6144 (17)	8196 (18)	Perfect Forward Secrecy
	Diffie-Hellman Groups								Perfect Forward Secrecy

Check Point VPN-1 NG FP2	yes	yes	yes	no	no	no	no	no	yes
Check Point VPN-1 NGX R61	yes	yes	yes	yes	no	no	no	no	yes

Linux FreeS/WAN 1.96	no	yes	yes	no	no	no	no	no	yes
Linux FreeS/WAN 1.98b	no	yes	yes	yes¹	yes¹	yes¹	no	no	yes
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1	no	yes	yes	yes	yes	yes	yes	yes	yes

Linux FreeS/WAN 1.96 vs. Check Point VPN-1 NG FP2	no	working	working	no	no	no	no	no	incompatible
Linux FreeS/WAN 1.98b vs. Check Point VPN-1 NG FP2	no	working	working	no	no	no	no	no	working^*)
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1 vs. Check Point VPN-1 NGX R61	no	working	working	working	no	no	no	no	working^*)

^*) Diffie-Hellman group cannot be specified dedicated for Perfect Forward Secrecy in Openswan, same group is used as specified for IKE (Phase 1).

Payload encryption

Method:	DES (2)	BLOWFISH (7)	3DES (3)	CAST (6)	AES	SERPENT	TWOFISH	SSH_PRIVATE	NULL (11)
	Payload encryption

Check Point VPN-1 NG FP2	yes (40,56)	no	yes	yes (40,128)	yes (128,256)	no	no	no	?
Check Point VPN-1 NGX R61	yes (40,56)	no	yes	yes (40,128)	yes (128,256)	no	no	no	yes

Linux FreeS/WAN 1.96	no	no	yes	no	no	no	no	no	?
Linux FreeS/WAN 1.98b	no	yes¹	yes	yes¹	yes¹ (128,256)	yes¹	yes¹	yes¹	?
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1	yes	yes	yes	yes	yes (128,256)	yes	yes	no	yes

Linux FreeS/WAN 1.96 vs. Check Point VPN-1 NG FP2	no	no	working	no	no	no	no	no	?
Linux FreeS/WAN 1.98b vs. Check Point VPN-1 NG FP2	no	no	working	working (40,128)	working (128,256)	no	no	no	?
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1 vs. Check Point VPN-1 NGX R61	working (56)	no	working	no^b)	working (128,256)	no	no	no	no^a)

^a) Openswan warns and netlink doesn't allow this
^b) Openswan claim about " enc ealg_id=6 not present", while kernel modules "cast5" and "cast6" are loaded

Payload integrity and compression

Method:	MD5	SHA1	SHA2	DEFLATE
	Payload integrity			Compression

Check Point VPN-1 NG FP2 Check Point VPN-1 NGX R61	yes	yes	no	yes

Linux FreeS/WAN 1.96	yes	yes	no	yes
Linux FreeS/WAN 1.98b	yes	yes	yes¹ (256,512)	yes
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1	yes	yes	no	yes

Linux FreeS/WAN 1.96 vs. Check Point VPN-1 NG FP2	working	incompatible	no	working
Linux FreeS/WAN 1.98b vs. Check Point VPN-1 NG FP2	working	working	no	working
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1 vs. Check Point VPN-1 NGX R61	working	working	no	incompatible^a)

^a) Check Point VPN-1 claims about: "IKE: Quick Mode Failed to match proposal: Transform: DEFLATE Reason: Not configured to support: IPComp."

Specifying other encryption methods in Linux Openswan

Specify the method for IKE encryption and integrity and the Diffie-Hellmann group (note that this group will be also used in Perfect Forward Secrecy, if enabled)

AES-256, SHA1 and 1536 for Diffie-Hellman

ike=aes256-sha-modp1536

AES-128, SHA1 and 1536 for Diffie-Hellman

ike=aes128-md5-modp1536

Specify the payload encryption and integrity

AES-256 and SHA1

esp=aes256-sha1

Note: in roadwarrior setup with Check Point firewall as server gateway, the IKE encryption and integrity has to be 3DES and MD5. Nothing else was confirmed working in our lab.

Unresolved issues

currently none knowing

Solved issues

FreeS/WAN with X.509 has troubles recognizing the identity sent by the Check Point FW-1, got ID_IPV4_ADDR instead of a DN. Therefore the public key has to be extracted using fswcert tool.

Sep 10 16:35:02 linux pluto[3203]: "freeswan-checkpointng-x509" #3: Peer ID is ID_IPV4_ADDR: '1.2.3.4'

Sep 10 16:35:02 linux pluto[3203]: "freeswan-checkpointng-x509" #3: Issuer CRL not found

Sep 10 16:35:02 linux pluto[3203]: "freeswan-checkpointng-x509" #3: we require peer to have ID 'O=checkpoint.lab.aerasec

.de..ab12cd, CN=checkpoint VPN Certificate', but peer declares '1.2.3.4'

Solution: at least using openswan-2.4.4-1.1.2.1, this can be specifed with parameter "leftid" (or "rightid") and would be proper recognized now.

FreeS/WAN has troubles with CRLs from Check Point FW-1 - reason unknown... - not seen anymore on FreeS/WAN 1.99 and X.509 extension 0.9.15

Related error message: CRL signature is invalid

FreeS/WAN log message ignoring informational payload, type IPSEC_RESPONDER_LIFETIME

[Contributed by Gerrit Hannaert]
These results in the connection seem to continue (Check Point VPN-1 keep getting incremented) after a certain time (probably specified by the firewall), but no traffic coming through afterwards. The solution is simple: let FreeS/Wan specify a lower keylife than the firewall does. See document at lists.freeswan.ca/2003-January/000508

No warranty at all, your Feedback is welcome!
© 2002-2011 AERAsec Network Services and Security GmbH, last change 2006-08-07
back to http://www.vpn-1.de/aerasec/