Check Point Firewall-1 NG(X)

VPN between Check Point Firewall-1 NG(X) and (Linux) Openswan (former FreeS/WAN)


AERAsec Network Services and Security GmbH




Support matrix

Footnote markers used in the tables below:
[1] Patched with the FreeS/WAN algorithm extensions
[2] Not working in the client/gateway ("roadwarrior") scenario
[3] Patched with the FreeS/WAN X.509 extension, or configured with an extracted RSA signature key

IKE encryption

Supported IKE (Phase 1) encryption algorithms per implementation (key lengths in bits in parentheses):

Implementation                                     DES       BLOWFISH  3DES  CAST       AES               SERPENT  TWOFISH  SSH_PRIVATE
Check Point VPN-1 NG FP2                           yes       no        yes   yes (128)  yes (256)         no       no       no
Check Point VPN-1 NGX R61                          yes       no        yes   yes (128)  yes (128,256)     no       no       no
Linux FreeS/WAN 1.96                               no        no        yes   no         no                no       no       no
Linux FreeS/WAN 1.98b                              no        yes[1]    yes   yes[1]     yes[1] (128,256)  yes[1]   yes[1]   yes[1]
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1  yes (56)  yes       yes   yes        yes[1] (128,256)  yes      yes      no

Interoperability of the tested pairs:

Pair                                               DES     BLOWFISH  3DES     CAST              AES                SERPENT  TWOFISH  SSH_PRIVATE
FreeS/WAN 1.96 vs. VPN-1 NG FP2                    no      no        working  no                no                 no       no       no
FreeS/WAN 1.98b vs. VPN-1 NG FP2                   no      no        working  working[2] (128)  working[2] (256)   no       no       no
Openswan 2.4.4 vs. VPN-1 NGX R61                   no a)   no        working  no b)             working (128,256)  no       no       no

a) Openswan does not allow DES for IKE.
b) Openswan reports "enc ealg_id=6 not present" although the kernel modules "cast5" and "cast6" are loaded.

IKE integrity and authentication

Supported IKE (Phase 1) integrity and authentication methods per implementation (hash lengths in bits in parentheses):

Implementation                                     IKE integrity                    IKE authentication
                                                   MD5   SHA1  SHA2                 Pre-Shared Secret  Public Key Signatures
Check Point VPN-1 NG FP2                           yes   yes   no                   yes                yes
Check Point VPN-1 NGX R61                          yes   yes   no                   yes                yes
Linux FreeS/WAN 1.96                               yes   yes   no                   yes                yes[3]
Linux FreeS/WAN 1.98b                              yes   yes   yes[1] (256,512)     yes                yes[3]
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1  yes   yes   no a)                yes                yes

Interoperability of the tested pairs:

Pair                                               MD5      SHA1          SHA2   Pre-Shared Secret  Public Key Signatures
FreeS/WAN 1.96 vs. VPN-1 NG FP2                    working  incompatible  no     working            working
FreeS/WAN 1.98b vs. VPN-1 NG FP2                   working  working       no     working            working
Openswan 2.4.4 vs. VPN-1 NGX R61                   working  working       no     working            working

a) Openswan 2.4.4 does not support SHA2 for IKE in its configuration.

IKE Diffie-Hellman Groups and Perfect Forward Secrecy

Supported MODP Diffie-Hellman groups (modulus size in bits, IKE group number in parentheses) and Perfect Forward Secrecy (PFS) per implementation:

Implementation                                     768 (1)  1024 (2)  1536 (5)  2048 (14)  3072 (15)  4096 (16)  6144 (17)  8192 (18)  PFS
Check Point VPN-1 NG FP2                           yes      yes       yes       no         no         no         no         no         yes
Check Point VPN-1 NGX R61                          yes      yes       yes       yes        no         no         no         no         yes
Linux FreeS/WAN 1.96                               no       yes       yes       no         no         no         no         no         yes
Linux FreeS/WAN 1.98b                              no       yes       yes       yes[1]     yes[1]     yes[1]     no         no         yes
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1  no       yes       yes       yes        yes        yes        yes        yes        yes

Interoperability of the tested pairs:

Pair                                               768 (1)  1024 (2)  1536 (5)  2048 (14)  3072 (15)  4096 (16)  6144 (17)  8192 (18)  PFS
FreeS/WAN 1.96 vs. VPN-1 NG FP2                    no       working   working   no         no         no         no         no         incompatible
FreeS/WAN 1.98b vs. VPN-1 NG FP2                   no       working   working   no         no         no         no         no         working *)
Openswan 2.4.4 vs. VPN-1 NGX R61                   no       working   working   working    no         no         no         no         working *)

*) In Openswan the Diffie-Hellman group cannot be specified separately for Perfect Forward Secrecy; the same group as specified for IKE (Phase 1) is used for PFS in Phase 2.

Payload encryption

Supported ESP (Phase 2) encryption algorithms per implementation (ESP transform ID after the algorithm name, key lengths in bits in the cells; ? = not determined):

Implementation                                     DES (2)      BLOWFISH (7)  3DES (3)  CAST (6)       AES (12)          SERPENT  TWOFISH  SSH_PRIVATE  NULL (11)
Check Point VPN-1 NG FP2                           yes (40,56)  no            yes       yes (40,128)   yes (128,256)     no       no       no           ?
Check Point VPN-1 NGX R61                          yes (40,56)  no            yes       yes (40,128)   yes (128,256)     no       no       no           yes
Linux FreeS/WAN 1.96                               no           no            yes       no             no                no       no       no           ?
Linux FreeS/WAN 1.98b                              no           yes[1]        yes       yes[1]         yes[1] (128,256)  yes[1]   yes[1]   yes[1]       ?
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1  yes          yes           yes       yes            yes (128,256)     yes      yes      no           yes

Interoperability of the tested pairs:

Pair                                               DES           BLOWFISH  3DES     CAST              AES                SERPENT  TWOFISH  SSH_PRIVATE  NULL
FreeS/WAN 1.96 vs. VPN-1 NG FP2                    no            no        working  no                no                 no       no       no           ?
FreeS/WAN 1.98b vs. VPN-1 NG FP2                   no            no        working  working (40,128)  working (128,256)  no       no       no           ?
Openswan 2.4.4 vs. VPN-1 NGX R61                   working (56)  no        working  no b)             working (128,256)  no       no       no           no a)

a) Openswan warns about NULL encryption for ESP, and the netlink interface to the kernel does not allow it.
b) Openswan reports "enc ealg_id=6 not present" although the kernel modules "cast5" and "cast6" are loaded.

Payload integrity and compression

Supported ESP (Phase 2) integrity algorithms and IPComp compression per implementation (hash lengths in bits in parentheses):

Implementation                                     Payload integrity                 Compression
                                                   MD5   SHA1  SHA2                  DEFLATE
Check Point VPN-1 NG FP2                           yes   yes   no                    yes
Check Point VPN-1 NGX R61                          yes   yes   no                    yes
Linux FreeS/WAN 1.96                               yes   yes   no                    yes
Linux FreeS/WAN 1.98b                              yes   yes   yes[1] (256,512)      yes
kernel 2.6.17-1.2157_FC5 / openswan 2.4.4-1.1.2.1  yes   yes   no                    yes

Interoperability of the tested pairs:

Pair                                               MD5      SHA1          SHA2   DEFLATE
FreeS/WAN 1.96 vs. VPN-1 NG FP2                    working  incompatible  no     working
FreeS/WAN 1.98b vs. VPN-1 NG FP2                   working  working       no     working
Openswan 2.4.4 vs. VPN-1 NGX R61                   working  working       no     incompatible a)

a) Check Point VPN-1 logs: "IKE: Quick Mode Failed to match proposal: Transform: DEFLATE Reason: Not configured to support: IPComp."

Specifying other encryption methods in Linux Openswan

Note: in a roadwarrior setup with the Check Point firewall as the server gateway, IKE encryption and integrity have to be 3DES and MD5. Nothing else was confirmed working in our lab.
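The following ipsec.conf fragment is an added example in Openswan 2.4.x syntax; it is not configuration from the original page or from AERAsec. It shows how the combinations marked "working" in the matrix are expressed with Openswan's ike= and esp= algorithm strings: a site-to-site connection with AES-128/SHA1/MODP-1536 and PFS, and a roadwarrior connection pinned to 3DES/MD5 as the note above requires. Addresses (RFC 5737 documentation ranges), subnets, connection names and the pre-shared key are placeholders.

```ini
# /etc/ipsec.conf  (Openswan 2.4.x; added example, not from the original page)
# Addresses, subnets and connection names below are placeholders.

config setup
        interfaces=%defaultroute
        nat_traversal=no

conn %default
        keyexchange=ike
        # VPN-1 NGX R61 rejects the IPComp/DEFLATE proposal
        # ("Not configured to support: IPComp"), so never offer compression.
        compress=no
        authby=secret

# Site-to-site: AES-128 / SHA1 / MODP-1536 for IKE, AES-128 / SHA1 for ESP.
# Each of these is "working" in the matrix for Openswan 2.4.4 vs. VPN-1 NGX R61.
# pfs=yes reuses the MODP-1536 group from ike= for quick mode, because Openswan
# cannot set a separate PFS group; configure the same group on the Check Point side.
conn checkpoint-site
        left=192.0.2.1                  # Openswan gateway (placeholder)
        leftsubnet=10.0.1.0/24          # network behind Openswan (placeholder)
        leftnexthop=%defaultroute
        right=198.51.100.1              # Check Point VPN-1 gateway (placeholder)
        rightsubnet=10.0.2.0/24         # VPN-1 encryption domain (placeholder)
        ike=aes128-sha1-modp1536
        esp=aes128-sha1
        pfs=yes
        auto=start

# Roadwarrior (client/gateway) with VPN-1 as the server gateway: only 3DES/MD5
# was confirmed working for IKE, so pin exactly that proposal. MODP-1024 (group 2)
# is "working" for all tested pairs and is reused for PFS.
conn checkpoint-roadwarrior
        left=%defaultroute              # dynamic address of the Openswan client
        right=198.51.100.1              # Check Point VPN-1 gateway (placeholder)
        rightsubnet=10.0.2.0/24         # VPN-1 encryption domain (placeholder)
        ike=3des-md5-modp1024
        esp=3des-md5
        pfs=yes
        auto=add

# /etc/ipsec.secrets (site-to-site pre-shared key; placeholder value, use a long random secret):
# 192.0.2.1 198.51.100.1 : PSK "replace-with-a-long-random-secret"
```

Bring a connection up with "ipsec auto --up checkpoint-site" and inspect the negotiated proposals with "ipsec auto --status". If a cipher from the "no" columns of the matrix is placed in ike= or esp= (for example cast128 or null), the Check Point side will not match the proposal and Phase 1 or Phase 2 will fail in exactly the way the footnotes above describe.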

Unresolved issues

Currently none known.

Solved issues



No warranty at all; your feedback is welcome!
© 2002-2011 AERAsec Network Services and Security GmbH, last change 2006-08-07
back to http://www.vpn-1.de/aerasec/