TCLUG Archive

Re: [TCLUG:6947] Linux VPN Client and IKE compliance



SecuRemote is a client-to-firewall VPN client.  Unfortunately, it is
only available for Windows platforms, meaning all others are left VPN-less
(at least in the SecuRemote sense).  This means that a remote client must
connect to and authenticate against the firewall with the SecuRemote
methods in order to establish a VPN to the network.

For remote (SecuRemote) connectivity (I'd assume this is how the CSA at
your site set it up), the client grabs its key from the Certificate
Authority and logs into the firewall and does its usual SecuRemote VPN
magic with it.  Since it's probably using some proprietary FW1 hooks, it's
not possible for you to establish a VPN with anything non-SecuRemote.  The
protocols used for encryption & authentication in their VPN (unless they
use FWZ1) aren't proprietary (although I'm beginning to suspect
anything OPSEC is slowly moving that direction), but the SecuRemote
authentication and Firewall information are proprietary, meaning remote
connectivity will have to be done through the Windows Client.

All hope is not lost, though.  If SSH is allowed into your network, you
may create your own pseudo-VPN with it through the wonderful
port-forwarding features of SSH.  You should be able to ssh into a machine
on the trusted network and forward any required ports into it (in a
proxy-esque fashion).  This is cheaper than SecuRemote and it works with
virtually any platform!  It's not as transparent, and potentially not as
secure as SecuRemote, but it should be enough for you to get the job done.

Peter Lukas

On Tue, 13 Jul 1999, Unni Nambiar wrote:

> Hi,
> 
> My company uses a firewall server called Firewall-1 from Check Point
> Software (http://www.checkpoint.com).  Unfortunately the VPN client they
> provide called SecuRemote works only on windows.  Assuming that the
> protocols used for VPN cannot be proprietary, i've been hunting all over to
> find out how a Linux VPN client could communicate with Firewall-1 (so i can
> vpn into my office without switching to windoze.:-()
> 
> Finally I got this piece of information from someone else who had the same
> query.
> 
> <extract>
> 
> I read your post from last month on the firewall mailing list;
> FW-1 4.0 is IKE compliant; therefore, with cooperation from
> your firewall administrator, you could use any IKE compliant
> client (or SKIP-compliant, for that matter).  Not that I'm sure
> there are any such clients for Linux, but you aren't bound
> to SecuRemote for encrypted connectivity.  If you have a cisco
> router w/ a version of IOS which supports IKE, for instance,
> you could make a VPN connection, although life will be much
> easier if you have a static IP address (just the nature of IPSec).
> 
> </extract>
> 
> Okay, what i understood from this (and further exploration) is that if i can
> find a Linux VPN client whose key management scheme is IKE (or SKIP ?)
> compliant, then i should be in business.  The second part didn't make much
> sense, i don't know why i need a static IP address.
> 
> In any case, at this point i've hit a blank wall.  I'm unable to get any
> information on Linux VPN clients that are IKE compliant.  All searches seem
> to lead me to Linux VPN server setup.
> 
> Can anyone help or at least point me in the right direction ?
> 
> Thanks.
> 
> -Unni Nambiar
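
The SSH port forwarding suggested in the reply above, written out as an OpenSSH client configuration. This is an added example, not part of the original messages; the host names, user name, key path and port numbers are placeholders assumed for illustration.

```sshconfig
# ~/.ssh/config  (added example; every name below is a placeholder)
#
# Start the tunnel without a remote shell:   ssh -N office-tunnel
# Then point local clients at 127.0.0.1:8080 and 127.0.0.1:1143.

Host office-tunnel
    # Machine on the trusted network that accepts SSH from outside.
    HostName gateway.example.com
    User unni
    IdentityFile ~/.ssh/id_office
    IdentitiesOnly yes

    # Refuse to connect if the gateway's host key is unknown or changed,
    # since everything forwarded below trusts this one endpoint.
    StrictHostKeyChecking yes

    # Forward only the services that are needed. Binding to 127.0.0.1
    # keeps the listeners reachable from this machine alone.
    LocalForward 127.0.0.1:8080 intranet.example.internal:80
    LocalForward 127.0.0.1:1143 mail.example.internal:143

    # Weaker alternative, shown for contrast and left disabled: with
    # GatewayPorts enabled and a wildcard bind address, any host that
    # can reach this machine could use the tunnel into the office.
    # GatewayPorts yes
    # LocalForward *:8080 intranet.example.internal:80

    # Fail at startup if a listener cannot be bound, instead of
    # running with a partial set of forwards.
    ExitOnForwardFailure yes

    # Notice a dead link and drop the session rather than hang.
    ServerAliveInterval 30
    ServerAliveCountMax 3

    # Do not expose the local agent or X display to the gateway.
    ForwardAgent no
    ForwardX11 no
```

Only the hop to the gateway is encrypted by SSH; traffic from the gateway to the internal services travels as those protocols normally do on the trusted network.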