Connecting to a Checkpoint Endpoint VPN using RADIUS or SecurID with racoon

Introduction

At work we use a Checkpoint Endpoint VPN and although SNX works, it is not ideal and I would much rather have native IPsec. Thus the quest began.

I found this page which helped me get on the right track. I also found Andrew de Quincey’s patch. I then had all the components required to set this up.

Setting it up

Patching ipsec-tools

You need to patch ipsec-tools with Andrew de Quincey's patch, which adds support for Checkpoint's xauth variant.

Obtaining the internal CA certificate from the Checkpoint VPN

This can be a bit tricky if you have uncooperative network administrators, but you need to get them to run the following either on the VPN gateway or on the MDS (depending on the setup):

   fwm exportcert -obj OBJ -cert defaultCert -pem -withroot -file checkpoint-cert.pkcs7

where OBJ is the name of the firewall object. After obtaining the pkcs7 file, run

   openssl pkcs7 -in checkpoint-cert.pkcs7 -print_certs

Find the CA certificate in the output; it is normally the self-signed one, whose subject and issuer are identical, with headers like

   subject=/O=checkpoint.intranet.example.com..p9bkhs
   issuer= /O=checkpoint.intranet.example.com..p9bkhs

and not the one with headers like

   subject=/O=checkpoint.intranet.example.com..p9bkhs/CN=rhl7 VPN Certificate
   issuer= /O=checkpoint.intranet.example.com..p9bkhs

Copy this certificate to a suitable file, for example /etc/racoon/certs/name-of-vpn.pem.

Configuring racoon

Set up /etc/racoon/racoon.conf

path certificate "/etc/racoon/certs";

listen {
  adminsock "/var/run/racoon.sock" "root" "adm" 0660;
}

log info;

remote anonymous {
  exchange_mode main,base;
  nat_traversal on;
  doi ipsec_doi;
  proposal_check obey;

  mode_cfg on;
  script "/etc/racoon/phase1-up.sh" phase1_up;
  script "/etc/racoon/phase1-down.sh" phase1_down;

  ca_type x509 "/etc/racoon/certs/name-of-vpn.pem";

  verify_identifier on;

  my_identifier user_fqdn "USERNAME";

  proposal {
    encryption_algorithm aes;
    hash_algorithm sha256;
    authentication_method hybrid_rsa_client;
    dh_group modp2048;
  }
}

sainfo anonymous {
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}

The adminsock permissions (here: owner root, group adm, mode 0660) must allow your normal user to control racoon, unless you want to start the VPN as root or via sudo. The certificate is the one extracted in the previous step.

For the phase1 scripts, you can use my phase1-up.sh and phase1-down.sh, find some other phase1 scripts or create your own. I have not added support for split tunnel in my scripts, so if you need that you need to either modify the scripts or find more suitable scripts.
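A minimal phase1-up.sh of the kind the configuration above calls, added here as an example and not the author's script. racoon exports LOCAL_ADDR, REMOTE_ADDR, INTERNAL_ADDR4 and INTERNAL_DNS4 to the phase1_up script; this version installs a full-tunnel policy (no split tunnel, like the author's) after checking that the gateway-supplied values look like IPv4 addresses. The interface name, writing /etc/resolv.conf directly, and the use of ip(8) and setkey(8) are assumptions.

```shell
#!/bin/sh
# Example phase1-up.sh for racoon mode_cfg (added example, not the author's script).
# racoon sets LOCAL_ADDR, REMOTE_ADDR, INTERNAL_ADDR4 and INTERNAL_DNS4 for us.
set -eu

IF="${IF:-eth0}"   # assumption: interface that reaches the VPN gateway

# setkey policy text for a full tunnel: all traffic from the assigned inner
# address is tunnelled in ESP to the gateway, and inbound traffic for it must
# come out of that tunnel. Pure text, so it can be checked without root.
build_spd() {
  inner="$1"; local="$2"; remote="$3"
  printf 'spdflush;\n'
  printf 'spdadd %s/32 0.0.0.0/0 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
    "$inner" "$local" "$remote"
  printf 'spdadd 0.0.0.0/0 %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
    "$inner" "$remote" "$local"
}

# resolv.conf body from the (space-separated) DNS servers handed out by the gateway.
build_resolv() {
  for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done
}

# The values come from the remote side, so refuse anything that is not a
# plain dotted quad before it is passed to ip(8) or setkey(8).
is_ipv4() {
  case "$1" in *[!0-9.]*|"") return 1 ;; esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] && [ "$1" -le 255 ] && [ "$2" -le 255 ] &&
    [ "$3" -le 255 ] && [ "$4" -le 255 ]
}

main() {
  for v in "${INTERNAL_ADDR4:-}" "${LOCAL_ADDR:-}" "${REMOTE_ADDR:-}"; do
    is_ipv4 "$v" || { echo "phase1-up: bad address '$v'" >&2; exit 1; }
  done
  ip addr add "$INTERNAL_ADDR4/32" dev "$IF"
  build_spd "$INTERNAL_ADDR4" "$LOCAL_ADDR" "$REMOTE_ADDR" | setkey -c
  if [ -n "${INTERNAL_DNS4:-}" ]; then
    build_resolv $INTERNAL_DNS4 > /etc/resolv.conf   # assumption: no resolvconf
  fi
}

# Only act when racoon invoked us (INTERNAL_ADDR4 set); sourcing is otherwise a no-op.
if [ -n "${INTERNAL_ADDR4:-}" ]; then main; fi
```

The matching phase1-down.sh would run `setkey -FP` and remove the /32 again.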

Unfortunately there is some information you need to get from your network administrator, namely the gateway's settings for encryption_algorithm, hash_algorithm, dh_group and authentication_algorithm.

Starting it up

I recommend starting racoon in the foreground with debugging enabled, which makes problems easier to find:

racoon -v -F -f /etc/racoon/racoon.conf

You can then run

/usr/sbin/racoonctl vc -u USERNAME vpn.name.or.ip

and hopefully you should be up and running. To disconnect run

/usr/sbin/racoonctl vd vpn.name.or.ip