I need to set up a Checkpoint VPN client with a customer who gave me these settings:
- Authentication Type: P12 certificate
- Password: *****
- Peer Site: IP_ADDRESS
They tell me the VPN server is:
- IPSO 6.2
- CheckPoint R70.40
I have nothing more. I can connect with Checkpoint's Windows Client without issues.
What options do I have?
I read other related questions on this and other sites, but there is no definitive answer.
I have connected to Checkpoint NGX (R75) using Shrew Soft VPN Client (in Debian/Ubuntu the package is named "ike").
Start by reading the guide here: http://www.shrew.net/support/wiki/HowtoCheckpoint (since you already have the certificate, you can skip the opening steps about creating one and skip straight to Converting the Certificate).
If you have a certificate plus password, it looks like you will be using mutual RSA + XAuth.
I didn't have access to the gateway web configuration interface but I was able to use OpenSSL (try: `openssl pkcs12 --help`) to export the CA and client certificates and private key from my .p12 into three separate files.
Once Shrew is accepting the credentials, you can run `iked -d 6 -F` to see detailed debugging output as the connection is established.
I was still a few settings away from it working at this point, but I found this thread on the Shrew mailing list useful: http://lists.shrew.net/pipermail/vpn-help/2010-May/002413.html (follow the replies). I went through the config files posted by Luca Arzeni, such as in this message, trying each setting, and eventually got past my error ("peer unknown notification") by manually specifying the IKE encryption settings (Phase 1 and Phase 2).
Good luck!
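The export step described in the answer above, as an added example that is not part of the original post: it splits a .p12 into CA certificate, client certificate and private key, then checks that the key matches the certificate and that the certificate chains to the CA. The output file names, the `P12_PASS` environment variable and the throwaway demo bundle are assumptions made for this example.

```sh
#!/bin/sh
# Added example. ca.crt / client.crt / client.key and P12_PASS are assumed names.
set -eu
umask 077   # extracted key material must not be group/world-readable

# split_p12 <bundle.p12> <outdir>
# The password is read from the exported variable P12_PASS so it never
# appears on a command line (and therefore not in the process list).
split_p12() {
    p12=$1; out=$2
    mkdir -p "$out"
    # CA certificate(s) only
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys -out "$out/ca.crt"
    # client (leaf) certificate only
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys -out "$out/client.crt"
    # private key only, kept encrypted under the same password (a choice made here)
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -passout env:P12_PASS -out "$out/client.key"
}

# check_split <outdir>: succeeds only if the key belongs to the client
# certificate and the client certificate verifies against the exported CA.
check_split() {
    d=$1
    cert_pub=$(openssl x509 -in "$d/client.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$d/client.key" -passin env:P12_PASS -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl verify -CAfile "$d/ca.crt" "$d/client.crt" >/dev/null
}

# make_demo_p12 <dir>: constructed throwaway CA + client bundle, for trying
# the functions above without touching a real certificate.
make_demo_p12() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" -keyout "$d/cl.key" -out "$d/cl.csr" 2>/dev/null
    openssl x509 -req -in "$d/cl.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -days 1 -out "$d/cl.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/cl.key" -in "$d/cl.pem" -certfile "$d/ca.pem" -passout env:P12_PASS -out "$d/demo.p12"
}
```

Export `P12_PASS` before calling `split_p12`, and unset it afterwards. If `check_split` fails, the bundle did not contain the CA that issued the client certificate, or the wrong certificate was exported.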