A Perl script for configuring and starting racoon
Authored by: tji on Feb 13, '04 05:01:13PM

This script is great. I just used it to set up a VPN connection to my "Check Point VPN-1 NG AI" firewall. Here are a few notes on my config settings:

- I used Pre-Shared secrets for authentication. Note that this is not the same as OS Password or other password methods. Check Point uses their proprietary "hybrid mode" authentication for those. You must define the user's password in the pre-shared secrets config on the firewall.

- My VPN-1 was configured to use AES encryption, so I had to tweak the configuration a bit to do this (leave the crypto in the proposal section as 3des, in the sainfo section change it to "aes 128"). The script uses the same encryption algorithm for the proposal (IKE) as the IPSec session. This is not necessarily correct. IPSec devices sometimes use different encryption for each. Mine uses AES-256 or 3DES for IKE, and AES-128 IPSec. This could also be changed in the VPN-1 user settings, so it would use 3DES for both.

- I have "Aggressive mode" enabled on VPN-1. The VPNTracker docs say to enable this. I'm not sure if it's really needed or not. I may try to disable it & see if I can still connect. (Aggressive mode is OFF by default in VPN-1)

- VPNTracker has settings to do certificates with VPN-1, so I assume it's possible. If I get real ambitious, I might try to do this too.


The debugging capabilities of MacOS's IPSec are not great. If your firewall admin is not willing to work with you on this, it could be very difficult to determine what is stopping it from working.

Also, there are some other VPN-1 features that might stop this from working. VPN-1 can be configured to enforce "SCV Checks"; this is a feature of their SecureClient software that confirms that the client is using the approved firewall policy on their system, that various OS security/integrity checks pass, and sometimes that related apps like anti-virus scanners are installed and up to date. If the admin has it configured to disallow clients that don't pass these checks, you will not be able to connect.



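The phase 1 / phase 2 cipher split described in the second note, written out as an added racoon.conf fragment; this is an illustration, not the hint's Perl script or the poster's actual config, and the gateway address, identifier and key path are placeholders.

```conf
# Added example: racoon.conf with different ciphers for IKE (phase 1) and
# for the IPsec/ESP session (phase 2). Address, identifier and paths are
# placeholders, not values from the post.

path pre_shared_key "/etc/racoon/psk.txt";   # one "identifier secret" line per peer

remote 203.0.113.1 {                           # placeholder gateway address
    exchange_mode aggressive, main;            # offer aggressive first, as the note has it enabled on VPN-1
    my_identifier user_fqdn "user@example.com"; # placeholder; must match the pre-shared secret entry on the gateway
    proposal {
        encryption_algorithm 3des;             # IKE cipher, left at 3des as in the note
        hash_algorithm sha1;
        authentication_method pre_shared_key;  # pre-shared secret, not the proprietary hybrid-mode password auth
        dh_group 2;
        lifetime time 8 hour;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes 128;              # ESP cipher; this is the line changed from 3des to match the VPN-1 user settings
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Removing `aggressive` from `exchange_mode` so only `main` is offered is the quickest way to test whether aggressive mode is really required, which the third note leaves open.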