[Openswan dev] CheckPoint SecureClient Hybrid mode authentication

Chris Poon dev-null at telus.net
Mon May 24 01:47:03 CEST 2004


I know it's currently unsupported, but after a week of hacking around the
XAuth code and a night of coding, I managed to hack together a bare minimal
client that gets through the authentication. Personally, I think it's beyond
my time and skill to make openswan support CP SecureClients authenticating
against it, and from what I gathered, it seems unlikely that this kind of
config will make it to the release because it's client-mode only. What are
my options in terms of getting it supported in openswan? I think I have
gathered enough info for someone who knows the code better to write
cleaner code.

The CP Hybrid IKE goes like this:
Client --> Hybrid-mode only transforms of various forms --> Server
           (AES-256/3DES/DES, SHA/MD5, RSA only)
Client <-- Receive proposed transform                   <-- Server
Client --> Key negotiation                              --> Server
Client <-- Key negotiated                               <-- Server
Client --> Sends empty ID (type ID_USER_FQDN)           --> Server
Client <-- Receives Cert with Server IP as ID           <-- Server
(usually a few duplicate packets from server will occur)
Client <-- Authentication request                       <-- Server
           (like XAuth but with proprietary values)
Client --> Supplies User ID                             --> Server
Client <-- Receives Password/Challenge request          <-- Server
Client --> Supplies Password/Response to challenge      --> Server
Client <-- Receives authentication status               <-- Server
(Optional Office Mode configuration follows to create virtual interface)
Client --> Requests for IP/Netmask/etc (using ModeCfg)  --> Server
Client <-- Receives IP/Netmask/etc                      <-- Server
(standard quick mode phase 2 follows)

I tried to leverage the XAuth client code as much as possible, but CheckPoint
used different values for XAUTH_TYPE, XAUTH_USER_NAME and such, and it
breaks the authentication into 2 stages, which required me to stick new
states into the state machine (and that itself was an adventure).

I would like to see a variant of FreeS/WAN implementing this authentication
scheme, preferably Openswan, seeing that it already has XAuth support, which
brings it closer to supporting Hybrid mode. Running a 2.6 kernel, I don't think
CheckPoint would make SecureClient for it. It would be even nicer with Office
mode running under KLIPS 2.6. This is another step in fully eliminating the
need for native Windows on my work laptop (still need Windows running VMWare
to support Outlook, but that's another story).

Thanks in advance for replies.
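The message sequence laid out in the post, and the "2 stages" of authentication that needed extra states, can be modelled as a small client-side state machine. The block below is an added illustration written for this page; it is not openswan or CheckPoint code. Every message kind, payload field, state name and the HMAC-based challenge response are constructed stand-ins (the post does not give CheckPoint's proprietary attribute values), and the server script in `run_demo` is likewise constructed. It does show two points the post raises: a duplicated server packet is answered by resending the previous reply rather than advancing the state, and a message that arrives in the wrong state is logged and ignored.

```python
"""Client-side state machine for the Hybrid-mode exchange described in the post.
Constructed example: names, message kinds and payloads are invented here."""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class S(Enum):
    PROPOSE_SENT = auto()   # Hybrid-mode-only transforms sent
    KE_SENT = auto()        # key negotiation sent
    ID_SENT = auto()        # empty ID_USER_FQDN sent
    WAIT_AUTH = auto()      # server cert accepted, waiting for auth request
    USER_SENT = auto()      # auth stage 1: user ID supplied
    PASSWORD_SENT = auto()  # auth stage 2: password / challenge response supplied
    MODECFG_SENT = auto()   # optional Office Mode request sent
    DONE = auto()           # phase 1 finished; quick mode would follow
    FAILED = auto()


@dataclass
class Msg:
    kind: str
    payload: dict = field(default_factory=dict)


# Server message each client state waits for (constructed names, not IKE payload types).
EXPECTED = {S.PROPOSE_SENT: "TRANSFORM_ACCEPTED", S.KE_SENT: "KEY_NEGOTIATED",
            S.ID_SENT: "SERVER_CERT", S.WAIT_AUTH: "AUTH_REQUEST",
            S.USER_SENT: "PASSWORD_REQUEST", S.PASSWORD_SENT: "AUTH_STATUS",
            S.MODECFG_SENT: "MODECFG_REPLY"}


@dataclass
class HybridClient:
    user: str
    secret: bytes
    server_ip: str
    office_mode: bool = True
    state: S = S.PROPOSE_SENT
    last_seen: Optional[str] = None
    last_reply: Optional[Msg] = None
    assigned: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def start(self) -> Msg:
        self.last_reply = Msg("PROPOSAL", {"auth": "hybrid",
                              "transforms": ["AES-256/SHA/RSA", "3DES/MD5/RSA"]})
        return self.last_reply

    def handle(self, m: Msg) -> Optional[Msg]:
        # The post notes the server repeats packets: a duplicate of the message
        # we already acted on only gets the previous reply resent.
        if m.kind == self.last_seen:
            self.log.append(f"duplicate {m.kind} in {self.state.name}, resending")
            return self.last_reply
        if EXPECTED.get(self.state) != m.kind:
            self.log.append(f"unexpected {m.kind} in {self.state.name}, ignored")
            return None
        self.last_seen = m.kind
        self.last_reply, self.state = self._advance(m)
        return self.last_reply

    def _advance(self, m: Msg):
        """Return (reply or None, next state) for the message expected in this state."""
        if self.state == S.PROPOSE_SENT:
            return Msg("KEY_EXCHANGE"), S.KE_SENT
        if self.state == S.KE_SENT:
            return Msg("ID", {"type": "ID_USER_FQDN", "id": ""}), S.ID_SENT
        if self.state == S.ID_SENT:
            # Cert carries the server IP as its ID; a mismatch fails the peer check.
            if m.payload.get("cert_id") != self.server_ip:
                self.log.append("cert ID does not match server IP")
                return None, S.FAILED
            return None, S.WAIT_AUTH
        if self.state == S.WAIT_AUTH:
            return Msg("AUTH_USER", {"user": self.user}), S.USER_SENT
        if self.state == S.USER_SENT:
            chal = m.payload.get("challenge")
            if chal is None:   # plain password request
                resp = self.secret.decode()
            else:              # challenge: HMAC-SHA256 is a constructed stand-in
                resp = hmac.new(self.secret, chal, hashlib.sha256).hexdigest()
            return Msg("AUTH_RESPONSE", {"response": resp}), S.PASSWORD_SENT
        if self.state == S.PASSWORD_SENT:
            if not m.payload.get("ok"):
                return None, S.FAILED
            if self.office_mode:
                attrs = ["INTERNAL_IP4_ADDRESS", "INTERNAL_IP4_NETMASK"]
                return Msg("MODECFG_REQUEST", {"attrs": attrs}), S.MODECFG_SENT
            return None, S.DONE
        if self.state == S.MODECFG_SENT:
            self.assigned = dict(m.payload)
            return None, S.DONE
        return None, S.FAILED


def run_demo(office_mode: bool = True) -> HybridClient:
    """Drive the client with a constructed server script, duplicate packet included."""
    c = HybridClient("alice", b"s3cret", "192.0.2.1", office_mode)
    c.start()
    script = [Msg("TRANSFORM_ACCEPTED", {"transform": "AES-256/SHA/RSA"}),
              Msg("KEY_NEGOTIATED"),
              Msg("SERVER_CERT", {"cert_id": "192.0.2.1"}),
              Msg("SERVER_CERT", {"cert_id": "192.0.2.1"}),   # duplicate packet
              Msg("AUTH_REQUEST"),
              Msg("PASSWORD_REQUEST", {"challenge": b"nonce-1"}),
              Msg("AUTH_STATUS", {"ok": True}),
              Msg("MODECFG_REPLY", {"ip": "10.0.0.5", "netmask": "255.255.255.0"})]
    for m in script:
        c.handle(m)
    return c
```

Running `run_demo()` walks the whole sequence and ends in `DONE` with the Office Mode address recorded; with `office_mode=False` the trailing `MODECFG_REPLY` is logged as unexpected and ignored. Keeping one expected message per state, plus the duplicate check, is what stops a repeated `SERVER_CERT` from being treated as a second, out-of-order ID exchange.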
