[Openswan dev] CheckPoint SecureClient Hybrid mode authentication
Ken Bantoft
ken at xelerance.com
Mon May 24 18:42:11 CEST 2004
On Mon, 24 May 2004, Chris Poon wrote:
> I know it's currently unsupported, but after a week of hacking around the
> XAuth code and a night of coding, I managed to hack together a bare minimal
> client that gets through the authentication. Personally, I think it's beyond
> my time and skill to make openswan support CP SecureClients authenticating
> against it, and from what I gathered, it seems unlikely that this kind of
> config will make it to the release because it's client-mode only. What are
> my options in terms of getting it supported in openswan? I think I have
> gathered enough info for someone who knows the code better to write
> cleaner code.
Post code, and it'll have a higher chance of being integrated :) The
biggest issue against it is 'How do we test this?' in some easy fashion.
Having client-mode only code is still quite useful, as server mode could
be written, and then testing is much simpler to do in an automated way
under UML.
> The CP Hybrid IKE goes like this
> Client --> Hybrid-mode only transforms of various forms --> Server
> (AES-256/3DES/DES, SHA/MD5, RSA only)
> Client <-- Receive proposed transform <-- Server
> Client --> Key negotiation --> Server
> Client <-- Key negotiated <-- Server
> Client --> Sends empty ID (type ID_USER_FQDN) --> Server
> Client <-- Receives Cert with Server IP as ID <-- Server
> (usually a few duplicate packets from server will occur)
> Client <-- Authentication request <-- Server
> (like XAuth but with proprietary values)
> Client --> Supplies User ID --> Server
> Client <-- Receives Password/Challenge request <-- Server
> Client --> Supplies Password/Response to challenge --> Server
> Client <-- Receives authentication status <-- Server
> (Optional Office Mode configuration follows to create virtual interface)
> Client --> Requests for IP/Netmask/etc (using ModeCfg) --> Server
> Client <-- Receives IP/Netmask/etc <-- Server
> (standard quick mode phase 2 follows)
>
> I try to leverage the XAuth client code as much as possible, but CheckPoint
> used different values for XAUTH_TYPE, XAUTH_USER_NAME and such, and it
> breaks the authentication into 2 stages which required me sticking new
> states into the state machine (and that itself was an adventure)
I'll bet. The state machine is complicated, and even small changes have a
habit of breaking other features, or interop with other systems.
> I would like to see a variant of FreeS/WAN implementing this authentication
> scheme, preferably Openswan seeing that it already has XAuth support which
> makes it closer to supporting Hybrid mode. Running a 2.6 kernel, I don't think
> CheckPoint would make SecureClient for it. It would be even nicer with Office
> mode running under KLIPS 2.6. This is another step in fully eliminating the
> need for native Windows on my work laptop (still need Windows running VMWare
> to support Outlook but that's another story).
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson
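The Hybrid-mode exchange outlined in the quoted message, modelled as a client-side state machine. This is an added illustration, not Openswan code or anything from the thread's author; the state and message names are constructed labels for the steps listed above (not real IKE payload or attribute identifiers), and it shows why the two-stage authentication needs extra states: every out-of-order message (a ModeCfg reply before the auth status, a password request before the user ID was sent) is rejected, while the duplicate certificate packets the thread mentions are tolerated.

```python
from enum import Enum, auto

class S(Enum):
    """Client-side states, one per step of the exchange outlined in the thread."""
    START = auto(); SA_SENT = auto(); SA_AGREED = auto(); KE_SENT = auto()
    KE_DONE = auto(); ID_SENT = auto(); CERT_RECEIVED = auto()
    AUTH_REQUESTED = auto(); USER_SENT = auto(); CHALLENGED = auto()
    RESPONDED = auto(); AUTHENTICATED = auto(); CFG_REQUESTED = auto()
    CFG_DONE = auto(); FAILED = auto()

# (current state, direction, message) -> next state.  "tx" = client sends,
# "rx" = client receives.  Message names are constructed labels for the
# steps in the thread, not real IKE payload or attribute identifiers.
TRANSITIONS = {
    (S.START, "tx", "hybrid_transforms"): S.SA_SENT,
    (S.SA_SENT, "rx", "transform_selected"): S.SA_AGREED,
    (S.SA_AGREED, "tx", "key_exchange"): S.KE_SENT,
    (S.KE_SENT, "rx", "key_exchange"): S.KE_DONE,
    (S.KE_DONE, "tx", "empty_user_fqdn_id"): S.ID_SENT,
    (S.ID_SENT, "rx", "server_cert"): S.CERT_RECEIVED,
    (S.CERT_RECEIVED, "rx", "server_cert"): S.CERT_RECEIVED,  # duplicate packets tolerated
    (S.CERT_RECEIVED, "rx", "auth_request"): S.AUTH_REQUESTED,
    (S.AUTH_REQUESTED, "tx", "user_id"): S.USER_SENT,           # stage 1 of the auth
    (S.USER_SENT, "rx", "password_request"): S.CHALLENGED,
    (S.CHALLENGED, "tx", "password_response"): S.RESPONDED,     # stage 2 of the auth
    (S.RESPONDED, "rx", "auth_status"): S.AUTHENTICATED,        # becomes FAILED when ok=False
    (S.AUTHENTICATED, "tx", "modecfg_request"): S.CFG_REQUESTED,
    (S.CFG_REQUESTED, "rx", "modecfg_reply"): S.CFG_DONE,       # quick mode may follow
}

class ProtocolError(Exception):
    """Raised when a message arrives that the current state does not permit."""

def run(script):
    """Drive a fresh client through (direction, message[, ok]) tuples; return the final state."""
    state = S.START
    for direction, message, *rest in script:
        ok = rest[0] if rest else True  # only auth_status carries a verdict
        nxt = TRANSITIONS.get((state, direction, message))
        if nxt is None:  # FAILED has no outgoing transitions, so it is terminal
            raise ProtocolError("unexpected %s %r in state %s" % (direction, message, state.name))
        state = S.FAILED if (message == "auth_status" and not ok) else nxt
    return state

# Constructed happy-path script following the order quoted in the thread.
HAPPY_PATH = [("tx", "hybrid_transforms"), ("rx", "transform_selected"),
              ("tx", "key_exchange"), ("rx", "key_exchange"), ("tx", "empty_user_fqdn_id"),
              ("rx", "server_cert"), ("rx", "server_cert"), ("rx", "auth_request"),
              ("tx", "user_id"), ("rx", "password_request"), ("tx", "password_response"),
              ("rx", "auth_status", True), ("tx", "modecfg_request"), ("rx", "modecfg_reply")]
```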