[Openswan dev] CheckPoint SecureClient Hybrid mode authentication

Ken Bantoft ken at xelerance.com
Mon May 24 18:42:11 CEST 2004

On Mon, 24 May 2004, Chris Poon wrote:

> I know it's currently unsupported, but after a week of hacking around the
> XAuth code and a night of coding, I managed to hack together a bare minimal
> client that gets through the authentication. Personally, I think it's beyond
> my time and skill to make openswan support CP SecureClients authenticating
> against it, and from what I gathered, it seems unlikely that this kind of
> config will make it to the release because it's client-mode only. What are
> my options in terms of getting it supported in openswan? I think I have
> gathered enough info for someone who knows the code better to write
> cleaner code.

Post code, and it'll have a higher chance of being integrated :)  The 
biggest issue against it is 'How do we test this?' in some easy fashion.

Having client-mode only code is still quite useful, as server mode could 
be written, and then testing is much simpler to do in an automated way 
under UML.

> The CP Hybrid IKE goes like this
> Client --> Hybrid-mode only transforms of various forms --> Server
>            (AES-256/3DES/DES, SHA/MD5, RSA only)
> Client <-- Receive proposed transform                   <-- Server
> Client --> Key negotiation                              --> Server
> Client <-- Key negotiated                               <-- Server
> Client --> Sends empty ID (type ID_USER_FQDN)           --> Server
> Client <-- Receives Cert with Server IP as ID           <-- Server
> (usually a few duplicate packets from server will occur)
> Client <-- Authentication request                       <-- Server
>            (like XAuth but with proprietary values)
> Client --> Supplies User ID                             --> Server
> Client <-- Receives Password/Challenge request          <-- Server
> Client --> Supplies Password/Response to challenge      --> Server
> Client <-- Receives authentication status               <-- Server
> (Optional Office Mode configuration follows to create virtual interface)
> Client --> Requests for IP/Netmask/etc (using ModeCfg)  --> Server
> Client <-- Receives IP/Netmask/etc                      <-- Server
> (standard quick mode phase 2 follows)
> I tried to leverage the XAuth client code as much as possible, but CheckPoint
> used different values for XAUTH_TYPE, XAUTH_USER_NAME and such, and it
> breaks the authentication into 2 stages, which required me to stick new
> states into the state machine (and that itself was an adventure).

I'll bet.  The state machine is complicated, and even small changes have a 
habit of breaking other features, or interop with other systems.

> I would like to see a variant of FreeS/WAN implementing this authentication
> scheme, preferably Openswan, seeing that it already has XAuth support which
> made it closer to supporting Hybrid mode. Running a 2.6 kernel, I don't think
> CheckPoint would make SecureClient for it. It would be even nicer with Office
> mode running under KLIPS 2.6. This is another step in fully eliminating the
> need for native Windows on my work laptop (still need Windows running VMWare
> to support Outlook, but that's another story).

Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson
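As an added illustration of the exchange quoted above (constructed for this thread, not Openswan's or Check Point's code; the state and message names are assumptions), here is a client-side state machine that walks the hybrid-mode sequence, tolerating the duplicate server packets Chris mentions and aborting on out-of-order messages instead of guessing:

```python
# Constructed model of the client side of the Check Point hybrid-mode
# exchange described in the quoted message. Illustrative code for this
# thread, not Openswan's state machine; message and state names are made up.
from enum import Enum, auto

class State(Enum):
    SA_SENT = auto()        # hybrid-mode-only transforms proposed
    KE_SENT = auto()        # key negotiation in progress
    ID_SENT = auto()        # empty ID_USER_FQDN sent, waiting for server cert
    WAIT_AUTH_REQ = auto()  # cert received, waiting for auth request
    USER_SENT = auto()      # user ID supplied, waiting for password/challenge
    PASS_SENT = auto()      # password/response supplied, waiting for status
    AUTHENTICATED = auto()
    FAILED = auto()

# server message -> (state in which it is valid, state the client moves to)
TRANSITIONS = {
    "SA_RESPONSE":  (State.SA_SENT, State.KE_SENT),
    "KE_RESPONSE":  (State.KE_SENT, State.ID_SENT),
    "CERT":         (State.ID_SENT, State.WAIT_AUTH_REQ),
    "AUTH_REQUEST": (State.WAIT_AUTH_REQ, State.USER_SENT),
    "PASSWORD_REQ": (State.USER_SENT, State.PASS_SENT),
}

def hybrid_client(server_msgs):
    """Feed a sequence of server messages through the client state machine.
    Returns (final_state, log), where log records what the client did."""
    state = State.SA_SENT
    log = []
    last = None
    for msg in server_msgs:
        if msg == "CERT" and last == "CERT":
            # "usually a few duplicate packets from server will occur":
            # a retransmitted cert is ignored rather than treated as an error
            log.append("ignored duplicate CERT")
            continue
        last = msg
        if msg.startswith("AUTH_STATUS:"):
            # status is only meaningful once a password/response has been sent
            if state is not State.PASS_SENT:
                return State.FAILED, log + [f"unexpected {msg} in {state.name}"]
            ok = msg.endswith("OK")
            return (State.AUTHENTICATED if ok else State.FAILED), log + [msg]
        expected, nxt = TRANSITIONS.get(msg, (None, None))
        if state is not expected:
            # unknown or out-of-order message: abort the exchange
            return State.FAILED, log + [f"unexpected {msg} in {state.name}"]
        state = nxt
        log.append(f"{msg} -> {state.name}")
    return state, log
```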
