ipsec-tools / racoon support for Checkpoint VPN-1 proprietary XAUTH authentication

I posted about this a while back, and submitted a patch to the racoon developers list. However, I never heard anything back about it (despite other people asking about it now and then). Is that project actually dead or something?

Anyway, since nothing seems to be happening there, I’ve just packaged it up into an AUR build for Arch Linux, available here.

As I mentioned before, they’ve copied XAUTH exactly but changed the packet codes, so that they conflict with other message types.

There is one extra thing though: I’ve not implemented XAUTH_CPSC_CHALLENGE, as that would require calling out to an external program to ask the user to enter a dynamic challenge password in the middle of the IPsec negotiation. You can set Checkpoint up to SMS such a code to the user on the initial connection to the VPN server, and it will then require it during authentication.
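To make the “changed the packet codes so they conflict” point concrete, here is an added example (my own code, not part of the original post or of ipsec-tools/racoon) that encodes and parses ISAKMP attributes in the TV/TLV format from RFC 2408 and decodes them against the standard Configuration Mode and XAUTH attribute tables. The post does not give Checkpoint’s actual codes, so the VENDOR_XAUTH_TYPES table below uses constructed placeholder numbers chosen to collide with the standard ones; it exists only to show how the same bytes decode to different meanings depending on which table the peer applies, and how a collision check catches that before an implementation ships.

```python
import struct

# ISAKMP attribute encoding (RFC 2408 section 3.3): a 2-byte type whose high
# bit (AF) selects the short TV form (AF=1: 2-byte value) or the long TLV form
# (AF=0: 2-byte length followed by the value bytes).
AF_BIT = 0x8000

# Standard ISAKMP Configuration Mode attribute types.
MODE_CFG_TYPES = {
    1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK", 3: "INTERNAL_IP4_DNS",
    4: "INTERNAL_IP4_NBNS", 5: "INTERNAL_ADDRESS_EXPIRY", 6: "INTERNAL_IP4_DHCP",
    7: "APPLICATION_VERSION", 8: "INTERNAL_IP6_ADDRESS", 9: "INTERNAL_IP6_NETMASK",
    10: "INTERNAL_IP6_DNS", 11: "INTERNAL_IP6_NBNS", 12: "INTERNAL_IP6_DHCP",
    13: "INTERNAL_IP4_SUBNET", 14: "SUPPORTED_ATTRIBUTES", 15: "INTERNAL_IP6_SUBNET",
}

# Standard XAUTH attribute types (draft-ietf-ipsec-isakmp-xauth-06).
XAUTH_TYPES = {
    16520: "XAUTH_TYPE", 16521: "XAUTH_USER_NAME", 16522: "XAUTH_USER_PASSWORD",
    16523: "XAUTH_PASSCODE", 16524: "XAUTH_MESSAGE", 16525: "XAUTH_CHALLENGE",
    16526: "XAUTH_DOMAIN", 16527: "XAUTH_STATUS", 16528: "XAUTH_NEXT_PIN",
    16529: "XAUTH_ANSWER",
}

# PLACEHOLDER vendor table. The real Checkpoint codes are not on the page;
# these values are constructed only so the collision is visible below.
VENDOR_XAUTH_TYPES = {
    1: "XAUTH_CPSC_USER_NAME",      # placeholder: overlaps INTERNAL_IP4_ADDRESS
    2: "XAUTH_CPSC_USER_PASSWORD",  # placeholder: overlaps INTERNAL_IP4_NETMASK
    16600: "XAUTH_CPSC_CHALLENGE",  # placeholder: no overlap, for contrast
}


def encode_tv(atype, value):
    """Short form: AF=1 and a 2-byte value packed into the length field."""
    return struct.pack("!HH", AF_BIT | (atype & 0x7FFF), value & 0xFFFF)


def encode_tlv(atype, value):
    """Long form: AF=0, 2-byte length, then the raw value bytes."""
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value


def parse_attrs(data):
    """Parse a run of ISAKMP attributes into (type, value_bytes) pairs.

    Raises ValueError on a truncated header or a TLV length that runs past
    the end of the buffer, so a malformed payload never yields a partial read.
    """
    attrs = []
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        raw_type, lv = struct.unpack_from("!HH", data, off)
        off += 4
        atype = raw_type & 0x7FFF
        if raw_type & AF_BIT:
            attrs.append((atype, struct.pack("!H", lv)))
        else:
            if off + lv > len(data):
                raise ValueError("TLV length %d overruns buffer at offset %d" % (lv, off))
            attrs.append((atype, data[off:off + lv]))
            off += lv
    return attrs


def decode_attrs(attrs, table):
    """Name each parsed attribute using one type table; unknown codes are flagged."""
    return [(table.get(atype, "UNKNOWN(%d)" % atype), value) for atype, value in attrs]


def find_collisions(vendor_table, *standard_tables):
    """Return {code: (vendor_name, standard_name)} for every reused type code."""
    taken = {}
    for table in standard_tables:
        taken.update(table)
    return {code: (name, taken[code])
            for code, name in vendor_table.items() if code in taken}


# Constructed sample payload: a TLV of type 1 carrying "alice" and a TV
# XAUTH_TYPE attribute with value 0 (Generic).
SAMPLE_PAYLOAD = encode_tlv(1, b"alice") + encode_tv(16520, 0)

if __name__ == "__main__":
    parsed = parse_attrs(SAMPLE_PAYLOAD)
    print("standard view:", decode_attrs(parsed, {**MODE_CFG_TYPES, **XAUTH_TYPES}))
    print("vendor view:  ", decode_attrs(parsed, VENDOR_XAUTH_TYPES))
    print("collisions:   ", find_collisions(VENDOR_XAUTH_TYPES, MODE_CFG_TYPES, XAUTH_TYPES))
```

The same five bytes of value are an IPv4 address assignment to a peer reading the standard table and a user name to one reading the placeholder vendor table, which is exactly the kind of ambiguity a daemon that supports both dialects has to resolve from negotiation context rather than from the attribute number alone.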

Oh yes, in the future, when I’m trying to track down why my VPN connection drops after 10 minutes (I was looking at packet traces and everything!), I really should check that I haven’t included an option like “lifetime time 10 minutes” in the config file. I find that tends to make it drop the connection after 10 minutes.
