I just got a Nokia IP440 running CheckPoint 4.1 to communicate reliably with an OpenBSD 2.9/isakmpd VPN. I also have two OpenBSD 2.9/isakmpd gateways, one of them behind a NAT, working reliably.
I currently have multiple Road Warrior SafeNet clients communicating with an Isakmpd Gateway, authenticating with digital certificates. The concentrator is also communicating with other gateways.
Scripts to create ca, certs, local cert, pkcs12 files
My usual sequence of commands is:
$ ./make-ca
$ ./make-local vpn.protectix.com
$ ./make-cert mobile.protectix.com
The scripts as they stand use the FQDN as the identifier. Modifying them to use an IP address is trivial. I typically only put the FQDN in the name field of the certificate and leave the other items blank. One could automate this with a 'here' document.
The pkcs12 format is needed by the SafeNet client. It is basically a bag containing both the certificate and the private key.
vpn.manual is an example of how to get two OpenBSD boxes talking with manual keying.
rc.vpn is an example of how to start OpenBSD VPN manually.
The version of isakmpd that ships with OpenBSD 2.8 has some bugs that make it difficult to work with. These should be fine in OpenBSD 2.9. Until that version is available, here is a text file on how to upgrade the isakmpd and do several other things to patch it up.
My goal is to have these categories filled in as people have needs for that configuration and contribute their files. The file name convention is:
FileType-LocalDaemon-LocalOS-LocalTerminationType-LocalAddress-RemoteDaemon-RemoteOS-RemoteTerminationType-RemoteAddress-Identification

Where:
  FileType is Log or Conf
  LocalDaemon is isakmpd, Win2kIPSec, KAME, FreeSWAN, SafeNet, PGPNet, etc.
  LocalOS is OpenBSD, NetBSD, FreeBSD, Linux, Win2k, Win98, MacOS, etc.
  LocalTerminationType is Client or Gateway
  LocalAddress is FixedIP or RoadWarrior
  RemoteDaemon is similar to LocalDaemon
  RemoteOS is similar to LocalOS
  RemoteTerminationType is similar to LocalTerminationType
  RemoteAddress is similar to LocalAddress
  Identification is SharedSecrets or Certificates
Note, it doesn't make sense for most Windows Clients to specify that they are a Gateway or for both termination types to be Clients.
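The following is an added example (not part of this page or its scripts) of a small parser and builder for the file name convention above. It splits a name into the ten fields, checks the closed-set fields (FileType, termination types, address types, Identification) against the values listed on the page, and enforces the two consistency rules from the note: both ends may not be Clients, and a Windows end may not be a Gateway. Treating the Windows rule as strict for the OS names Win2k and Win98 is an assumption of this example (the page says "most"), as is the assumption that no field value itself contains a hyphen.

```python
"""Parse, validate and build file names following the convention on this page.

Added example, not the page's own code.  The convention is:
FileType-LocalDaemon-LocalOS-LocalTerminationType-LocalAddress
-RemoteDaemon-RemoteOS-RemoteTerminationType-RemoteAddress-Identification
"""
from typing import Dict, List, Set

# Field order, exactly as the page lists it.
FIELDS: List[str] = [
    "FileType", "LocalDaemon", "LocalOS", "LocalTerminationType", "LocalAddress",
    "RemoteDaemon", "RemoteOS", "RemoteTerminationType", "RemoteAddress",
    "Identification",
]

# Closed value sets taken from the page.  Daemon and OS lists end in "etc", so
# they are open-ended and only checked for being non-empty.
CLOSED_VALUES: Dict[str, Set[str]] = {
    "FileType": {"Log", "Conf"},
    "LocalTerminationType": {"Client", "Gateway"},
    "RemoteTerminationType": {"Client", "Gateway"},
    "LocalAddress": {"FixedIP", "RoadWarrior"},
    "RemoteAddress": {"FixedIP", "RoadWarrior"},
    "Identification": {"SharedSecrets", "Certificates"},
}

# Assumption: the Windows OS names on the page are treated as client-only,
# so a Gateway termination type on such an end is rejected.
WINDOWS_OS: Set[str] = {"Win2k", "Win98"}


class NamingError(ValueError):
    """Raised when a name does not follow the convention."""


def parse_name(name: str) -> Dict[str, str]:
    """Split a file name into its ten fields and validate them.

    Assumes field values contain no hyphen, since the hyphen is the separator.
    """
    parts = name.split("-")
    if len(parts) != len(FIELDS):
        raise NamingError(f"expected {len(FIELDS)} fields, got {len(parts)}: {name!r}")
    fields = dict(zip(FIELDS, parts))
    for key, value in fields.items():
        if not value:
            raise NamingError(f"{key} is empty in {name!r}")
        allowed = CLOSED_VALUES.get(key)
        if allowed is not None and value not in allowed:
            raise NamingError(f"{key}={value!r} is not one of {sorted(allowed)}")
    # Consistency rules from the page's note.
    if fields["LocalTerminationType"] == "Client" and fields["RemoteTerminationType"] == "Client":
        raise NamingError("both termination types are Client; one end must be a Gateway")
    for side in ("Local", "Remote"):
        if fields[side + "OS"] in WINDOWS_OS and fields[side + "TerminationType"] == "Gateway":
            raise NamingError(f"{side}OS {fields[side + 'OS']} is a Windows client, not a Gateway")
    return fields


def build_name(**fields: str) -> str:
    """Assemble a file name from keyword fields, validating the result."""
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise NamingError(f"missing fields: {missing}")
    name = "-".join(fields[f] for f in FIELDS)
    parse_name(name)  # raises NamingError on an inconsistent combination
    return name


def is_valid(name: str) -> bool:
    """True if the name follows the convention, False otherwise."""
    try:
        parse_name(name)
    except NamingError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a SafeNet road warrior talking to an isakmpd gateway
    # with certificates, as described on this page.
    sample = build_name(FileType="Conf", LocalDaemon="isakmpd", LocalOS="OpenBSD",
                        LocalTerminationType="Gateway", LocalAddress="FixedIP",
                        RemoteDaemon="SafeNet", RemoteOS="Win2k",
                        RemoteTerminationType="Client", RemoteAddress="RoadWarrior",
                        Identification="Certificates")
    print(sample)
    print(parse_name(sample))
```

Running the script prints the constructed sample name and its parsed fields; a name such as one with Client at both ends raises NamingError, which is what a contributor's submission check would want to catch before a file is added to a category.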
Eventually, once enough information is aggregated, a VPN config-o-matic set of scripts can be made to automatically generate config files and show example logs.
While this should work, I had lots of problems with X sessions hanging and vi sessions locking up. Also incoming connections would often freeze while delivering mail, etc.