topic Re: Multiple IPsec VPN certificates in Firewall and Security Management

Multiple IPsec VPN certificates

Martin_Raska — Mon, 12 Dec 2022 15:49:26 GMT

Hello,

do we support Multiple VPN certificates per GW? I mean GW should use different External VPN certificate per VPN community tunnel?

The partner manages one firewall of two different entities(customers), and each entity has its own CA which signs the VPN certificate used for IPSec VPN tunnel. There are two communities and two different VPN certificates.

Example:

Community A - use my.firewall.com signed by ICA-1

Community B - use my.firewall.com signed by ICA-2

Both certificates are imported in GW object under IPsec VPN tab, but when establishing VPN tunnels, GW is always sending the first certificate signed by ICA-1 no matter what tunnel is it.

Re: Multiple IPsec VPN certificates

_Val_ — Mon, 12 Dec 2022 15:57:25 GMT

I would rather advise defining your own CA as trusted with either partner and using your existing GW VPN cert.

Re: Multiple IPsec VPN certificates

Martin_Raska — Mon, 12 Dec 2022 16:46:04 GMT

So its not supported?

Re: Multiple IPsec VPN certificates

PhoneBoy — Mon, 12 Dec 2022 23:15:38 GMT

Have you imported the public key for the other CA into a newly created OPSEC CA object?
Have you configured that CA as one of the trusted certificate authorities for that gateway?

Re: Multiple IPsec VPN certificates

the_rock — Mon, 12 Dec 2022 23:35:14 GMT

Im fairly positive its supported, seen people have it that way and it works. Will see if I can find the process to make that work.

Re: Multiple IPsec VPN certificates

_Val_ — Tue, 13 Dec 2022 08:05:43 GMT

It is supported, but you must add a trusted CA for each certificate, which is unnecessary admin overhead.

Re: Multiple IPsec VPN certificates

Martin_Raska — Tue, 13 Dec 2022 10:39:50 GMT

I dont have access there but from the screenshot, I can see its done. The customer's CAs are imported as trusted.

The customer is already using it in this configuration - Community A - my.firewall.com signed by ICA-1 and its working.

They want to add this configuration - Community B - my.firewall.com signed by ICA-2

But in IKE negotiation for tunnel Community B, FW is sending only my.firewall.com signed by ICA-1 not the second one or all of them.

The question here is how can you tell GW which certificate should use it for each VPN tunnel? I am not aware of such configuration.

Re: Multiple IPsec VPN certificates

the_rock — Tue, 13 Dec 2022 11:11:28 GMT

Hey @Martin_Raska ...that is EXCELLENT question, it really is. Im trying so hard to find an email where I know customer had a process how to make this work. If I can find it, I will be more than happy to share.

Re: Multiple IPsec VPN certificates

G_W_Albrecht — Tue, 13 Dec 2022 11:19:29 GMT

As the policy of each GW is separated, peer should be defined as externally managed GW - containing a Certificate Matching Criteria, as in Traditional Mode VPN long times ago...

Re: Multiple IPsec VPN certificates

Martin_Raska — Tue, 13 Dec 2022 12:33:24 GMT

Peers are Interoperable devices and the Certificate matching criteria is for the peer to present the right certificate. Here we need to tell our GW to send the right one if you have more than one imported.

Re: Multiple IPsec VPN certificates

the_rock — Tue, 13 Dec 2022 13:51:39 GMT

You would not happen to have screenshot of that config, would you? However, if you do, would you mind share? Please blur out any sensitive info.

Re: Multiple IPsec VPN certificates

Martin_Raska — Wed, 14 Dec 2022 07:46:02 GMT

I am also trying to gather full VPN debug from the customer. GW is sending only the fw-pha CM certificate in IKE.elg

Re: Multiple IPsec VPN certificates

Martin_Raska — Wed, 14 Dec 2022 11:12:17 GMT

Reviewing debugs and we can see - Unrecognized CA, getCertToSend: looking for default cert to send, I am going to verify with the customer.

Re: Multiple IPsec VPN certificates

Martin_Raska — Mon, 09 Jan 2023 09:25:34 GMT

adding info: We have TAC ticket. The support says that GW should send all certificates for Auth., but this is not happening. There are three certs, two from public CA and one from internal CA. GW is always sending one certificate and the wrong one.

Re: Multiple IPsec VPN certificates

PhoneBoy — Mon, 09 Jan 2023 18:53:32 GMT

TAC is correct: that's what should happen (all certs are sent).
The fact it's not suggests a bug, which will require investigation by R&D with TAC's assistance.