topic Re: VPN certificates in Firewall and Security Management

VPN certificates

Nik_Bloemers — Wed, 11 Dec 2019 06:55:00 GMT

Hello CheckMates,

Does anyone know how to control which certificate gets sent in a certificate-based site-to-site VPN?
There's a nice repository of certificates available on the gateway, but it always seems to send the ICA signed certificate. We only want to use the ICA certificate for CP<->CP VPN's that are managed by the same management. We also have some third-party DAIP gateways we want to use another PKI infrastructure for (that already has CRL publicly available, unlike the CP ICA).

Any ideas how to accomplish this? Browsing the documentation and SK's for half a day didn't seem to reveal a solution.

Kind regards,

Nik

Re: VPN certificates

Danny — Wed, 11 Dec 2019 07:38:25 GMT

This can be configured in the gateway object > IPsec Site-to-Site VPN. There you can choose which certificate from the cert repository it has to use.

HowTo Set Up Certificate Based VPNs with Check Point Appliances

Re: VPN certificates

Nik_Bloemers — Wed, 11 Dec 2019 07:47:58 GMT

I still don't quite understand how. I found that post yesterday and I know you can configure what CA the certificate of the other side has to belong to (with the Matching Critera on the Interoperable Device) but I don't understand how to control the certificate that is sent from Check Point to the third party DAIP gateway. The post shows how to do it with an Externally Managed CP gateway, but the GW we're dealing with on the other end is not Check Point.

Re: VPN certificates

Danny — Wed, 11 Dec 2019 08:08:38 GMT

Setting up the ICA Management Tool

Best Practices - ICA Management Tool configuration

Expired certificates cannot be deleted from the Management Database

Basically you can just run "cpca_client set_mgmt_tool on -no_ssl" in expert mode of your SmartCenter, connect to the ICA Management Tool via http://SmartCenter-IP:18265/ and configure your certificates and turn off the Management Tool via "cpca_client set_mgmt_tool off" afterwards.

Re: VPN certificates

Nik_Bloemers — Wed, 11 Dec 2019 09:31:55 GMT

I don't see how the ICA Management Tool is going to help me. It's for downloading or revoking the ICA issued certificates.

I have 2 certificates available in the IPSEC VPN pane of the Check Point gateway:
1. the default Check Point ICA issued certificate
2. a certificate signed by our internal PKI infrastructure CA

What I need to know if how to configure Check Point to send the non-ICA certificate (2) to a third party VPN peer instead of the internal ICA one (1).

Re: VPN certificates

PhoneBoy — Wed, 11 Dec 2019 16:58:24 GMT

For these third party DAIP gateways, are they part of the same VPN community or a different one?

Re: VPN certificates

Malopro — Wed, 11 Dec 2019 19:18:10 GMT

On Management Server using object Explorer you can create under Servers - Trusted CA an object that defines a external CA, you will need the Root CA Certificate ... Once done you can use Digital Certificates issued by that external CA for the VPNs that you need.

Simply add the Certificate under Gateway - IPSec VPN properties page !!

I did myself a couple of times using Comodo issued Certificates !!!

Warm regards

Re: VPN certificates

Nik_Bloemers — Thu, 12 Dec 2019 07:47:54 GMT

They are part of the same community since they are trusted locations. They just don't have Check Point gateways at those locations (yet).

Re: VPN certificates

Nik_Bloemers — Thu, 12 Dec 2019 07:49:12 GMT

As mentioned, I have the trusted CA certificate available under IPSec VPN tab along with the ICA certificate, it just doesn't send it to peers, it only sends the ICA certificate.

Re: VPN certificates

Malopro — Thu, 12 Dec 2019 11:13:06 GMT

Nik ...

I did it to stablish a Certificate authentication based Site to Site VPN with a Cisco appliance.

Did you delete the ICA Certificate on the IPSec VPN properties ??

Regards

Re: VPN certificates

Malopro — Thu, 12 Dec 2019 15:55:00 GMT

Uff ... forget my previous post ... you have CheckPoint and no-Checkpoint on the same community ...

Regards

Re: VPN certificates

_Val_ — Fri, 13 Dec 2019 08:45:14 GMT

why not using preshared key, if your remote GWs are a third party?

Re: VPN certificates

Nik_Bloemers — Fri, 13 Dec 2019 10:03:15 GMT

Because they're DAIP. Check Point doesn't allow PSK for DAIP peers.

Re: VPN certificates

Nik_Bloemers — Fri, 13 Dec 2019 11:18:11 GMT

@Malopro: indeed, I want to use the ICA certificate for the CP-CP centrally managed VPN's. Besides, what's the point of having a certificate repository if you can only actually use one certificate... Deleting the other certificate should not be the solution.

Re: VPN certificates

G_W_Albrecht — Fri, 13 Dec 2019 11:44:14 GMT

So i would suggest to use the CP internal CAs certificates - for S2S VPN this has no drawbacks...

Re: VPN certificates

Nik_Bloemers — Fri, 13 Dec 2019 12:27:34 GMT

But we have a PKI infrastructure for which the CRL is publically available. This is not the case with CP PKI. It should be possible to use a different PKI infrastructure. It is also managed by different people than the CP ICA infrastructure. So there is a drawback.

Re: VPN certificates

PhoneBoy — Fri, 13 Dec 2019 19:22:20 GMT

For the peers in question, do you have them configured to require presenting a certificate signed by a specific CA?
You would have to import and configure an OPSEC CA object.
This is described in the "Trusting an Externally Managed CA" section of the R80.30 Site-to-Site VPN guide: https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/html_frameset.htm

Then you go into the external object and configure the matching criteria, as shown here:

Re: VPN certificates

Nik_Bloemers — Mon, 16 Dec 2019 07:30:52 GMT

Yes, I have the Matching Criteria enabled and that part works. The Check Point accepts the PKI signed certificate from the third party peer gateway properly (I have a one-way IKE Main mode), that's not the problem. The problem is that Check Point sends the ICA certificate to the third party, which is not trusted obviously and the negotiation fails. On the third party gateway I can easily configure what certificate to send to a peer, but on Check Point this seems either impossible or needlessly obscure, while they force you to use certs for authentication.

Re: VPN certificates

PhoneBoy — Mon, 16 Dec 2019 16:31:07 GMT

Specifically, we force the use of certificates for DAIP gateways in particular as Pre-Shared Keys are not entirely secure in this configuration.
Trying to confirm with R&D if it's possible to use different certificates.

Re: VPN certificates

Nik_Bloemers — Tue, 17 Dec 2019 12:59:50 GMT

Thank you. It would be really odd if it wasn't possible. What's the point of having a certificate repository for IPSec then... Also, it's something that's easily possible on even 10 year old ScreenOS devices. I can just select what certificate to use for a peer gateway from a simple dropdown.