topic Re: Certificate-based VPN with elliptical curve certificate in General Topics

Certificate-based VPN with elliptical curve certificate

SteveW — Wed, 19 Aug 2020 09:47:36 GMT

I have two site-to-site VPNs between a single R80.20 security gateway and a remote Palo Alto device. I control the Check Point gateway but the Palo Alto remote peer(s) belongs to a third party organisation. One VPN is for a Production environment and other is for a Test environment.

The VPNs terminate on two different IPv4 addresses at the remote site and may be on a single device or on two separate devices. I do not know exactly how the remote end appliance is configured.

The IPsec VPNs are currently secured using shared secrets but the peer organisation want to move to certificate-based authentication using elliptical curve 256-bit certificates (ECDSA-256 with SHA256 on P-256 curve)

I need to generate a suitable CSR from my security gateway so that the remote organisation can use it to generate a certificate that can be imported into my security gateway but the CSR I generated using cpopenssl commands at the gateway cli produced an RSA 256-bit one rather than an EC 256-bit one.

In R80.20 is it possible to generate elliptical curve 256-bit CSRs so that the remote organisation can generate a certificate which I can then import into my security gateway?

Re: Certificate-based VPN with elliptical curve certificate

G_W_Albrecht — Wed, 19 Aug 2020 12:55:14 GMT

Did you consult sk27054: Defining Advanced Diffie-Hellman Groups for IKE in Site-to-Site VPN yet?

Re: Certificate-based VPN with elliptical curve certificate

SteveW — Wed, 19 Aug 2020 15:38:52 GMT

I'm using DH group 19 which is enabled by default in R80.20 so the sk article doesn't apply in this scenario.

Re: Certificate-based VPN with elliptical curve certificate

G_W_Albrecht — Thu, 20 Aug 2020 08:13:02 GMT

sk149253: How to generate and install a third-party IPSec Certificate

sk44961: Generating a 2048-bit CSR for Security Gateway

sk95064: How to create a self-signed certificate for the Gaia WebUI

sk69660: How to generate Server Certificate Signing Request (CSR) and import the new 3rd Party certificate to Mobile Access Blade

Re: Certificate-based VPN with elliptical curve certificate

SteveW — Wed, 26 Aug 2020 15:57:56 GMT

sk149253: How to generate and install a third-party IPSec Certificate appears to be the correct approach but it means asking the third-party to send me their root certificate and any intermediate certificates (or the root certificate from their firewall/VPN device) so that I can install them on my Check Point security gateway then generate a CSR to send back to them for signing.

The third-party will probably refuse my request which I could completely understand and I wouldn't want to hand out my root certificate to a partner company either! But I'll give it a go.

Re: Certificate-based VPN with elliptical curve certificate

SteveW — Wed, 09 Sep 2020 14:54:51 GMT

The Site to Site VPN Administration Guides for both R80.20 and R80.30, in the Public Key Infrastructure section, state:

"A Security Gateway taking part in VPN tunnel establishment must have an RSA key pair and a certificate issued by a trusted CA."

I would take that to mean using an elliptical curve key pair is not a possibility. Given that EC is now preferred over RSA by many organisations it's a shortcoming in Check Point's features.