topic Re: How Certificate base Remote Access VPN exchange Certificate and Exchange keys ???? in SASE and Remote Access

How Certificate base Remote Access VPN exchange Certificate and Exchange keys ????

BeaconBits — Tue, 07 Apr 2020 14:56:58 GMT

Hello Everyone,

Recently, I have deployed Remote Access VPN with "Endpoint Security Client" - Windows. It is working fine as it should be by following the Remote Access VPN User guide and with TAC's help.

https://sc1.checkpoint.com/documents/R80.10_andhigher/WebAdminGuides/EN/CP_RemoteAccessVPN_AdminGuide/html_frameset.htm

The deployment model is "Personal Certificate" and Username Password".

1 - First Certificate get Authenticated and then

2 - AD Username and Password.

But I still don't understand how PKI is working with my Internal MS CA, Checkpoint Gateway and Endpoint Security Client where it looks into CAPI Storage.

Please anyone could give insight between Certificate handling of HOW and WHERE key get installed?

In the log, I could see that Key Install and Cookies been Created.

How can I verify that I'm using the correct certificate that I exclusively created for this purpose from Internal MS CA and then imported into Checkpoint Gateway? I used "cpopenssl" utility to create initial .csr and my_key.key

Regards,

Re: How Certificate base Remote Access VPN exchange Certificate and Exchange keys ????

PhoneBoy — Wed, 08 Apr 2020 00:38:47 GMT

For the gateway to trust certificates signed by anything other than the Internal CA, that CA has to be added to the gateway object as part of the IPSEC VPN configuration.
I assume whatever LDAP profile you've created would also refer to that CA for authentication (though I don't remember offhand).
The client certificate has an identifier for the user itself.
Assuming the certificate presented by the client is for the correct user and is valid per the CA, that part of the authentication should succeed.

Re: How Certificate base Remote Access VPN exchange Certificate and Exchange keys ????

BeaconBits — Wed, 08 Apr 2020 01:00:59 GMT

Thanks @PhoneBoy .

Where Checkpoint Gateway keeps the trusted Certificate. Is there any list that I could see?

I would like to see my Internal CA's Certificate on the Gateway. I'm using VSX cluster with Management Server.

Moreover, a detailed description or any Checkpoint document of Certificate Trust Process where it shows the process of key exchange and key install would help the community.

Thanks!

Re: How Certificate base Remote Access VPN exchange Certificate and Exchange keys ????

PhoneBoy — Wed, 08 Apr 2020 03:14:36 GMT

As I said, it's in the relevant Gateway (or VS) object.
You should see it listed here:

In my case, I only have the Internal CA.
If there are other CAs the gateway is configured to trust for VPN purposes, they should be listed here.
Also, there would be an object listed under Servers > Trusted CAs that would contain the CA Public Key.

In terms of validating certificates, we follow the various standards set forth in the RFCs for IPsec and IKE.
It's also shown visually in the product documentation: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/IPsec-and-IKE.htm?tocpath=IPsec and IKE|_____0#IPsec_and_IKE
The "key install" message in the logs should show up once the DH-key has been generated.