topic Re: Quantum Spark 1570 Appliance R81.10.10 & Strongswan in Spark Firewall (SMB)

Quantum Spark 1570 Appliance R81.10.10 & Strongswan

actwon — Tue, 03 Sep 2024 13:31:04 GMT

Hello All,

As the title states I have an 1570 appliance that is locally managed. I am transitioning from MacOS to ParrotOS Linux. I have am having issues getting Strongswan configured for VPN. When you use Endpoint, the server sends the fingerprint from the VPN certificate installed onto the server for you to confirm. I do not receive that on Strongswan. I have attached an image of the configuration dialog. How do I fill this out? I am using EAP (Username/Password) in the client section.

I was able to export the internal device certificate, but it has both the internal certificate and the VPN certificate. I am unable to export the installed vpn certificate only (this is on the 1570). Any help is appreciated. I been trying to figure this out for several days now.

Re: Quantum Spark 1570 Appliance R81.10.10 & Strongswan

PhoneBoy — Thu, 05 Sep 2024 16:17:09 GMT

How did you perform the export exactly?
My guess is that the export contains both the VPN certificate and the Internal CA key.
The Internal CA key would be necessary for Strongswan to validate the VPN certificate.

The only mention I can find in the SMB-specific documentation is for Site-to-Site VPN.
I imagine the client configuration is similar to what it is on non-SMB devices: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/strongSwan-Client-Support.htm#strongSwan_Client_Configuration

Re: Quantum Spark 1570 Appliance R81.10.10 & Strongswan

actwon — Sat, 07 Sep 2024 20:41:45 GMT

Hi Phoneboy, thank you for responding. I went to VPN ->Certificates -> Internal Certificates then clicked export. I saw that guide and it didn't work fro me. I only saw the site-to-site option. Is there a way I can export the VPN certificate only?

Re: Quantum Spark 1570 Appliance R81.10.10 & Strongswan

PhoneBoy — Mon, 09 Sep 2024 19:16:12 GMT

How precisely did you verify it is actually exporting both certificates?
Because from that screen, it should only export the Internal CA certificate.
And when I dump the certificate I received from my own device...it's only the ICA (as expected):

However, I was able to find where the VPN certificate is on the appliance: $FWDIR/conf/my_vpn_cert.crt.

If you can manage to get all this working, please share what you did.

Re: Quantum Spark 1570 Appliance R81.10.10 & Strongswan

actwon — Wed, 18 Sep 2024 15:04:15 GMT

@PhoneBoythank you. I went to the location and grabbed the certificate. I tried to put it into swan, but it hasn't worked yet. Question though, when endpoint vpn connects to the server and returns the fingerprint for you to approve is there a way you can step me through how that communication/request works? If I can figure out that process I will be able to know where I should install the certificate. I believe stronswan is getting stuck on that part of verification.

Re: Quantum Spark 1570 Appliance R81.10.10 & Strongswan

PhoneBoy — Wed, 18 Sep 2024 17:47:19 GMT

Believe it occurs during the IKE negotiation when the certificate is presented as part of establishing the tunnel.