This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christian_Riede
Collaborator
‎2019-03-27 08:09 AM
Jump to solution

Activate PFS in a VPN community via API

Hello Checkpoint,

in the after Snowden aera,  we have learnt that perfect forward secrecy is one of the most important cryptographic features.

From the API documentation it is not clear how to activate PFS and how to select the PFS group when creating a VPN community or modifying an existing one.

Please Clarify: How can I activate PFS and select the PFS DH group via the API?

Thanks

Christian Riede

0 Kudos
2 Solutions

Accepted Solutions
Maik
Advisor
‎2019-03-27 08:24 AM
Jump to solution

Hey Christian,

 

The standard managment API (still) does not support the configuration that you need.

But @Kim_Moberg did a nice writeup regarding his solution via the generic objects API - see here.

 

Regards

View solution in original post

0 Kudos
Christian_Riede
Collaborator
‎2019-03-28 03:55 AM
Jump to solution

 

Summary:

find uid of community

mgmt_cli show vpn-community-star name "communityname"

find uid of dh group:

mgmt_cli show generic-objects class-name com.checkpoint.objects.classes.dummy."CpmiIkeDiffieHellmanParametersObject"

mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1EncAlg AES_MINUS_256
mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1HashAlg SHA256
mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1DhGrp 86ee63a3-cb9a-478e-add4-857aff8a7ab3
mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1RekeyTime 1440
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2EncAlg AES_MINUS_256
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2HashAlg SHA256
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2RekeyTime 3600
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2UsePfs true
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2PfsDhGrp 86ee63a3-cb9a-478e-add4-857aff8a7ab3
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2EnableSupernetFromR8020 FALSE

 

View solution in original post

0 Kudos
3 Replies
Maik
Advisor
‎2019-03-27 08:24 AM
Jump to solution

Hey Christian,

 

The standard managment API (still) does not support the configuration that you need.

But @Kim_Moberg did a nice writeup regarding his solution via the generic objects API - see here.

 

Regards

0 Kudos
Christian_Riede
Collaborator
‎2019-03-28 03:15 AM
In response to Maik
Jump to solution

Summary:

Get Community uid with:

mgmt_cli show vpn-community-star name "communityname"

Get DH group UIDs with:

mgmt_cli show generic-objects class-name com.checkpoint.objects.classes.dummy."CpmiIkeDiffieHellmanParametersObject"

 

Then:

mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1EncAlg "AES_MINUS_256"
mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1HashAlg "SHA256"
mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1DhGrp "86ee63a3-cb9a-478e-add4-857aff8a7ab3"
mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1RekeyTime "1440"
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2EncAlg "AES_MINUS_256"
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2HashAlg "SHA256"
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2RekeyTime "3600"
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2UsePfs "true"
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2PfsDhGrp "86ee63a3-cb9a-478e-add4-857aff8a7ab3"
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2EnableSupernetFromR8020 "FALSE"

0 Kudos
Christian_Riede
Collaborator
‎2019-03-28 03:55 AM
Jump to solution

 

Summary:

find uid of community

mgmt_cli show vpn-community-star name "communityname"

find uid of dh group:

mgmt_cli show generic-objects class-name com.checkpoint.objects.classes.dummy."CpmiIkeDiffieHellmanParametersObject"

mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1EncAlg AES_MINUS_256
mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1HashAlg SHA256
mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1DhGrp 86ee63a3-cb9a-478e-add4-857aff8a7ab3
mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1RekeyTime 1440
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2EncAlg AES_MINUS_256
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2HashAlg SHA256
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2RekeyTime 3600
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2UsePfs true
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2PfsDhGrp 86ee63a3-cb9a-478e-add4-857aff8a7ab3
mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2EnableSupernetFromR8020 FALSE

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events