
VPN between Checkpoint and Mikrotik based on certificates


Greetings friends!

I'm still new to the Checkpoint community. We just started integrating Checkpoint solution in our company. I have a question about VPN tunnels S2S.

We have three offices (A, B, C). Each office has Internet access and external static IPs. In offices A and B we use the Checkpoint Appliance 3100 with Gaia R80.10, and in office C we use a Kerio Control gateway. Site-2-Site VPNs are established between the three gateways (A, B, C), and this works "more or less", but that is not the issue now.

We have several small offices (D, E, F) (for example, warehouses and very small offices of 2-5 employees). These offices have an external dynamic IP address (DAIP). It’s expensive to buy Checkpoint solutions for these offices, but VPN is needed there.

We decided to install other gateways in these offices - Mikrotik. And now we are trying to establish a VPN between offices B and D.
As far as I know, if the remote gateway has an external dynamic IP address (DAIP), then a VPN tunnel can only be established on the basis of certificates (a pre-shared secret does not work in this case).

I found an article on how to do this: HowTo Set Up Certificate Based VPNs with Check Point Appliances

But this article describes how to do this if both gateways are Checkpoint.

Using the information from this article, the "trial and error" method, and a lot of Google, we almost managed to do it.

In the IPSec settings on the Checkpoint side, for the peer (Mikrotik) you only need to specify which certification authority issued the certificate and a string with the DN.

However, in Mikrotik, to establish a VPN tunnel you need to specify both certificates, Mikrotik's and the remote gateway's (Checkpoint). But I don’t understand how I can export the certificate from the Checkpoint gateway so that we can transfer it to Mikrotik.

Can you tell me how to do this? Or maybe we chose the wrong path?

Thanks in advance for your help.

P.S. Sorry for my English.

Admin

To export the Internal CA (needed for a remote server to trust the VPN certificates), in Object Explorer, go to Servers > Trusted CA > Internal CA and open the object.
Under the Local Security Management Server tab, hit the Save As button.

Your management server may need to be reachable by the remote site in order to do CRL checking.
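A quick sanity check for the exported CA, added here as an example that is not part of this thread or of Check Point's own tooling. It assumes the exported Internal CA and the gateway's VPN certificate are both available as PEM files (`openssl x509 -inform der -in ica.crt -out ica.pem` converts a DER export) and uses openssl to confirm the gateway certificate really chains to that CA and to list the CRL distribution point the remote site must be able to reach; the certificates it generates for the demo are constructed throwaways.

```shell
#!/bin/sh
# Added example: verify an exported CA against a gateway VPN certificate.
# Usage: check_vpn_cert_chain <ca.pem> <gateway.pem>
# Returns 0 when the gateway certificate was issued by the CA, 1 otherwise,
# and prints the CRL distribution point(s) found in the gateway certificate.
check_vpn_cert_chain() {
    ca="$1"; gw="$2"
    echo "CA subject : $(openssl x509 -in "$ca" -noout -subject)"
    echo "GW subject : $(openssl x509 -in "$gw" -noout -subject)"
    echo "GW issuer  : $(openssl x509 -in "$gw" -noout -issuer)"
    # Whatever host is named here must be reachable from the remote site,
    # otherwise CRL checking on the peer fails and the tunnel never comes up.
    echo "CRL DPs    :"
    openssl x509 -in "$gw" -noout -text | grep -A3 'CRL Distribution' \
        | grep -o 'URI:[^ ]*' || echo "  (none)"
    if openssl verify -CAfile "$ca" "$gw" >/dev/null 2>&1; then
        echo "chain OK: gateway certificate was issued by this CA"
        return 0
    fi
    echo "chain FAILED: this CA did not issue the gateway certificate"
    return 1
}

# Constructed demo material (assumption): a CA called "Internal CA" that
# issued a gateway certificate carrying a CRL DP, plus an unrelated CA.
make_demo_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=ExampleCo/CN=Internal CA" \
        -keyout "$dir/ica.key" -out "$dir/ica.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/O=ExampleCo/CN=gw-office-b" \
        -keyout "$dir/gw.key" -out "$dir/gw.csr" >/dev/null 2>&1
    printf 'crlDistributionPoints=URI:http://mgmt.example.invalid/ICA_CRL1.crl\n' \
        > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/gw.csr" -CA "$dir/ica.crt" -CAkey "$dir/ica.key" \
        -CAcreateserial -days 30 -extfile "$dir/ext.cnf" -out "$dir/gw.crt" \
        >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=Other/CN=Other CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
}

# Stand-alone run: a matching CA passes, an unrelated CA fails.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
check_vpn_cert_chain "$demo_dir/ica.crt" "$demo_dir/gw.crt"
check_vpn_cert_chain "$demo_dir/other.crt" "$demo_dir/gw.crt" || true
rm -rf "$demo_dir"
```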