This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stephen_Ware
Participant
‎2020-08-19 02:47 AM

Certificate-based VPN with elliptical curve certificate

I have two site-to-site VPNs between a single R80.20 security gateway and a remote Palo Alto device. I control the Check Point gateway but the Palo Alto remote peer(s) belongs to a third party organisation. One VPN is for a Production environment and other is for a Test environment.

 The VPNs terminate on two different IPv4 addresses at the remote site and may be on a single device or on two separate devices. I do not know exactly how the remote end appliance is configured.

 The IPsec VPNs are currently secured using shared secrets but the peer organisation want to move to certificate-based authentication using elliptical curve 256-bit certificates (ECDSA-256 with SHA256 on P-256 curve)

I need to generate a suitable CSR from my security gateway so that the remote organisation can use it to generate a certificate that can be imported into my security gateway but the CSR I generated using cpopenssl commands at the gateway cli produced an RSA 256-bit one rather than an EC 256-bit one.

In R80.20 is it possible to generate elliptical curve 256-bit CSRs so that the remote organisation can generate a certificate which I can then import into my security gateway?

0 Kudos
5 Replies
G_W_Albrecht
Legend
Legend
‎2020-08-19 05:55 AM

Did you consult sk27054: Defining Advanced Diffie-Hellman Groups for IKE in Site-to-Site VPN yet?

CCSE CCTE CCSM SMB Specialist
0 Kudos
Stephen_Ware
Participant
‎2020-08-19 08:38 AM
In response to G_W_Albrecht

I'm using DH group 19 which is enabled by default in R80.20 so the sk article doesn't apply in this scenario.

0 Kudos
Stephen_Ware
Participant
‎2020-08-26 08:57 AM
In response to G_W_Albrecht

sk149253: How to generate and install a third-party IPSec Certificate appears to be the correct approach but it means asking the third-party to send me their root certificate and any intermediate certificates (or the root certificate from their firewall/VPN device) so that I can install them on my Check Point security gateway then generate a CSR to send back to them for signing.

The third-party will probably refuse my request which I could completely understand and I wouldn't want to hand out my root certificate to a partner company either! But I'll give it a go.

0 Kudos
Stephen_Ware
Participant
‎2020-09-09 07:54 AM
In response to Stephen_Ware

The Site to Site VPN Administration Guides for both R80.20 and R80.30, in the Public Key Infrastructure section, state:

"A Security Gateway taking part in VPN tunnel establishment must have an RSA key pair and a certificate issued by a trusted CA."

I would take that to mean using an elliptical curve key pair is not a possibility. Given that EC is now preferred over RSA by many organisations it's a shortcoming in Check Point's features.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events