gavin_core
Explorer

VPN community mixed certificate and PSK

Hi,

I have a site to site VPN Between Open Server R80.40 (managed) and a 1430 R77.20 device (unmanaged but under my control).

The 1430 is the satellite connection in a star community. It uses a dynamic IP address configuration so the VPN is built using certificates. It is working fine.

I need to set up a VPN connection to an Interoperable device (Fortinet) that is externally managed and can only use a PSK.

The problem is that I need the Center Gateway (R8.40) to effectively be in a star community with the 1430 and the Fortinet so that they can route traffic to each other. However, if I add the Fortinet to the existing star and add the PSK, it breaks the 1430 connection. If I apply the PSK but then untick the box to use a shared key on external members, it fails for the Fortinet. So it seems you can't use both authentication methods in one community?

I am thinking my only option is to rebuild the 1430 as a managed device, then add the Fortinet to the star with a PSK.

Is there another method? The 1430 only needs to run for a few months, so I would rather not go through rebuilding it.

Could I create another community for the Fortinet? (I tried this and followed advice for routing with custom encryption domains or changing the route file, but it didn't work.)

Thanks for any advice you could offer.

5 Replies
the_rock
Legend

I think you are right, you definitely cannot use 2 auth methods in the same community. You could create a separate VPN community with the Fortigate device, but my question is, when you did this, what exactly did not work?

Andy

gavin_core
Explorer

Thanks for the confirmation of the auth methods.

I can successfully have two star communities, Centre->1430 and Centre->Fortigate, which work fine. But I cannot get traffic between the Fortigate and the 1430, which is the overall aim.

I tried editing the vpn_route.conf file according to articles, but it didn't work. I think because the Fortigate is interoperable and the 1430 is unmanaged, so it can't get that update?

I tried using specific encryption domains on the communities so that the Centre shows the satellite subnets in its encryption domain. But that didn't work for me either.

the_rock
Legend

K, understood. Can you please indicate the sk you followed, the example you used, and the subnets that need to communicate?

Cheers,

Andy

gavin_core
Explorer

I was following information found on this community, really.

For the vpn_route.conf file I used the link below. But I think it seemed split on whether it works for interoperable or unmanaged devices, because you can't specify a gateway to install it on?

https://community.checkpoint.com/t5/Security-Gateways/Routing-between-VPNs/td-p/90408

I have the specific encryption domain solution working on another two separate communities; however, they are all managed Check Points in that configuration. I used the two links below to get the info on how to do it.

https://community.checkpoint.com/t5/Security-Gateways/multiple-domain-per-vpn-community/td-p/115353

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/MicroCont...

I have the subnets below.

Centre - 10.1.0.0/16

1430 - 10.121.0.0/16 and 192.168.100.0/24

Fortinet - 10.131.0.0/16 and 10.132.0.0/16

So for the encryption domains I defined in the communities:

---- Fortinet Community ----

Centre - 10.1.0.0/16, 10.121.0.0/16 and 192.168.100.0/24

Fortinet - 10.131.0.0/16 and 10.132.0.0/16

---- 1430 Community ----

Centre - 10.1.0.0/16, 10.131.0.0/16 and 10.132.0.0/16

1430 - 10.121.0.0/16 and 1092.168.100.0/24

I hope that makes sense.

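To make the two-community layout above easier to reason about, here is an added example (written for this thread, not code from the poster or from Check Point) that models each star community as a map of peer name to encryption domain and then walks a packet hub-and-spoke style: spoke A to Centre through one community, Centre to spoke B through the other. It assumes the subnets listed in the post, takes the 1430's second subnet as 192.168.100.0/24 (as given earlier in the thread), and names the hub "Centre"; the function and variable names are mine. It also flags overlapping subnets between two peers inside one community, which is the kind of ambiguity the_rock is asking about, and shows that dropping the 1430 subnets from Centre's domain in the Fortinet community leaves the 1430-to-Fortinet path stranded at the hub.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Domain = Dict[str, list]            # peer name -> list of networks in its encryption domain
Hop = Tuple[str, str, str]          # (community, from_peer, to_peer)


def domain(*cidrs: str) -> list:
    """Build an encryption domain from CIDR strings."""
    return [ip_network(c) for c in cidrs]


# Constructed model of the two star communities from the post (hypothetical names).
COMMUNITIES: Dict[str, Domain] = {
    "Fortinet": {
        "Centre": domain("10.1.0.0/16", "10.121.0.0/16", "192.168.100.0/24"),
        "Fortinet": domain("10.131.0.0/16", "10.132.0.0/16"),
    },
    "1430": {
        "Centre": domain("10.1.0.0/16", "10.131.0.0/16", "10.132.0.0/16"),
        "1430": domain("10.121.0.0/16", "192.168.100.0/24"),  # assumed second subnet
    },
}


def find_peer(dom: Domain, ip: str) -> Optional[str]:
    """Return the peer whose encryption domain contains ip, or None if no peer claims it."""
    addr = ip_address(ip)
    for peer, nets in dom.items():
        if any(addr in n for n in nets):
            return peer
    return None


def domain_conflicts(dom: Domain) -> List[Tuple[str, str, str, str]]:
    """List subnet pairs that overlap between two different peers of one community.

    An address inside such an overlap is claimed by two peers, so the gateway
    cannot unambiguously pick a tunnel for it.
    """
    peers = list(dom.items())
    found = []
    for i, (pa, nets_a) in enumerate(peers):
        for pb, nets_b in peers[i + 1:]:
            for a in nets_a:
                for b in nets_b:
                    if a.overlaps(b):
                        found.append((pa, pb, str(a), str(b)))
    return found


def hub_path(communities: Dict[str, Domain], hub: str, src: str, dst: str) -> Optional[List[Hop]]:
    """Trace src -> dst through the communities, preferring spoke -> hub -> spoke.

    Returns the list of tunnel hops, or None if no community carries the packet.
    A path that stops at the hub for a destination the hub does not own means
    the hub has no second community whose domain lets it forward onward.
    """
    # Two-hop case: enter the hub through one community, leave through another.
    for n1, d1 in communities.items():
        s1, t1 = find_peer(d1, src), find_peer(d1, dst)
        if s1 in (None, hub) or t1 != hub:
            continue
        for n2, d2 in communities.items():
            if n2 == n1 or find_peer(d2, src) != hub:
                continue
            t2 = find_peer(d2, dst)
            if t2 not in (None, hub):
                return [(n1, s1, hub), (n2, hub, t2)]
    # Single-hop cases: hub -> spoke, or spoke -> hub.
    for name, dom in communities.items():
        s, t = find_peer(dom, src), find_peer(dom, dst)
        if s == hub and t not in (None, hub):
            return [(name, hub, t)]
        if t == hub and s not in (None, hub):
            return [(name, s, hub)]
    return None


if __name__ == "__main__":
    for dom_name, dom in COMMUNITIES.items():
        print(dom_name, "conflicts:", domain_conflicts(dom))
    print("1430 -> Fortinet:", hub_path(COMMUNITIES, "Centre", "10.121.5.5", "10.131.7.7"))
```

Running it prints no conflicts for either community and a two-hop path for the 1430-to-Fortinet traffic, which is what the encryption-domain layout in the post is meant to achieve; whether the unmanaged 1430 and the interoperable Fortigate actually honour that layout is a separate question from the model.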
the_rock
Legend

I think that's the same example as below:

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/htm...

By the way, I'm a little confused about your last section for enc. domains. It appears you gave 3 subnets to the enc. domain of the center gateway, though 2 of them belong to the 1430? I really think the best way for me to verify all this is to do a remote session, if you are allowed to. If so, I have time till 11 am EST. Feel free to message me offline.

Cheers.
