VPN between Checkpoint and Mikrotik based on certificates

Greetings friends!

I'm still new to the Checkpoint community. We just started integrating a Checkpoint solution in our company. I have a question about S2S VPN tunnels.

We have three offices (A, B, C). In each of the offices there is Internet and external static IPs. In offices A and B we use the Checkpoint Appliance 3100 with Gaia R80.10, and in office C we use a Kerio Control gateway. Site-2-Site VPNs are established between the three gateways (A, B, C) and this works "more or less", but this is not the case now.

We have several small offices (D, E, F) (for example, warehouses and very small offices of 2-5 employees). These offices have an external dynamic IP address (DAIP). It’s expensive to buy Checkpoint solutions for these offices, but VPN is needed there.

We decided to install other gateways in these offices - Mikrotik. And now we are trying to establish VPN between office B and D.
As far as I know, if the remote gateway has an external dynamic IP address (DAIP), then a VPN tunnel can only be established on the basis of certificates (a pre-shared secret does not work in this case).

I found an article on how to do this: HowTo Set Up Certificate Based VPNs with Check Point Appliances

But this article describes how to do this if both gateways are Checkpoint.

Using the information from this article and the "trial and error" method and a lot of Google, we almost managed to do it.

In the IPSec settings on the Checkpoint side, for the second side (Mikrotik) you only need to specify which certification authority issued the certificate and a string with the DN.

However, in Mikrotik, to establish a VPN tunnel, you need to specify both certificates, Mikrotik's and the remote gateway's (Checkpoint). But I don't understand how I can export the certificate from the Checkpoint gateway so that we can transfer it to Mikrotik.

Can you tell me how to do this? Or maybe we chose the wrong path?

Thanks in advance for your help.

P.S. Sorry for my English.

4 Replies

To export the Internal CA (needed for a remote server to trust the VPN certificates), in Object Explorer, go to Servers > Trusted CA > Internal CA and open the object.
Under the Local Security Management Server tab, hit the Save As button.

Your management server may need to be reachable by the remote site in order to do CRL checking.
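Not part of this thread: an added openssl check of the kind you would run after saving the Internal CA as described above. It verifies that a peer certificate (here a constructed stand-in for the MikroTik one) actually chains to the exported CA, rejects a self-signed certificate carrying the same name, and prints the Subject DN string in the form entered for the peer on the Check Point side; all file names, key material and DN values are constructed assumptions.

```shell
#!/bin/sh
# Added example: check a peer's VPN certificate against the Internal CA
# exported from SmartConsole and print the Subject DN that goes into the
# peer object on the Check Point side. All key material below is
# constructed here as a stand-in for the real ICA and MikroTik certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the exported Internal CA (in reality: the file saved via
# Servers > Trusted CA > Internal CA > Save As, converted to PEM if needed).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ica.key" -out "$WORK/ica.pem" \
    -subj "/O=Example Corp/CN=Internal CA" >/dev/null 2>&1

# Stand-in for the certificate installed on the MikroTik at office D,
# issued by that CA.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/peer.key" \
    -out "$WORK/peer.csr" -subj "/O=Example Corp/CN=mikrotik-d" >/dev/null 2>&1
openssl x509 -req -sha256 -days 365 -in "$WORK/peer.csr" \
    -CA "$WORK/ica.pem" -CAkey "$WORK/ica.key" -CAcreateserial \
    -out "$WORK/peer.pem" >/dev/null 2>&1

# A self-signed certificate with the same DN, which a correct check must reject:
# matching the DN string alone is not enough, the issuing CA must match too.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" \
    -subj "/O=Example Corp/CN=mikrotik-d" >/dev/null 2>&1

# Returns 0 only if the certificate in $2 chains to the CA in $1.
check_peer_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the Subject DN in RFC 2253 form (CN=...,O=...), the string that is
# matched against the peer's certificate identity on the Check Point side.
peer_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

ICA="$WORK/ica.pem"; PEER="$WORK/peer.pem"; ROGUE="$WORK/rogue.pem"
if check_peer_cert "$ICA" "$PEER"; then echo "peer.pem issued by ICA: $(peer_dn "$PEER")"; fi
check_peer_cert "$ICA" "$ROGUE" || echo "rogue.pem rejected (not issued by ICA)"
```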

Greetings all,

Did you succeed in connecting Mikrotik and Checkpoint with a DAIP address?

Can you provide a tutorial or picture for IPSEC on Mikrotik?

Best Regards,

You can find this in Site to Site VPN R80.40 Administration Guide p.43ff - Configuring a VPN with External Security Gateways Using Certificates.


@G_W_Albrecht Thanks for this, I will try to make the connection this week.

@sir_impactor when you see this post, let me know if you succeeded with Mikrotik, and provide some details for the configuration on the Mikrotik side.
