sir_impactor
Explorer

VPN between Checkpoint and Mikrotik based on certificates


Greetings friends!

I'm still new to the Checkpoint community. We just started integrating the Checkpoint solution in our company. I have a question about S2S VPN tunnels.

We have three offices (A, B, C). Each of the offices has Internet access and external static IPs. In offices A and B we use the Checkpoint Appliance 3100 with Gaia R80.10, and in office C we use a Kerio Control gateway. Site-to-Site VPNs are established between the three gateways (A, B, C), and this works "more or less", but that is not the question now.

We have several small offices (D, E, F) (for example, warehouses and very small offices of 2-5 employees). These offices have an external dynamic IP address (DAIP). It's expensive to buy Checkpoint solutions for these offices, but VPN is needed there.

We decided to install other gateways in these offices - Mikrotik. And now we are trying to establish a VPN between offices B and D.
As far as I know, if the remote gateway has an external dynamic IP address (DAIP), then the VPN tunnel can only be established on the basis of certificates (a pre-shared secret does not work in this case).

I found an article on how to do this: HowTo Set Up Certificate Based VPNs with Check Point Appliances

But this article describes how to do this if both gateways are Checkpoint.

Using the information from this article, the "trial and error" method and a lot of Google, we almost managed to do it.

In the IPsec settings on the Checkpoint side, for the peer (Mikrotik) you only need to specify which certification authority issued the certificate and a string with the DN.

However, in Mikrotik, to establish the VPN tunnel, you need to specify both certificates, Mikrotik's and the remote gateway's (Checkpoint). But I don't understand how I can export the certificate from the Checkpoint gateway so that we can transfer it to Mikrotik.

Can you tell me how to do this? Or maybe we chose the wrong path?

Thanks in advance for your help.

P.S. Sorry for my English.

4 Replies
PhoneBoy
Admin

To export the Internal CA (needed for a remote server to trust the VPN certificates), in Object Explorer, go to Servers > Trusted CA > Internal CA and open the object.
Under the Local Security Management Server tab, hit the Save As button.

Your management server may need to be reachable by the remote site in order to do CRL checking.
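PhoneBoy's answer above covers exporting the Internal CA, and the original post mentions the DN string the Check Point side matches on and the Mikrotik's need to trust the gateway certificate. As an added example, not from the thread or from either vendor, this POSIX shell script uses openssl to confirm that an exported file really is a CA certificate, that a gateway certificate chains to it, and to print the RFC 2253 DN and the CRL URIs the remote peer would need to reach; all file names, DNs and URLs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check an exported CA against a gateway
# certificate and print the values both VPN ends must agree on.
# Assumes openssl is installed; all names, DNs and URLs below are constructed.
set -e

# peer_dn CERT : subject DN in RFC 2253 form, the "string with DN" matched on
peer_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# is_ca FILE : succeeds only if FILE carries basicConstraints CA:TRUE
is_ca() {
    openssl x509 -in "$1" -noout -ext basicConstraints | grep -q 'CA:TRUE'
}

# chains_to CAFILE CERT : succeeds only if CERT was issued under CAFILE
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# crl_urls CERT : CRL distribution point URIs; the peer must be able to reach them
crl_urls() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints | sed -n 's/.*URI://p'
}

# report CAFILE CERT : one-screen summary for the operator
report() {
    is_ca "$1" && echo "CA file OK: $(peer_dn "$1")" || echo "WARNING: $1 is not a CA certificate"
    chains_to "$1" "$2" && echo "chain OK" || echo "WARNING: $2 does not chain to $1"
    echo "peer DN : $(peer_dn "$2")"
    echo "CRL URIs: $(crl_urls "$2")"
}

# make_demo_pki DIR : constructed throwaway CA plus one gateway cert for testing
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=example.lab/CN=demo_internal_ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=example.lab/CN=gw_b" \
        -keyout "$1/gw.key" -out "$1/gw.csr" 2>/dev/null
    printf 'crlDistributionPoints=URI:http://mgmt.example.lab/crl.der\n' > "$1/ext.cnf"
    openssl x509 -req -days 30 -in "$1/gw.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/ext.cnf" -out "$1/gw.pem" 2>/dev/null
}
```

Run `report exported_ca.pem gateway_cert.pem` against the real files; if Save As gave you DER, convert first with `openssl x509 -inform DER -in ica.crt -out ica.pem`.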
Rade_Bebek
Participant

Greetings all,

did you succeed in connecting Mikrotik and Checkpoint with a DAIP address?

Can you provide a tutorial or pictures for IPsec on Mikrotik?

Best Regards,

Rade


G_W_Albrecht
Legend

You can find this in the Site to Site VPN R80.40 Administration Guide, p. 43ff - Configuring a VPN with External Security Gateways Using Certificates.

Rade_Bebek
Participant

@G_W_Albrecht Thanks for this, I will try to make the connection this week.

@sir_impactor when you see this post, let me know if you succeeded with Mikrotik, and provide some details on the configuration on the Mikrotik side.
