This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sir_impactor
Explorer
‎2019-10-15 01:22 PM

VPN between Checkpoint and Mikrotik based on certificates


Greetings friends!

I'm still new to the Checkpoint community. We just started integrating Checkpoint solution in our company. I have a question about VPN tunnels S2S.

We have three offices (A, B, C). In each of the offices there is Internet and external static IPs. In offices A and B we use the Checkpoint Appliance 3100 with Gaia R80.10, and in office C we use Kerio Control gateway. VPN Site-2-Site are established between the three gateways (A, B, C) and this works "more or less", but this is not the case now.

We have several small offices (D, E, F) (for example, warehouses and very small offices of 2-5 employees). These offices have an external dynamic IP address (DAIP). It’s expensive to buy Checkpoint solutions for these offices, but VPN is needed there.

We decided to install other gateways in these offices - Mikrotik. And now we are trying to establish VPN between office B and D.
As far as I know, if the remote gateway has an external dynamic IP address (DAIP), then VPN tunnel can only be established on the basis of certificates (Pre-shared secret does not work in this case).

I found article on how to do this HowTo Set Up Certificate Based VPNs with Check Point Appliances  

But this article describes how to do this if both gateways are Checkpoint.

Using the information from this article and the "trial and error" method and a lot of a lot of Google, we almost managed to do it.

In the IPSec settings for checkpoint, you need to specify for the second side (Mikrotik) only which certification authority issued the certificate and string with DN.

However, in Mikrotik, to establish VPN tunnel, you need to specify both certificates, Mikrotik and remote gateway (Checkpoint). But I don’t understand how I can do export certificate from the Checkpoint gateway so that we can transfer it to Mikrotik.

Can you tell me how to do this? Or maybe we chose the wrong path?

Thanks in advance for your help.

P.S. Sorry for my english.

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2019-10-19 01:11 PM

To export the Internal CA (needed for a remote server to trust the VPN certificates), in Object Explorer, go to Servers > Trusted CA > Internal CA and open the object.
Under the Local Security Management Server tab, hit the Save As button.

Your management server may need to be reachable by the remote site in order to do CRL checking.
Rade_Bebek
Participant
‎2020-11-13 12:14 AM

Greetings all,

are you success connect mikrotik and checkpoint with DAIP address?

Can you provide tutorial or picture for IPSEC on mikrotik.

Best Regards,

Rade

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-11-13 06:28 AM
In response to Rade_Bebek

You can find this in Site to Site VPN R80.40 Administration Guide p.43ff - Configuring a VPN with External Security
Gateways Using Certificates.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Rade_Bebek
Participant
‎2020-11-13 10:45 AM
In response to G_W_Albrecht

@G_W_Albrecht Thanks for this, I will try make connection this week.

@sir_impactor  when you see post let me know if you succeeded with mikrotik, and provide some details for configuration on mikrotik side.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events