Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

VPN certificates

Hello CheckMates,

Does anyone know how to control which certificate gets sent in a certificate-based site-to-site VPN?
There's a nice repository of certificates available on the gateway, but it always seems to send the ICA signed certificate. We only want to use the ICA certificate for CP<->CP VPN's that are managed by the same management. We also have some third-party DAIP gateways we want to use another PKI infrastructure for (that already has CRL publicly available, unlike the CP ICA).

Any ideas how to accomplish this? Browsing the documentation and SK's for half a day didn't seem to reveal a solution.

Kind regards,

Nik

0 Kudos
24 Replies
Highlighted
Pearl

This can be configured in the gateway object > IPsec Site-to-Site VPN. There you can choose which certificate from the cert repository it has to use.

HowTo Set Up Certificate Based VPNs with Check Point Appliances

0 Kudos
Highlighted

I still don't quite understand how. I found that post yesterday and I know you can configure what CA the certificate of the other side has to belong to (with the Matching Critera on the Interoperable Device) but I don't understand how to control the certificate that is sent from Check Point to the third party DAIP gateway. The post shows how to do it with an Externally Managed CP gateway, but the GW we're dealing with on the other end is not Check Point.
0 Kudos
Highlighted
Pearl

Setting up the ICA Management Tool

Best Practices - ICA Management Tool configuration

Expired certificates cannot be deleted from the Management Database

Basically you can just run "cpca_client  set_mgmt_tool on  -no_ssl" in expert mode of your SmartCenter, connect to the ICA Management Tool via http://SmartCenter-IP:18265/ and configure your certificates and turn off the Management Tool via "cpca_client  set_mgmt_tool off" afterwards.

0 Kudos
Highlighted

I don't see how the ICA Management Tool is going to help me. It's for downloading or revoking the ICA issued certificates.

I have 2 certificates available in the IPSEC VPN pane of the Check Point gateway:
1. the default Check Point ICA issued certificate
2. a certificate signed by our internal PKI infrastructure CA

What I need to know if how to configure Check Point to send the non-ICA certificate (2) to a third party VPN peer instead of the internal ICA one (1).
0 Kudos
Highlighted
Admin
Admin

For these third party DAIP gateways, are they part of the same VPN community or a different one?
0 Kudos
Highlighted
Ivory

On Management Server using object Explorer you can create under Servers - Trusted CA an object that defines a external CA, you will need the Root CA Certificate ... Once done you can use Digital Certificates issued by that external CA for the VPNs that you need.

Simply add the Certificate under Gateway - IPSec VPN properties page !!

I did myself a couple of times using Comodo issued Certificates !!!

 

Warm regards

0 Kudos
Highlighted

As mentioned, I have the trusted CA certificate available under IPSec VPN tab along with the ICA certificate, it just doesn't send it to peers, it only sends the ICA certificate.
0 Kudos
Highlighted
Admin
Admin

why not using preshared key, if your remote GWs are a third party?

0 Kudos
Highlighted

Because they're DAIP. Check Point doesn't allow PSK for DAIP peers.
0 Kudos
Highlighted
Sapphire

So i would suggest to use the CP internal CAs certificates - for S2S VPN this has no drawbacks...

0 Kudos
Highlighted

But we have a PKI infrastructure for which the CRL is publically available. This is not the case with CP PKI. It should be possible to use a different PKI infrastructure. It is also managed by different people than the CP ICA infrastructure. So there is a drawback.
0 Kudos

They are part of the same community since they are trusted locations. They just don't have Check Point gateways at those locations (yet).
0 Kudos
Highlighted
Ivory

Nik ...

I did it to stablish a Certificate authentication based Site to Site VPN with a Cisco appliance.

Did you delete the ICA Certificate on the IPSec VPN properties ??

 

Regards

0 Kudos
Highlighted

@Malopro: indeed, I want to use the ICA certificate for the CP-CP centrally managed VPN's. Besides, what's the point of having a certificate repository if you can only actually use one certificate... Deleting the other certificate should not be the solution.
0 Kudos
Highlighted
Ivory

Uff ... forget my previous post ... you have CheckPoint and no-Checkpoint on the same community ...

 

Regards

0 Kudos
Highlighted
Admin
Admin

For the peers in question, do you have them configured to require presenting a certificate signed by a specific CA?
You would have to import and configure an OPSEC CA object.
This is described in the "Trusting an Externally Managed CA" section of the R80.30 Site-to-Site VPN guide: https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/htm...

Then you go into the external object and configure the matching criteria, as shown here:

Screen Shot 2019-12-13 at 11.17.16 AM.png

0 Kudos
Highlighted

Yes, I have the Matching Criteria enabled and that part works. The Check Point accepts the PKI signed certificate from the third party peer gateway properly (I have a one-way IKE Main mode), that's not the problem. The problem is that Check Point sends the ICA certificate to the third party, which is not trusted obviously and the negotiation fails. On the third party gateway I can easily configure what certificate to send to a peer, but on Check Point this seems either impossible or needlessly obscure, while they force you to use certs for authentication.
0 Kudos
Highlighted
Admin
Admin

Specifically, we force the use of certificates for DAIP gateways in particular as Pre-Shared Keys are not entirely secure in this configuration.
Trying to confirm with R&D if it's possible to use different certificates.
0 Kudos
Highlighted

Thank you. It would be really odd if it wasn't possible. What's the point of having a certificate repository for IPSec then... Also, it's something that's easily possible on even 10 year old ScreenOS devices. I can just select what certificate to use for a peer gateway from a simple dropdown.
0 Kudos
Highlighted
Admin
Admin

What R&D tells me is that it should not be necessary to configure which certificate our gateway sends.
The gateway should send the correct certificate automatically based on the IKE negotiation, which includes what CA(s) are considered valid for a given gateway.
This, of course, assumes the CA is trusted (i.e. configured as an OPSEC CA) and the gateway has a certificate issued by that CA.
That suggests a TAC ticket might be in order.

0 Kudos
Highlighted

Thanks for the information. It's good to know how it's supposed to work, though I find it very odd that as the admin I can't decide what cert gets sent, but CP does it on it's own. The CA should be correctly trusted (since the Check Point side accepts the certificate sent by the peer no problem, I get a Main Mode complete for that), but the other side doesn't accept the certificate obviously since it receives the default cert instead of the cert signed by the same CA. I will see about contacting TAC. We might just go with a slightly different setup because of the way Check Point handles this.

0 Kudos
Highlighted
Admin
Admin

@Nik_Bloemers IKE phase one completion usually means both sides trust their certificates. 

You also can add externally issued certificates for your managed GWs.

 

Screenshot 2019-12-18 at 09.24.34.png

 

 

0 Kudos
Highlighted

The peer clearly rejects the certificate, it's visible in the logging of that device (and it shows which certificate it has received). Why the CP side says Main Mode completion I don't know. I guess the CP side built an IKE SA successfully, since it has received a valid certificate.
Not sure what you mean by your second remark/screenshot. As stated a few times the externally issued certificate was added to the repository successfully, it's just not being sent the peer (only the default ICA signed one is).
0 Kudos
Highlighted
Admin
Admin

Which, again, suggests a TAC case might be in order.
0 Kudos