How does a certificate-based Remote Access VPN exchange certificates and keys?

Hello Everyone,


Recently, I deployed Remote Access VPN with the "Endpoint Security Client" for Windows. It is working fine, as it should, by following the Remote Access VPN User Guide and with TAC's help.

The deployment model is "Personal Certificate" and "Username and Password":

1 - First, the certificate gets authenticated, and then

2 - the AD username and password.


But I still don't understand how PKI works between my internal MS CA, the Check Point Gateway and the Endpoint Security Client, where it looks into the CAPI store.


Could anyone please give insight into the certificate handling, i.e. how and where the key gets installed?

In the log, I can see that the key install and the cookies have been created.

How can I verify that I'm using the correct certificate, the one I created exclusively for this purpose from the internal MS CA and then imported into the Check Point Gateway? I used the "cpopenssl" utility to create the initial .csr and my_key.key.




3 Replies

For the gateway to trust certificates signed by anything other than the Internal CA, that CA has to be added to the gateway object as part of the IPsec VPN configuration.
I assume whatever LDAP profile you've created would also refer to that CA for authentication (though I don't remember offhand).
The client certificate has an identifier for the user itself.
Assuming the certificate presented by the client is for the correct user and is valid per the CA, that part of the authentication should succeed.
0 Kudos

Thanks @PhoneBoy . 


Where does the Check Point Gateway keep the trusted certificate? Is there any list that I could see?

I would like to see my internal CA's certificate on the gateway. I'm using a VSX cluster with a Management Server.


Moreover, a detailed description or any Check Point document of the certificate trust process, showing the key exchange and key install, would help the community.



0 Kudos

As I said, it's in the relevant Gateway (or VS) object.
You should see it listed here:

[Screenshot: Screen Shot 2020-04-07 at 7.54.02 PM.png]

In my case, I only have the Internal CA.
If there are other CAs the gateway is configured to trust for VPN purposes, they should be listed here.
Also, there would be an object listed under Servers > Trusted CAs that would contain the CA Public Key. 

In terms of validating certificates, we follow the various standards set forth in the RFCs for IPsec and IKE.
It's also shown visually in the product documentation (IPsec and IKE section).
The "key install" message in the logs should show up once the DH key has been generated.

0 Kudos
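The two checks the thread circles around, whether the imported certificate really chains to the CA the gateway has been told to trust, and whether it is the certificate that belongs to the key generated alongside the CSR, can both be done with plain openssl, the tool that cpopenssl wraps. The script below is an added example, not Check Point code and not a cpopenssl invocation: it builds a throw-away PKI locally (a stand-in "Example Internal CA", a gateway key plus CSR named my_key.key and my_req.csr, and the signed my_cert.crt, all constructed here) and then runs the same verification against it, including the negative cases of a certificate presented to the wrong CA and a key that does not match the certificate. No gateway or MS CA is contacted.

```shell
#!/bin/sh
# Added example, not Check Point code. Mirrors the thread's setup with plain openssl:
# an internal CA signs a certificate whose key pair came from a CSR, then we check
# (1) that the certificate chains to the CA we meant and (2) that it carries the
# public key of my_key.key. Names below (Example Internal CA, vpn-gw.example.test,
# my_key.key, my_req.csr, my_cert.crt) are assumptions for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the throw-away PKI: the CA, the gateway key + CSR, the signed certificate,
# plus an unrelated CA and an unrelated key so the negative checks have something to reject.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Internal CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Some Other CA" -keyout "$WORK/other_ca.key" -out "$WORK/other_ca.crt"
  # What the CSR step produces on the gateway side: a private key and a request for it.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn-gw.example.test" \
    -keyout "$WORK/my_key.key" -out "$WORK/my_req.csr"
  # The CA signs the CSR; this is the certificate that would be imported.
  openssl x509 -req -in "$WORK/my_req.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/my_cert.crt"
  # A key that was never used in any CSR.
  openssl genrsa -out "$WORK/other.key" 2048
}
setup_pki >/dev/null 2>&1

# chains_to_ca CERT CA: succeeds only if CERT was signed by CA and is currently valid.
# This is the decision the gateway makes against the CA it has been configured to trust.
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# pubkey_fingerprint FILE MODE: SHA-256 of the DER-encoded public key taken from a
# private key file (MODE=key) or from a certificate (MODE=cert).
pubkey_fingerprint() {
  {
    if [ "$2" = key ]; then
      openssl pkey -in "$1" -pubout -outform DER 2>/dev/null
    else
      openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null
    fi
  } | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT: succeeds only if CERT carries KEY's public key, i.e. the
# certificate really is the one issued for the CSR made from that key.
key_matches_cert() {
  k=$(pubkey_fingerprint "$1" key)
  c=$(pubkey_fingerprint "$2" cert)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# issuer_of CERT: the issuer DN, i.e. which CA object the gateway must trust for it.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Stand-alone report (the checks themselves are the functions above).
printf 'subject: %s\n' "$(openssl x509 -in "$WORK/my_cert.crt" -noout -subject)"
printf 'issuer:  %s\n' "$(issuer_of "$WORK/my_cert.crt")"
if chains_to_ca "$WORK/my_cert.crt" "$WORK/ca.crt"; then
  echo "chain to Example Internal CA: OK"
fi
if ! chains_to_ca "$WORK/my_cert.crt" "$WORK/other_ca.crt"; then
  echo "chain to Some Other CA:       rejected (this CA did not sign it)"
fi
if key_matches_cert "$WORK/my_key.key" "$WORK/my_cert.crt"; then
  echo "my_key.key matches my_cert.crt: yes"
fi
if ! key_matches_cert "$WORK/other.key" "$WORK/my_cert.crt"; then
  echo "other.key matches my_cert.crt:  no"
fi
```

The same three commands (openssl verify, the public-key fingerprint comparison, and openssl x509 -noout -issuer) can be run against a certificate exported from the gateway and the my_key.key that cpopenssl produced: a matching fingerprint confirms the imported certificate is the one issued for that CSR, and the issuer DN is the CA whose object must appear in the gateway's trusted CA list.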

