Daniel_3
Contributor

Remote VPN Machine Authentication

Hello,

I am currently implementing remote VPN with machine authentication for our company and our customers and partners.

I configured VPN for ourselves (an IT provider) and for one of our customers. Each has its own VPN gateway.

For the VPN authentication we use Active Directory. Provider and customer have their own AD, completely separated.

For the machine certificates we used separate sub CAs, but both are using the same root CA.

I also have a user in our customer's AD domain, since I am one of the firewall admins and we have to do basic login tests after implementing changes that affect remote VPN. We also use a separate test client for that, which is connected to our customer's AD.

Now the issue is that my company's client (which is not part of the customer's AD) is also able to log in to the customer's VPN gateway, even though my machine name is not registered in the customer's AD. So the machine authentication should fail.

There is no machine identity in the logs, and they also show the different AD name, but the login is still successful.

My guess is that this is possible because both are using the same root CA.

I tried to use the branch filter in the root CA settings in SmartConsole, but I could not figure out the correct syntax, and there seem to be no configuration examples online.

Has anyone used this filter already and got it to work? Or is there another solution for this issue?

We are using R81.20 on the firewalls, and the client versions are E88.30 and E88.70 (Windows and macOS clients).

12 Replies
PhoneBoy
Admin

Are all the gateways managed by the same management or different ones?

Daniel_3
Contributor

They are managed by separate management servers.

PhoneBoy
Admin

I assume in each management server, the external CA is imported.
It looks like this is where you would specify the relevant DN for that organization's certificates.
I assume each organization (with a different SubCA) has a unique DN for its certificates.
I could be wrong about that, as this is not a configuration I've seen before.

Daniel_3
Contributor

Yes, that is the exact setting I played around with. But I was not able to figure out the syntax to filter out the machines that are not part of the corresponding domain. Login was either still possible for all clients or for none.

PhoneBoy
Admin

Have you reviewed the certificates issued by the various sites to see their complete DN?
What should be in this field is a partial DN, and it should be unique to the site in question.

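The trust problem this thread describes, as an added example that is not code from the original posts or from Check Point: two issuing CAs under one shared root, and a gateway that trusts only that root. Plain chain validation accepts a machine certificate from either sub CA; an additional check that the issuing CA's DN contains the site's partial DN (what the root CA's branch filter is meant to enforce) rejects the foreign one while still admitting the site's own machines. Go standard library only; all CA and machine names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// issue returns a certificate with common name cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// acceptMachine models the gateway: the chain must verify under opts and, if partialDN is set, the issuing CA's DN must contain it.
func acceptMachine(leaf *x509.Certificate, opts x509.VerifyOptions, partialDN string) bool {
	if _, err := leaf.Verify(opts); err != nil {
		return false // does not chain to the trusted root
	}
	return partialDN == "" || strings.Contains(leaf.Issuer.String(), partialDN)
}

// Scenario: one shared root with a provider and a customer sub CA (constructed names), checked at the customer gateway.
func Scenario() (providerRootOnly, providerFiltered, customerFiltered bool) {
	root, rootKey := issue("Shared Root CA", true, nil, nil)
	subProv, provKey := issue("IssuingCA-Provider", true, root, rootKey)
	subCust, custKey := issue("IssuingCA-Customer", true, root, rootKey)
	provPC, _ := issue("laptop01.provider.example", false, subProv, provKey)
	custPC, _ := issue("laptop01.customer.example", false, subCust, custKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)            // the customer gateway trusts only the shared root ...
	opts.Intermediates.AddCert(subProv) // ... and each client presents its own sub CA certificate
	opts.Intermediates.AddCert(subCust)
	filter := "CN=IssuingCA-Customer" // partial DN configured at the customer gateway
	return acceptMachine(provPC, opts, ""), acceptMachine(provPC, opts, filter), acceptMachine(custPC, opts, filter)
}
```

With root trust alone the provider's machine is accepted (true); with the customer's partial DN enforced it is rejected (false) while the customer's own machine still passes (true).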
Daniel_3
Contributor

I already tried the following:

CN=domain.net

CN=IntermediateCA

CN=IssuingCA

For the two CAs I tried both the partial DN and the full DN.

But I keep getting the error "Name constraints checking failed." on the client.

PhoneBoy
Admin

Have you tried using ldapsearch on the CLI?
Perhaps that will provide a bit more visibility into what's going on (and possibly help find the correct syntax).

Daniel_3
Contributor

But is this branch filter about LDAP branches? My understanding is that the root CA does not have visibility of LDAP branches.

PhoneBoy
Admin

The CA does not, correct, but the certificates themselves have an LDAP path associated with them.

Daniel_3
Contributor

I tried several variations of the LDAP paths now, but still no luck.

PhoneBoy
Admin

Unfortunately, the only suggestion I can offer here is to open a TAC case: https://help.checkpoint.com

Daniel_3
Contributor

OK, yes, I have a TAC case open now. Thanks for your efforts to help!
I will update this thread when I find a solution.
