actwon
Explorer

Quantum Spark 1570 Appliance R81.10.10 & Strongswan

Hello All,

As the title states I have a 1570 appliance that is locally managed. I am transitioning from MacOS to ParrotOS Linux. I am having issues getting Strongswan configured for VPN. When you use Endpoint, the server sends the fingerprint from the VPN certificate installed onto the server for you to confirm. I do not receive that on Strongswan. I have attached an image of the configuration dialog. How do I fill this out? I am using EAP (Username/Password) in the client section.

I was able to export the internal device certificate, but it has both the internal certificate and the VPN certificate. I am unable to export the installed VPN certificate only (this is on the 1570). Any help is appreciated. I have been trying to figure this out for several days now.

5 Replies
PhoneBoy
Admin

How did you perform the export exactly?
My guess is that the export contains both the VPN certificate and the Internal CA key.
The Internal CA key would be necessary for Strongswan to validate the VPN certificate. 

The only mention I can find in the SMB-specific documentation is for Site-to-Site VPN.
I imagine the client configuration is similar to what it is on non-SMB devices: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 


actwon
Explorer

Hi PhoneBoy, thank you for responding. I went to VPN -> Certificates -> Internal Certificates, then clicked export. I saw that guide and it didn't work for me. I only saw the site-to-site option. Is there a way I can export the VPN certificate only?

PhoneBoy
Admin

How precisely did you verify it is actually exporting both certificates?
Because from that screen, it should only export the Internal CA certificate.
And when I dump the certificate I received from my own device...it's only the ICA (as expected):

[image: certificate dump from the export, showing only the ICA certificate]

However, I was able to find where the VPN certificate is on the appliance: $FWDIR/conf/my_vpn_cert.crt.

If you can manage to get all this working, please share what you did.

actwon
Explorer

@PhoneBoy thank you. I went to the location and grabbed the certificate. I tried to put it into swan, but it hasn't worked yet. Question though, when Endpoint VPN connects to the server and returns the fingerprint for you to approve, is there a way you can step me through how that communication/request works? If I can figure out that process I will be able to know where I should install the certificate. I believe strongswan is getting stuck on that part of verification.

PhoneBoy
Admin

Believe it occurs during the IKE negotiation when the certificate is presented as part of establishing the tunnel.

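The two questions in this thread, "does my export contain one certificate or two?" and "which fingerprint do I compare against what Endpoint showed me?", can both be answered on the Linux client before touching strongSwan. The script below is an added example, not code from the thread, from Check Point or from the strongSwan project. It assumes only openssl and a POSIX shell. The ICA and VPN certificate it inspects are a constructed stand-in generated on the spot (a throwaway CA signing a throwaway gateway certificate), so the real files, the ICA export from the appliance and $FWDIR/conf/my_vpn_cert.crt, are the ones you would substitute for export.pem, ca.pem and vpn.pem. The functions count the certificates in a PEM file, split a bundle into single certificates, print each one's subject, issuer and SHA-1/SHA-256 fingerprints (the thread does not say which digest Endpoint displays, so both are shown), flag the self-signed one (the ICA) and check that the VPN certificate actually chains to the ICA, which is the validation strongSwan will have to perform during IKE.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a Check Point certificate export
# before configuring strongSwan. Requires openssl. All file names are constructed.
set -eu

# Number of PEM certificates in a file. An export that really "has both"
# the ICA and the VPN certificate prints 2; a plain ICA export prints 1.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a PEM bundle into DIR/cert1.pem, DIR/cert2.pem, ... one cert per file.
split_bundle() {
    bundle=$1
    dir=$2
    awk -v dir="$dir" \
        '/-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" } n { print > out }' \
        "$bundle"
}

# Subject, issuer and the fingerprints you would compare with what the
# Endpoint client shows when it asks you to confirm the gateway certificate.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
    openssl x509 -in "$1" -noout -fingerprint -sha1
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# "yes" when subject == issuer. The Internal CA certificate is self-signed;
# the VPN certificate is issued by the ICA and therefore is not.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ] && echo yes || echo no
}

# Exit 0 when the VPN certificate ($2) validates against the CA file ($1).
# This is the trust relationship strongSwan needs: the ICA on the client,
# the VPN certificate presented by the gateway during IKE.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed fixture: a throwaway ICA, a VPN certificate it signs, and a
# "bundle" export containing both. Replace with the real appliance files.
make_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Internal CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/vpn.key" -out "$dir/vpn.csr" \
        -subj "/CN=gateway.example" >/dev/null 2>&1
    openssl x509 -req -in "$dir/vpn.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/vpn.pem" >/dev/null 2>&1
    cat "$dir/ca.pem" "$dir/vpn.pem" > "$dir/export.pem"
}

WORK=$(mktemp -d)
make_fixture "$WORK"

echo "certificates in export.pem: $(count_certs "$WORK/export.pem")"
split_bundle "$WORK/export.pem" "$WORK"
for f in "$WORK"/cert*.pem; do
    echo "== $f (self-signed: $(is_self_signed "$f"))"
    describe_cert "$f"
done

if verify_chain "$WORK/ca.pem" "$WORK/vpn.pem"; then
    echo "vpn.pem chains to ca.pem: strongSwan can validate it with this CA"
else
    echo "vpn.pem does NOT chain to ca.pem: wrong CA or wrong certificate"
fi
```

Run it against the real files by pointing count_certs and split_bundle at the appliance export, then describe_cert at each piece: the self-signed one is the ICA, the other (if present) is the VPN certificate whose fingerprint Endpoint asked you to confirm. In the standard strongSwan layout the client does not install the gateway's VPN certificate at all; it only needs the ICA that signed it (as a file under /etc/swanctl/x509ca/ with swanctl, or /etc/ipsec.d/cacerts/ with the legacy ipsec.conf setup) so that the certificate presented during IKE can be validated. That placement is the general strongSwan convention, not something the thread confirmed against the 1570.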
