This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
actwon
Explorer
‎2024-09-03 06:31 AM

Quantum Spark 1570 Appliance R81.10.10 & Strongswan

Hello All,

As the title states I have an 1570 appliance that is locally managed. I am transitioning from MacOS to ParrotOS Linux. I have am having issues getting Strongswan configured for VPN. When you use Endpoint, the server sends the fingerprint from the VPN certificate installed onto the server for you to confirm. I do not receive that on Strongswan. I have attached an image of the configuration dialog. How do I fill this out? I am using EAP (Username/Password) in the client section.

I was able to export the internal device certificate, but it has both the internal certificate and the VPN certificate. I am unable to export the installed vpn certificate only (this is on the 1570). Any help is appreciated. I been trying to figure this out for several days now.

Preview file
26 KB
Preview file
59 KB
0 Kudos
5 Replies
PhoneBoy
Admin
Admin
a month ago

How did you perform the export exactly?
My guess is that the export contains both the VPN certificate and the Internal CA key.
The Internal CA key would be necessary for Strongswan to validate the VPN certificate. 

The only mention I can find in the SMB-specific documentation is for Site-to-Site VPN.
I imagine the client configuration is similar to what it is on non-SMB devices: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 

 

0 Kudos
actwon
Explorer
a month ago
In response to PhoneBoy

Hi Phoneboy, thank you for responding. I went to VPN ->Certificates -> Internal Certificates then clicked export. I saw that guide and it didn't work fro me. I only saw the site-to-site option. Is there a way I can export the VPN certificate only?

0 Kudos
PhoneBoy
Admin
Admin
4 weeks ago
In response to actwon

How precisely did you verify it is actually exporting both certificates?
Because from that screen, it should only export the Internal CA certificate.
And when I dump the certificate I received from my own device...it's only the ICA (as expected):

image.png

However, I was able to find where the VPN certificate is on the appliance: $FWDIR/conf/my_vpn_cert.crt.

If you can manage to get all this working, please share what you did.

0 Kudos
actwon
Explorer
2 weeks ago
In response to PhoneBoy

@PhoneBoythank you. I went to the location and grabbed the certificate. I tried to put it into swan, but it hasn't worked yet. Question though, when endpoint vpn connects to the server and returns the fingerprint for you to approve is there a way you can step me through how that communication/request works? If I can figure out that process I will be able to know where I should install the certificate. I believe stronswan is getting stuck on that part of verification.

0 Kudos
PhoneBoy
Admin
Admin
2 weeks ago
In response to actwon

Believe it occurs during the IKE negotiation when the certificate is presented as part of establishing the tunnel.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events