Alex-
Leader

Clarification on sk108600 - VPN with 3rd parties

We have a VPN where the remote party expects a PSK and an FQDN.


We never had to do this before so we'd be grateful for experience feedback from those who have.


I've checked sk108600 (VPN Site-to-Site with 3rd Party) and would like some clarification:

- On VSX, do we need to edit the CPProfile files under the specific VS? I would assume yes but it's not explicitly mentioned

- Renewing the IPsec certificate and adding the FQDN as a SAN will not matter in the case of PSK

- There is a procedure to export the values directly to system variables, but it doesn't enforce the change, so a reboot is mandatory to make them active


Thanks for any insights.


EDIT: Point 2 is actually covered in the notes of the SK.

7 Replies
PhoneBoy
Admin

I assume you would do this at the VS level, yes.
Because these environment variables affect multiple processes, it requires a restart of the gateway/VS, which cpstop/cpstart should do when in the relevant VS context.

Alex-
Leader

It seems to work. We can see the FQDN being added in the IKEv2 negotiation when debugging VPN.

<Payloads>
			<Payload Type="IDi" Next="Auth" Length="26" Critical="No">
				<Type>FQDN</Type>
				<Data>MyFQDN</Data>
			</Payload>
			<Payload Type="Auth" Next="Notify" Length="72" Critical="No">
				<Method>Shared Secret</Method>

We will test with the relevant partner asking for this feature.
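
As an added example (not from the original post, nor Check Point's or Fortinet's own code), here is a small Python checker that pulls the IDi and Auth payloads out of a vpn debug IKEv2 XML fragment like the one posted above and confirms what the peer asks for: an IDi of type FQDN carrying the expected name, and Shared Secret authentication. The first sample is constructed from the posted fragment; the second is a constructed failure case where the gateway still identifies itself by IP address, and its "IPV4_ADDR" type label is an assumption about how the debug output prints that type. Something like this is handy to rerun after each jumbo or version upgrade to confirm the identity setting survived.

```python
import re

# Constructed sample modelled on the IKEv2 debug fragment posted above:
# an IDi payload carrying an FQDN and an Auth payload using a shared secret.
SAMPLE_FQDN_PSK = """<Payloads>
    <Payload Type="IDi" Next="Auth" Length="26" Critical="No">
        <Type>FQDN</Type>
        <Data>MyFQDN</Data>
    </Payload>
    <Payload Type="Auth" Next="Notify" Length="72" Critical="No">
        <Method>Shared Secret</Method>
    </Payload>
</Payloads>"""

# Constructed failure case: the gateway still identifies itself by IP address.
# The "IPV4_ADDR" label is an assumption about how the debug prints that type.
SAMPLE_IP_PSK = """<Payloads>
    <Payload Type="IDi" Next="Auth" Length="12" Critical="No">
        <Type>IPV4_ADDR</Type>
        <Data>192.0.2.1</Data>
    </Payload>
    <Payload Type="Auth" Next="Notify" Length="72" Critical="No">
        <Method>Shared Secret</Method>
    </Payload>
</Payloads>"""

# One IKEv2 payload: the opening tag with its Type attribute, then everything
# up to the next payload or the end of the <Payloads> block. Matching this way
# tolerates truncated debug output that is not well-formed XML.
PAYLOAD_RE = re.compile(
    r'<Payload\s+Type="(?P<type>[^"]+)"[^>]*>(?P<body>.*?)(?=<Payload\s|</Payloads>|\Z)',
    re.S,
)


def _field(body: str, tag: str):
    """Return the text of <tag>...</tag> inside one payload body, or None."""
    m = re.search(rf"<{tag}>(.*?)</{tag}>", body, re.S)
    return m.group(1).strip() if m else None


def summarize_identities(debug_text: str) -> dict:
    """Collect ID payload (type, value) pairs and the Auth method from a debug fragment."""
    summary = {}
    for m in PAYLOAD_RE.finditer(debug_text):
        ptype, body = m.group("type"), m.group("body")
        if ptype in ("IDi", "IDr"):
            summary[ptype] = (_field(body, "Type"), _field(body, "Data"))
        elif ptype == "Auth":
            summary["Auth"] = _field(body, "Method")
    return summary


def check_peer_requirements(debug_text: str, expected_fqdn: str, expect_psk: bool = True) -> list:
    """Return mismatches against a peer that wants IDi=FQDN plus PSK (empty list if all good)."""
    summary = summarize_identities(debug_text)
    problems = []
    idi = summary.get("IDi")
    if idi is None:
        problems.append("no IDi payload found in the fragment")
    else:
        id_type, id_data = idi
        if id_type != "FQDN":
            problems.append(f"IDi type is {id_type}, peer expects FQDN")
        elif id_data != expected_fqdn:
            problems.append(f"IDi FQDN is {id_data!r}, expected {expected_fqdn!r}")
    if expect_psk and summary.get("Auth") != "Shared Secret":
        problems.append(f"Auth method is {summary.get('Auth')}, expected Shared Secret")
    return problems


if __name__ == "__main__":
    for name, text in (("fqdn+psk", SAMPLE_FQDN_PSK), ("ip+psk", SAMPLE_IP_PSK)):
        issues = check_peer_requirements(text, "MyFQDN")
        print(name, "OK" if not issues else "; ".join(issues))
```

Feed it the relevant IKE_AUTH section of the debug output rather than the whole file, since the regex works on the fragment it is given and reports on every IDi/IDr/Auth payload it finds there.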

the_rock
Legend

I meant to reply this morning, but got tied up with something else, but PhoneBoy gave the right method. It's definitely on VS level. I had a client who had this issue and that's what TAC ended up suggesting as well.

Andy

JozkoMrkvicka
Authority

Out of curiosity, what is the vendor of the 3rd party peer?

Kind regards,
Jozko Mrkvicka
Alex-
Leader

@JozkoMrkvicka Fortinet, configuring PSK + FQDN per VPN tunnel.

As I understand it, on Check Point this is a global parameter.

JozkoMrkvicka
Authority

I recently configured an IKEv2 VPN between a VS and a FortiGate, but it went very smoothly without any problem or additional modifications. Maybe it is some specific setting done for a specific Fortinet product in your case?

Kind regards,
Jozko Mrkvicka
Alex-
Leader

Yes, they actively require the FQDN on top of the PSK.

I would have preferred a certificate-based approach if we are verifying FQDN and the likes so we just exchange CA and don't edit system files, but we're not making the rules for that connection.

One more thing to check after each jumbo/version upgrade.