Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Alex-
Leader Leader
Leader

Clarification on sk108600 - VPN with 3rd parties

We have a VPN where the remote party expects a PSK and an FQDN.

 

We never had to do this before so we'd be grateful for experience feedback from those who have.

 

I've checked sk108600  VPN Site-to-Site with 3rd Party and would like some clarification:

- On VSX, do we need to edit the CPProfile files under the specific VS? I would assume yes but it's not explicitly mentioned

- Renewing the IPSEC Certificate and adding the FQDN as SAN will not matter in the case of PSK

- There is a procedure to export the values directly to system variables but it doesn't enforce the change, so a reboot is mandatory to make them active

 

Thanks for any insights.

 

EDIT: Point 2 is actually covered in the notes of the SK.

0 Kudos
12 Replies
PhoneBoy
Admin
Admin

I assume you would do this at the VS level, yes.
Because these environment variables affect multiple processes, it requires a restart of the gateway/VS, which cpstop/cpstart should do when in the relevant VS context.

Alex-
Leader Leader
Leader

It seems to work. We can see the FQDN being added in the IKEv2 negotiation when debugging VPN.

<Payloads>
			<Payload Type="IDi" Next="Auth" Length="26" Critical="No">
				<Type>FQDN</Type>
				<Data>MyFQDN</Data>
			</Payload>
			<Payload Type="Auth" Next="Notify" Length="72" Critical="No">
				<Method>Shared Secret</Method>

We will test with the relevant partner asking for this feature.

PhoneBoy
Admin
Admin

Sounds promising, keep us posted 😉

0 Kudos
Alex-
Leader Leader
Leader

It worked, the IKEv2 negotiation completed successfully with validation of the FQDN along the PSK.

Worth noting this is global parameter on Check Point as far as we can see so not scalable, maybe R82 will change that.

0 Kudos
the_rock
Legend
Legend

I meant to reply this morning, but got tied up with something else, but Phoneboy gave the right method. Its definitely on VS level. I had client who had this issue and thats what TAC ended up suggesting as well.

Andy

JozkoMrkvicka
Authority
Authority

Out of curiosity, what is vendor of 3rd party peer ?

Kind regards,
Jozko Mrkvicka
0 Kudos
Alex-
Leader Leader
Leader

@JozkoMrkvicka Fortinet, configuring PSK + FQDN per VPN tunnel.

As I understand it, on Check Point this is a global parameter.

JozkoMrkvicka
Authority
Authority

I recently configured IKEv2 VPN between VS and FortiGate, but it went very smooth without any problem/additional modifications. Maybe it is some specific setting done for specific Fortinet product in your case ?

Kind regards,
Jozko Mrkvicka
0 Kudos
Alex-
Leader Leader
Leader

Yes, they actively require the FQDN on top of the PSK.

I would have preferred a certificate-based approach if we are verifying FQDN and the likes so we just exchange CA and don't edit system files, but we're not making the rules for that connection.

One more thing to check after each jumbo/version upgrade.

the_rock
Legend
Legend

I have fully licensed Fortigate in the lab running 7.6.0 (latest version), so if you need anything tested, let me know.

Andy

0 Kudos
Alex-
Leader Leader
Leader

Nice offer. 😀

Basically it's the option 2 of the SK, editing $CPDIR/tmp/$CPprofile.sh and CPprofile.csh with the mentioned information, reboot, then make an IKEv2 tunnel with PSK to the Fortinet. In the VPN debug, the Fortinet should see the FQDN in the IKE negotiation.

0 Kudos
the_rock
Legend
Legend

I lied when I said fully licensed...well, its partially true, but only for another week lol

Anyway, let me know if anything is needed, not an issue.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events