Re: Multiple IPsec VPN certificates

Martin_Raska · ‎2022-12-12

Hello,

do we support Multiple VPN certificates per GW? I mean GW should use different External VPN certificate per VPN community tunnel?

The partner manages one firewall of two different entities(customers), and each entity has its own CA which signs the VPN certificate used for IPSec VPN tunnel. There are two communities and two different VPN certificates.

Example:

Community A - use my.firewall.com signed by ICA-1

Community B - use my.firewall.com signed by ICA-2

Both certificates are imported in GW object under IPsec VPN tab, but when establishing VPN tunnels, GW is always sending the first certificate signed by ICA-1 no matter what tunnel is it.

_Val_ · ‎2022-12-12

I would rather advise defining your own CA as trusted with either partner and using your existing GW VPN cert.

Martin_Raska · ‎2022-12-12

So its not supported?

the_rock · ‎2022-12-12

Im fairly positive its supported, seen people have it that way and it works. Will see if I can find the process to make that work.

_Val_ · ‎2022-12-13

It is supported, but you must add a trusted CA for each certificate, which is unnecessary admin overhead.

PhoneBoy · ‎2022-12-12

Have you imported the public key for the other CA into a newly created OPSEC CA object?
Have you configured that CA as one of the trusted certificate authorities for that gateway?

Martin_Raska · ‎2022-12-13

I dont have access there but from the screenshot, I can see its done. The customer's CAs are imported as trusted.

The customer is already using it in this configuration - Community A - my.firewall.com signed by ICA-1 and its working.

They want to add this configuration - Community B - my.firewall.com signed by ICA-2

But in IKE negotiation for tunnel Community B, FW is sending only my.firewall.com signed by ICA-1 not the second one or all of them.

The question here is how can you tell GW which certificate should use it for each VPN tunnel? I am not aware of such configuration.

the_rock · ‎2022-12-13

Hey @Martin_Raska ...that is EXCELLENT question, it really is. Im trying so hard to find an email where I know customer had a process how to make this work. If I can find it, I will be more than happy to share.

G_W_Albrecht · ‎2022-12-13

As the policy of each GW is separated, peer should be defined as externally managed GW - containing a Certificate Matching Criteria, as in Traditional Mode VPN long times ago...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Martin_Raska · ‎2022-12-13

Peers are Interoperable devices and the Certificate matching criteria is for the peer to present the right certificate. Here we need to tell our GW to send the right one if you have more than one imported.

the_rock · ‎2022-12-13

You would not happen to have screenshot of that config, would you? However, if you do, would you mind share? Please blur out any sensitive info.

Martin_Raska · ‎2022-12-13

I am also trying to gather full VPN debug from the customer. GW is sending only the fw-pha CM certificate in IKE.elg

Martin_Raska · ‎2022-12-14

Reviewing debugs and we can see - Unrecognized CA, getCertToSend: looking for default cert to send, I am going to verify with the customer.

Martin_Raska · ‎2023-01-09

adding info: We have TAC ticket. The support says that GW should send all certificates for Auth., but this is not happening. There are three certs, two from public CA and one from internal CA. GW is always sending one certificate and the wrong one.

PhoneBoy · ‎2023-01-09

TAC is correct: that's what should happen (all certs are sent).
The fact it's not suggests a bug, which will require investigation by R&D with TAC's assistance.

Are you a member of CheckMates?

Multiple IPsec VPN certificates