Martin_Raska
Advisor

Multiple IPsec VPN certificates

Hello,

Do we support multiple VPN certificates per GW? I mean, should the GW use a different external VPN certificate per VPN community tunnel?

 

The partner manages one firewall for two different entities (customers), and each entity has its own CA which signs the VPN certificate used for the IPsec VPN tunnel. There are two communities and two different VPN certificates.

Example:

Community A - use my.firewall.com signed by ICA-1

Community B - use my.firewall.com signed by ICA-2

Both certificates are imported in the GW object under the IPsec VPN tab, but when establishing VPN tunnels, the GW is always sending the first certificate, signed by ICA-1, no matter which tunnel it is.

0 Kudos
14 Replies
_Val_
Admin

I would rather advise defining your own CA as trusted with either partner and using your existing GW VPN cert. 

0 Kudos
Martin_Raska
Advisor

So it's not supported?

0 Kudos
the_rock
Legend

I'm fairly positive it's supported; I've seen people have it that way and it works. I'll see if I can find the process to make that work.

_Val_
Admin

It is supported, but you must add a trusted CA for each certificate, which is unnecessary admin overhead.

0 Kudos
PhoneBoy
Admin

Have you imported the public key for the other CA into a newly created OPSEC CA object?
Have you configured that CA as one of the trusted certificate authorities for that gateway?

Martin_Raska
Advisor

I don't have access there, but from the screenshot I can see it's done. The customer's CAs are imported as trusted.

The customer is already using it in this configuration: Community A - my.firewall.com signed by ICA-1, and it's working.

They want to add this configuration: Community B - my.firewall.com signed by ICA-2.

But in the IKE negotiation for the Community B tunnel, the FW is sending only my.firewall.com signed by ICA-1, not the second one or all of them.

The question here is how you can tell the GW which certificate it should use for each VPN tunnel. I am not aware of such a configuration.

0 Kudos
the_rock
Legend

Hey @Martin_Raska ... that is an EXCELLENT question, it really is. I'm trying so hard to find an email where I know a customer had a process for how to make this work. If I can find it, I will be more than happy to share.

G_W_Albrecht
Legend

As the policy of each GW is separate, the peer should be defined as an externally managed GW containing Certificate Matching Criteria, as in Traditional Mode VPN a long time ago...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Martin_Raska
Advisor

The peers are interoperable devices, and the certificate matching criteria are for the peer to present the right certificate. Here we need to tell our GW to send the right one if you have more than one imported.

 

the_rock
Legend

You wouldn't happen to have a screenshot of that config, would you? If you do, would you mind sharing it? Please blur out any sensitive info.

0 Kudos
Martin_Raska
Advisor

I am also trying to gather a full VPN debug from the customer. The GW is sending only the fw-pha CM certificate in IKE.elg.

 

(attachment: Screenshot_1.jpg)

Martin_Raska
Advisor

Reviewing the debugs, we can see "Unrecognized CA, getCertToSend: looking for default cert to send". I am going to verify with the customer.

0 Kudos
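The debug line quoted above ("Unrecognized CA ... looking for default cert to send") is the behaviour a generic IKEv2 responder shows when the CA the peer asks for in its Certificate Request (CERTREQ) payload does not match the issuer of any local certificate, so it falls back to a default. The following is an added example, not Check Point code and not a description of the proprietary getCertToSend logic: it models certificate selection the way RFC 7296 section 3.7 defines it, where a CERTREQ with encoding 4 (X.509 Certificate - Signature) carries a concatenated list of SHA-1 hashes of the trusted CAs' SubjectPublicKeyInfo. The CA names ICA-1, ICA-2 and "internal CA" come from the thread; the key bytes and the helper names are constructed for the example.

```python
"""Model of IKEv2 certificate selection driven by the peer's CERTREQ payload.

Added example (not Check Point code). Behaviour follows RFC 7296 section 3.7:
CERTREQ encoding 4 lists SHA-1 hashes of trusted-CA SubjectPublicKeyInfo blobs,
and the responder picks a local certificate whose issuer key hash is listed.
All SPKI byte strings below are constructed test data, not real DER.
"""
import hashlib
from dataclasses import dataclass

X509_SIG = 4      # IKEv2 Cert Encoding value "X.509 Certificate - Signature"
HASH_LEN = 20     # SHA-1 digest length used in the CERTREQ CA list


@dataclass(frozen=True)
class LocalCert:
    name: str           # subject CN of the gateway cert, e.g. my.firewall.com
    issuer: str         # human-readable label of the issuing CA
    issuer_spki: bytes  # SubjectPublicKeyInfo of the issuing CA (constructed)


def spki_hash(spki: bytes) -> bytes:
    """Hash a CA's SubjectPublicKeyInfo the way CERTREQ expects (SHA-1)."""
    return hashlib.sha1(spki).digest()


def build_certreq(trusted_ca_spkis) -> bytes:
    """Encode the CERTREQ body the peer sends: encoding byte + hashes."""
    return bytes([X509_SIG]) + b"".join(spki_hash(s) for s in trusted_ca_spkis)


def parse_certreq(payload: bytes):
    """Split a CERTREQ body back into the list of 20-byte CA key hashes."""
    if not payload or payload[0] != X509_SIG:
        raise ValueError("unsupported certificate encoding in CERTREQ")
    body = payload[1:]
    if len(body) % HASH_LEN:
        raise ValueError("malformed CA hash list in CERTREQ")
    return [body[i:i + HASH_LEN] for i in range(0, len(body), HASH_LEN)]


def select_cert(local_certs, certreq: bytes, default_index: int = 0):
    """Return (cert, reason).

    A cert whose issuer key hash appears in the peer's CERTREQ wins. With no
    match we fall back to the default (first imported) cert, which mirrors the
    'Unrecognized CA ... looking for default cert' fallback seen in the thread.
    """
    wanted = parse_certreq(certreq)
    for cert in local_certs:
        if spki_hash(cert.issuer_spki) in wanted:
            return cert, "matched peer CERTREQ"
    return local_certs[default_index], "Unrecognized CA: sending default cert"


# Constructed CA keys for the three certificates described in the thread.
ICA1_SPKI = b"constructed-spki-of-ICA-1"
ICA2_SPKI = b"constructed-spki-of-ICA-2"
INTERNAL_SPKI = b"constructed-spki-of-internal-ca"

GATEWAY_CERTS = [
    LocalCert("my.firewall.com", "ICA-1", ICA1_SPKI),
    LocalCert("my.firewall.com", "ICA-2", ICA2_SPKI),
    LocalCert("my.firewall.com", "internal CA", INTERNAL_SPKI),
]


def negotiate(peer_trusted_spkis):
    """Simulate one IKE exchange: the peer lists its trusted CAs, we pick a cert."""
    return select_cert(GATEWAY_CERTS, build_certreq(peer_trusted_spkis))


if __name__ == "__main__":
    scenarios = [
        ("Community A peer", [ICA1_SPKI]),
        ("Community B peer", [ICA2_SPKI]),
        ("peer trusting an unknown CA", [b"constructed-spki-of-some-other-ca"]),
    ]
    for label, trusted in scenarios:
        cert, reason = negotiate(trusted)
        print(f"{label}: send {cert.name} signed by {cert.issuer} ({reason})")
```

The practical check this suggests: in the IKE debug, compare the CA hash the Community B peer puts in its CERTREQ against the SHA-1 of the SubjectPublicKeyInfo of the ICA-2 certificate actually imported on the gateway. If the peer requests a different CA (for example an intermediate rather than the root that was imported, or a renewed CA key), a selector like the one above never matches ICA-2 and falls through to the default ICA-1 certificate, which is exactly the symptom in the thread; if the hashes do match and the wrong cert is still sent, the selection logic itself is at fault.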
Martin_Raska
Advisor

Adding info: we have a TAC ticket. Support says that the GW should send all certificates for auth., but this is not happening. There are three certs, two from a public CA and one from an internal CA. The GW is always sending one certificate, and the wrong one.

0 Kudos
PhoneBoy
Admin

TAC is correct: that's what should happen (all certs are sent).
The fact it's not suggests a bug, which will require investigation by R&D with TAC's assistance.

0 Kudos
