Hello,
Do we support multiple VPN certificates per GW? I mean, should the GW use a different external VPN certificate per VPN community tunnel?
The partner manages one firewall for two different entities (customers), and each entity has its own CA which signs the VPN certificate used for the IPsec VPN tunnel. There are two communities and two different VPN certificates.
Example:
Community A - use my.firewall.com signed by ICA-1
Community B - use my.firewall.com signed by ICA-2
Both certificates are imported into the GW object under the IPsec VPN tab, but when establishing VPN tunnels, the GW always sends the first certificate signed by ICA-1, no matter which tunnel it is.
I would rather advise defining your own CA as trusted with either partner and using your existing GW VPN cert.
So it's not supported?
I'm fairly positive it's supported; I've seen people have it that way and it works. Will see if I can find the process to make that work.
It is supported, but you must add a trusted CA for each certificate, which is unnecessary admin overhead.
Have you imported the public key for the other CA into a newly created OPSEC CA object?
Have you configured that CA as one of the trusted certificate authorities for that gateway?
I don't have access there, but from the screenshot I can see it's done. The customer's CAs are imported as trusted.
The customer is already using it in this configuration - Community A - my.firewall.com signed by ICA-1 and its working.
They want to add this configuration - Community B - my.firewall.com signed by ICA-2
But in IKE negotiation for tunnel Community B, FW is sending only my.firewall.com signed by ICA-1 not the second one or all of them.
The question here is how you can tell the GW which certificate it should use for each VPN tunnel. I am not aware of such a configuration.
Hey @Martin_Raska ...that is an EXCELLENT question, it really is. I'm trying so hard to find an email where I know a customer had a process for how to make this work. If I can find it, I will be more than happy to share.
As the policy of each GW is separate, the peer should be defined as an externally managed GW containing Certificate Matching Criteria, as in Traditional Mode VPN a long time ago...
Peers are Interoperable devices and the Certificate matching criteria is for the peer to present the right certificate. Here we need to tell our GW to send the right one if you have more than one imported.
You would not happen to have a screenshot of that config, would you? If you do, would you mind sharing? Please blur out any sensitive info.
I am also trying to gather full VPN debug from the customer. GW is sending only the fw-pha CM certificate in IKE.elg
Reviewing the debugs, we can see: "Unrecognized CA, getCertToSend: looking for default cert to send". I am going to verify with the customer.
Adding info: We have a TAC ticket. Support says that the GW should send all certificates for authentication, but this is not happening. There are three certs, two from public CAs and one from an internal CA. The GW is always sending one certificate, and the wrong one.
TAC is correct: that's what should happen (all certs are sent).
The fact it's not suggests a bug, which will require investigation by R&D with TAC's assistance.
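To make the debug line quoted above ("Unrecognized CA, getCertToSend: looking for default cert to send") concrete, here is an added example that models the IKEv2 certificate-selection step in Python. It is not Check Point code and does not reproduce the gateway's internal logic; it is a simplified model based on RFC 7296 section 3.7, where the peer's CERTREQ payload carries SHA-1 hashes of the SubjectPublicKeyInfo of the CAs it trusts, and the responder picks the local certificate(s) whose issuer matches, falling back to a default certificate when no issuer is recognised. The CA names follow the thread (ICA-1, ICA-2); the SPKI byte strings, the certificate list, and the function names are constructed for the example.

```python
import hashlib

# Constructed sample data (not real keys): each CA's DER SubjectPublicKeyInfo
# is stood in for by a short byte string, since only its SHA-1 hash matters here.
CA_SPKI = {
    "ICA-1": b"constructed-spki-of-ICA-1",
    "ICA-2": b"constructed-spki-of-ICA-2",
    "InternalCA": b"constructed-spki-of-internal-ca",
}


def spki_hash(spki: bytes) -> bytes:
    """SHA-1 of a CA's SubjectPublicKeyInfo, the form used in an IKEv2 CERTREQ (RFC 7296, 3.7)."""
    return hashlib.sha1(spki).digest()


# The gateway's imported VPN certificates (constructed): same subject, different issuers,
# as in the thread. issuer_hash is what the selection step compares against CERTREQ.
GATEWAY_CERTS = [
    {"subject": "my.firewall.com", "issuer": "ICA-1", "issuer_hash": spki_hash(CA_SPKI["ICA-1"])},
    {"subject": "my.firewall.com", "issuer": "ICA-2", "issuer_hash": spki_hash(CA_SPKI["ICA-2"])},
    {"subject": "my.firewall.com", "issuer": "InternalCA", "issuer_hash": spki_hash(CA_SPKI["InternalCA"])},
]


def build_certreq(trusted_ca_spkis):
    """What a peer sends in CERTREQ: the concatenated SHA-1 hashes of the CAs it trusts."""
    return b"".join(spki_hash(spki) for spki in trusted_ca_spkis)


def parse_certreq(payload: bytes):
    """Split a CERTREQ payload back into its 20-byte SHA-1 entries."""
    if len(payload) % 20 != 0:
        raise ValueError("malformed CERTREQ: length is not a multiple of 20")
    return {payload[i:i + 20] for i in range(0, len(payload), 20)}


def select_certs(local_certs, certreq_payload: bytes, default_index: int = 0):
    """Return (certs_to_send, reason).

    'matched'  -> every local cert whose issuer the peer listed in CERTREQ
    'default'  -> no issuer recognised, so the default (first imported) cert is sent,
                  which is the path the 'looking for default cert to send' debug line describes
    """
    wanted = parse_certreq(certreq_payload)
    matches = [c for c in local_certs if c["issuer_hash"] in wanted]
    if matches:
        return matches, "matched"
    return [local_certs[default_index]], "default"


if __name__ == "__main__":
    # Peer in Community B trusts only ICA-2: the ICA-2 certificate should be selected.
    certs, why = select_certs(GATEWAY_CERTS, build_certreq([CA_SPKI["ICA-2"]]))
    print(why, [c["issuer"] for c in certs])
    # Peer trusts a CA the gateway has never seen: selection falls back to the default cert.
    certs, why = select_certs(GATEWAY_CERTS, build_certreq([b"constructed-spki-of-unknown-ca"]))
    print(why, [c["issuer"] for c in certs])
```

The second case is the one worth checking when a gateway keeps presenting the wrong certificate: if the peer's CERTREQ names a CA whose hash does not match any imported certificate's issuer (for example because the wrong CA certificate, or an intermediate rather than the root the peer lists, was imported), the fallback path is taken and the default certificate is sent regardless of which community the tunnel belongs to. Comparing the CA hashes in the peer's CERTREQ against the issuers of the imported certificates is therefore a quick way to tell a selection bug from a trust-configuration mismatch.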