bSingh
Participant

Significance of Gateway Certificate when we have Pre-shared Keys based S2S VPNS

Hello Team, 

Can someone help me understand the significance of the certificate when we are not using it for S2S VPN:


Issue: S2S VPNs between Check Point gateways weren't working; we identified expired certificates. Renewing them resolved the problem. We renewed the certificate on both gateways. It's a mesh topology in a hub-and-spoke deployment. Only the Check Point gateways are affected; the other spokes in the community, which are not Check Point gateways, are working fine.

Queries:

  1. In a pre-shared key VPN deployment (meshed/star topology), is a certificate necessary? If yes, why? What is the significance of this certificate?
  2. Are the renewed certificates signed by the CMA?
  3. The current certificate is renewed for a year. Is there a provision for extending the renewal period or adjusting the expiration date?
  4. Can you share the SNMP traps so that we can actively monitor it?

Accepted Solution
_Val_
Admin

Some answers:

  1. The default VPN authentication for S2S VPN is certificate-based. Pre-shared key is considered less secure and is only supported for cases when your VPN peer belongs to another security domain.
  2. GW VPN certificates, like all other internal certificates, are signed by your domain CA.
  3. The default expiration period for VPN certificates is one year for all supported versions. You can extend it to three years, see sk176527.
  4. AFAIK, there are no SNMP traps for certificates. However, there are multiple other means to follow up on and check the validity of GW VPN certificates. Look into sk104400, sk178304, sk102092 and sk97792. In essence, you will either have a SmartConsole warning, or you can run a CLI command to check.

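Since the answer above says there are no SNMP traps and the default VPN certificate lifetime is one year, a small expiry audit is one way to get the proactive monitoring the question asks for. This is an added example, not Check Point's own tooling or a command from the thread: it assumes each gateway's VPN certificate has been exported in PEM form and that the `notAfter=` line printed by `openssl x509 -noout -enddate` has been collected per gateway (the inventory below is constructed sample data).

```python
"""Flag gateway VPN certificates that are expired or close to expiry.

Input per gateway is the `notAfter=...` line from
`openssl x509 -in <gw>.pem -noout -enddate` (assumed collection step).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: gateway name -> OpenSSL enddate line.
SAMPLE_INVENTORY = {
    "hub-gw": "notAfter=Mar  1 12:00:00 2025 GMT",
    "spoke-gw-1": "notAfter=Jun 15 08:30:00 2025 GMT",
    "spoke-gw-2": "notAfter=Jan 10 00:00:00 2024 GMT",
}

# Fixed reference time so the audit below is reproducible (constructed).
REFERENCE_NOW = datetime(2025, 2, 15, 12, 0, 0, tzinfo=timezone.utc)


def parse_not_after(line: str) -> datetime:
    """Turn an OpenSSL `notAfter=` line into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    # OpenSSL pads single-digit days with two spaces ("Mar  1"); collapse them.
    value = " ".join(value.split())
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def classify(not_after: datetime, now: datetime, warn_days: int = 30) -> str:
    """EXPIRED at or past notAfter, EXPIRING inside the warning window, else OK."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "EXPIRED"
    if remaining <= timedelta(days=warn_days):
        return "EXPIRING"
    return "OK"


def audit(inventory: dict, now: datetime, warn_days: int = 30) -> dict:
    """Return {gateway: (status, whole days left)}; days left is negative once expired."""
    report = {}
    for gateway, line in inventory.items():
        not_after = parse_not_after(line)
        report[gateway] = (classify(not_after, now, warn_days), (not_after - now).days)
    return report


if __name__ == "__main__":
    for gateway, (status, days) in audit(SAMPLE_INVENTORY, REFERENCE_NOW).items():
        print(f"{gateway:12} {status:9} {days:>5} days")
```

Run it from cron against a real inventory with `datetime.now(timezone.utc)` in place of `REFERENCE_NOW`, and raise an alert on anything that is not `OK`.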
bSingh
Participant

Thanks Val for sharing the information.