This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
marcyn
Collaborator
Collaborator
‎2022-10-03 03:03 AM

Site-2-Site VPN between Check Points SGs - using ICA, external CA, PSK

Hi CheckMates guys,

Last week I helped one of our Customers with Mgmt server migration from one DC to another DC.
Instead of using traditional approach using migrate_server tool we decided to just create HA Mgmt and make full sync between them.
Because in new DC Mgmt server should have different IP we had to regenerate licenses, tune some files a little bit (eg. HKTL_registry.data), and a little more.

In the end everything worked (more or less) as expected ... besides one Site-2-Site tunnel.
It was tunnel between two Check Point's clusters managed by this Mgmt server - so in this case using PKI.
Rest of tunnels were with 3rd parties using PSK, and they worked flawlessly.

We had some issues with logs (couldn't display them) and because of that I didn't see what was the error with this s2s tunnel.
Tcpdumps, vpn debugs also didn't help here.
In the end we solved this issue - problem was with CRL distribution point - SGs couldn't reach it.
It was configuration error - these SGs are using proxy server ... and we forgot to change IP after moving SMS from one DC to another. After correction everything was fine.

 

And ... after this maybe too long description ... I have couple of questions to you - maybe some of you faced the same issues and have solution:

1) as far as I know if we have in IPSec configuration internal certificate (signed by ICA) and other certificate (signed by external CA) - preferred one by SGs will be this external. However if we go to IPSec VPN > Traditional mode configuration > select Public Key Signatures > Specify ... we can see "The gateway can use any of its certificates".
So it means that it can be either this one from ICA or this external one.
If I would like to force this gateway to always use for example this signed by ICA I can select option "The gateway must use a certificate issued by this Certificate Authority" and choose internal_ca.
But it will mean that for all s2s tunnels using PKI it will be that certificate - always.
My question is - is there any way to select different certificates for different VPN Communities ?
I mean that if I will have for example two VPN Communities using PKIs for authentication (each with different SGs) I want that with SG1 they should authenticate with internal certificate, and with SG2 with this external one.

2) is there any way to disable CRL verification ? I mean that connection should be possible also when CRL distribution point couldn't be reached ?

3) Last question - is there really no option to have PSK authentication between locally managed gateways ?

--
Best
Marcin

0 Kudos
2 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-10-03 03:07 AM

For your information:

sk100731: VPNs go down within 24 hours after primary Security Management server goes down

sk21156: Disabling CRL checking when authenticating with certificates

CCSM R77/R80/ELITE
0 Kudos
marcyn
Collaborator
Collaborator
‎2022-10-03 03:18 AM
In response to Chris_Atkinson

Hi Chris,

Thank you for turbo fast reply regarding CRL.

I already know first SK you mentioned - but this is not my case, since we only had HA Mgmt for migration, and after that we don't have HA Mgmt. So there is only one Mgmt Server at the moment.
Problem was with this external certificate and it's CRL DP - because of wrong proxy configuration.

Regarding 2nd SK ... ok - I was looking at this object (Trusted CA) but didn't thought that by simply unchecking "HTTP Server(s)" will just disable this verification ... eh, silly me.

So it looks like 2nd question is answered.

--
Best
Marcin

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events