Hi Everyone,
Scenario:
I have a banking client; they have a standalone setup (Sec GW + Sec MGMT, 6400). They have 4 S2S VPNs using certificates for authentication, signed by BCS.
They want to add a new device (6400) to form a Full HA Cluster (I followed sk104699) and will keep the old firewall IP as the cluster IP.
Queries:
1. Will there be a problem with the S2S VPNs after forming the Full HA cluster?
2. Will the existing certificate still be valid after creation of the cluster?
3. If #2 is not valid anymore, do I need to generate an individual cert for each device, or just one?
Hoping for response and guidance.
Thanks in Advance!
Have you already added the new gateway as a firewall object in SmartConsole?
If so, maybe just try to create a new cluster object. In this object, add the current firewall and the new one.
Then see what happens in the VPN section: whether you see a new certificate or the current one you use.
Then make sure to cancel all changes and do not publish. Also make a snapshot of mgmt to be sure.
Hi Lesley,
Appreciate your response.
This is a banking client. Our procedural steps must be accurate.
I'm planning to take a backup, replicate it in the lab and try your advice.
Regards,
I personally would not go for Full Management HA as this is not a good setup! If possible, use SMS in a VM and a 6400 GW HA cluster.
Hi @Elmoki
These are my basic findings, but why do you want to create a new certificate? You will (want to) sign it with the Bank's PKI?
A short piece of advice:
When you create the new cluster object, compare the object settings with the simple cluster settings (e.g. Connection Persistence). This step could avoid a lot of inconvenience. 🙂
Akos
Hi AkosBakos,
Thanks for your response.
The certificate has to be signed by BCS.
Since the new GW will have a new certificate, should it be signed by BCS too? Otherwise, when failover is triggered, the VPN connection will not work?
Best Regards,
Hi @Elmoki
Cluster members must be the same. However, when we talk about a 3rd party VPN cert, this is policy related, as far as I know.
Under: Cluster Object -> IPSec VPN -> Repository of Cert.........
After a failover, you can check the cert easily with openssl:
#openssl s_client -connect google.com:443
Overall, I think you should have the new GW's cert signed by BCS, because the GAIA portal will use that (new) certificate.
Akos
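The failover check suggested above, written out as an added example (not from the thread or from Check Point): snapshot the certificate the cluster address presents before the failover, then compare it with a snapshot taken afterwards. Host, port and file names are assumptions; note that s_client shows the TLS certificate of the Gaia portal on that port, not the IKE certificate the S2S tunnels authenticate with.

```shell
#!/bin/sh
# Added example: compare the certificate a cluster address presents before
# and after a failover. HOST/PORT/file names below are placeholders.

# describe_cert: read a PEM certificate on stdin, emit the fields we compare
# (subject, issuer, expiry, SHA-256 fingerprint), one per line.
describe_cert() {
    openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256 \
        | sed -e 's/ *= */=/'      # normalise spacing across openssl versions
}

# snapshot_cert HOST PORT OUTFILE: fetch the leaf certificate presented on
# HOST:PORT with s_client and store its description in OUTFILE.
snapshot_cert() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | describe_cert > "$3"
}

# snapshot_from_pem PEMFILE OUTFILE: same description, but from a local
# certificate file (e.g. the BCS-signed cert you expect to be installed).
snapshot_from_pem() {
    describe_cert < "$1" > "$2"
}

# compare_cert_snapshots BEFORE AFTER: return 0 when the same certificate
# (same issuer, expiry and fingerprint) is presented, 1 when it changed.
compare_cert_snapshots() {
    if cmp -s "$1" "$2"; then
        echo "same certificate presented before and after failover"
        return 0
    fi
    echo "certificate changed after failover:"
    echo "--- before"; cat "$1"
    echo "--- after";  cat "$2"
    return 1
}

# check_issuer SNAPSHOT EXPECTED_CA: return 0 when the issuer names EXPECTED_CA.
check_issuer() {
    grep -i '^issuer=' "$1" | grep -q -- "$2"
}

# Typical use (placeholder address): run the first line before failover,
# trigger the failover, then run the remaining lines.
#   snapshot_cert cluster-vip.example 443 /tmp/cert.before
#   snapshot_cert cluster-vip.example 443 /tmp/cert.after
#   compare_cert_snapshots /tmp/cert.before /tmp/cert.after
#   check_issuer /tmp/cert.after "BCS"
```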
When you do full HA (or even just Management HA), the nodes share the Internal CA.
Which means this should work.
However, I would advise against Full HA, opting for Smart-1 Cloud or a separate on-premise management (either an appliance or VM).