Elmoki
Participant

Using Certificate Authentication for S2S VPN in Full HA standalone setup

Hi Everyone,

Scenario:
I have a banking client; they have a standalone setup (Sec GW + Sec MGMT, 6400). They have 4 S2S VPNs using certificates for authentication, signed by BCS.
They want to add a new device (6400) to form Full HA Cluster (I followed sk104699) and will keep the old firewall IP as the clustered IP.

Queries:
1. Will there be a problem with S2S VPN after forming Full HA cluster?
2. Will the existing certificate still be valid after creation of the cluster?
3. If #2 is not valid anymore, do I need to generate an individual cert for each device or only one?

Hoping for response and guidance.

Thanks in Advance!

7 Replies
Lesley
Leader

Have you already added the new gateway as firewall object to SmartConsole?

If so, maybe just try to create a new cluster object. In this object add the current firewall and new one.

Then see what will happen in the VPN section if you see a new certificate or the current one you use.

Then make sure to cancel all changes and do not publish. Also make a snapshot of the mgmt to be sure.

-------
If you like this post please give a thumbs up(kudo)! 🙂
Elmoki
Participant

Hi Lesley,

Appreciate your response.

This is a banking client. Our procedural steps must be accurate.

I'm planning to take out the backup, replicate it in the lab and try your advice.

Regards,

G_W_Albrecht
Legend

I personally would not go for Full Management HA as this is not a good setup! If possible, use an SMS in a VM and a 6400 GW HA cluster.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
AkosBakos
Leader

Hi @Elmoki 

  1. The S2S settings are stored in the Policy Package (PSK etc.), so if you don't change the policy there will be no issues.
  2. The new GW will have a new certificate
  3. The certificate generation happens automatically, and the issuer is the Internal CA

These are my basic findings, but why do you want to create a new certificate? Do you want to sign it with the Bank's PKI?

A short piece of advice:

When you create the new cluster object, compare the object settings with the simple cluster settings (e.g. Connection Persistence). This step could avoid a lot of inconvenience. 🙂

Akos

----------------
\m/_(>_<)_\m/
Elmoki
Participant

Hi AkosBakos,

Thanks for your response.

The certificate has to be signed by BCS.

Since the new GW will have a new certificate, should it be signed by BCS? Otherwise, when failover is triggered, the VPN connection will not work?

Best Regards,

AkosBakos
Leader

Hi @Elmoki 

Cluster members must be the same. However, when we talk about a 3rd-party VPN cert, this is policy related as far as I know.
Under: Cluster Object -> IPSec VPN -> Repository of Cert.........

[Screenshot: R81.20 SmartConsole (Cloud Demo Server), cluster object IPSec VPN certificate repository]

After a failover, you can check the cert easily with openssl:

# openssl s_client -connect google.com:443

Overall, I think you should have the new GW's cert signed by BCS, because the GAIA portal will use that (new) certificate.

Akos

----------------
\m/_(>_<)_\m/
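The openssl check in the reply above is read by eye; the script below is an added example (not from this thread, not Check Point's own tooling) that does the same thing from Python and pins the result: it connects to the cluster VIP, takes the SHA-256 fingerprint of whatever TLS certificate is presented, and compares it with the fingerprint of the BCS-signed certificate you expect. Run it once before and once after triggering the failover; both runs must report a match. Note that, like `openssl s_client`, it observes the certificate of the HTTPS service answering on that port (the Gaia portal, as Akos notes), not the certificate exchanged inside IKE for the S2S tunnel. The VIP, port, expected fingerprint and all function names are assumptions used for illustration; replace the placeholders with your own values.

```python
"""Added example: verify which TLS certificate a cluster VIP presents before
and after a failover, pinned to an expected SHA-256 fingerprint.

Not part of the original thread. CLUSTER_VIP, PORT and EXPECTED_SHA256 are
placeholders to replace with your own values.
"""
import hashlib
import socket
import ssl

CLUSTER_VIP = "192.0.2.10"                      # placeholder (TEST-NET-1 address)
PORT = 443
EXPECTED_SHA256 = "replace-with-expected-fingerprint"  # placeholder


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated uppercase hex
    (same layout as `openssl x509 -fingerprint -sha256`)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a PEM certificate as returned by ssl.get_server_certificate()."""
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def fetch_presented_cert(host: str, port: int, timeout: float = 5.0) -> str:
    """Return the PEM certificate the TLS server presents.

    Chain verification is deliberately disabled: the purpose is to see what the
    gateway presents after the failover (even a wrong or self-signed cert),
    not to validate it against a trust store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def cert_matches(pem: str, expected_sha256: str) -> bool:
    """True if the presented certificate has the pinned fingerprint.

    Comparison ignores case, colons and spaces so a fingerprint pasted from
    SmartConsole, openssl or a browser all compare equal.
    """
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(pem_fingerprint(pem)) == norm(expected_sha256)


def check_after_failover(host: str, port: int, expected_sha256: str) -> bool:
    """Fetch the cert from the VIP and report whether it is the pinned one.
    Run once before and once after the failover; both must return True."""
    pem = fetch_presented_cert(host, port)
    ok = cert_matches(pem, expected_sha256)
    print(f"{host}:{port} presents {pem_fingerprint(pem)} -> "
          f"{'OK' if ok else 'MISMATCH'}")
    return ok


# Constructed sample (not a real certificate): arbitrary bytes wrapped in PEM
# armor so the fingerprint helpers can be exercised offline.
SAMPLE_DER = b"constructed-der-bytes-for-offline-test"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    check_after_failover(CLUSTER_VIP, PORT, EXPECTED_SHA256)
```

A mismatch after the failover means the surviving member is presenting a different certificate than the one you pinned, which is exactly the situation the question in this thread is trying to rule out before touching the production cluster.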
PhoneBoy
Admin

When you do full HA (or even just Management HA), the nodes share the Internal CA.
Which means this should work.

However, I would advise against Full HA, opting for Smart-1 Cloud or a separate on-premise management (either an appliance or VM).
