Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Miguel_Garcia
Contributor

VPN connection with a DAIP gateway

Hi everybody,

 I am currently working with a R80.10 CheckPoint. I need to stablish a VPN connection with a peer (no checkpoint device), so I have to configure my side to allow this connection.

The problem is that this external peer has a dynamic IP address (which can be obtained by its FQDN). I am not sure if I have to use certificates to authenticate the peer or not, but I issued one .p12 file with cpca_client tool. I created an "Interoperable device" and y configure matching criteria options to check with the certificate.

My question is: Is the certificate necessary to authenticate the peer against the R80.10? If it is correct, Am i doing it correctly?

Thanks beforehand,

Mike.

8 Replies
Neville_Kuo
Advisor

You may use preshare key in vpn community configuration for easier deployment.

0 Kudos
Miguel_Garcia
Contributor

Hi, thanks for your answer.

I would like to do that but CheckPoint does not allow using PSK in hosts with dynamic address. I can't close host dialog window without configure certificate matching criteria. When I do that, PSK is not available for dynamic IP host...

That is the reason why I think some certificate is necessary  to establish VPN connection against dynamic IP peers, but I am not sure about that.

Neville_Kuo
Advisor

Sorry, you're right, DAIP 3rd party device can't use preshare key to establish vpn:

S2S VPN between Check Point Security gateway and Cisco DAIP 

You may refer to SK94028, but it's only for check point devices.

Maybe try DDNS?

Miguel_Garcia
Contributor

Yes, I am using DDNS in "link options" inside interoperable device dialog. However, It seems that when ip changes, the VPN can't be established again. May be the certificate is needed to authenticate even if I use DDNS, one thing is the name resolution and other thing is the authentication..so it makes sense.

The link that you reported me is very usefull thanks, I need some oficial documentation about that.

PhoneBoy
Admin
Admin

As noted in the thread, if your VPN endpoint has a dynamic IP, you can only authenticate with certificates, not pre-shared secret.

Authenticating with a pre-shared secret when the remote IP is not known can be insecure, particularly if you choose a PSK that is weak or easy to crack.

A little more details here: Considerations about IPsec Pre-Shared Keys | Blog Webernetz.net  

0 Kudos
William_Gutierr
Participant

Hello Dameon Welch Abernathy

Maybe this is not part of this thread, but let me fly away from my imagination and ask you the following:

  • What if the endpoint DAIP is a Checkpoint Gateway? And more: what if this specific DAIP Checkpoint is managed by a remote office?
0 Kudos
_Val_
Admin
Admin

Hi William Gutierres‌, Dameon Welch Abernathy‌ is enjoing his time off this week.

To answer your questions:

            Q: What if the endpoint DAIP is a Checkpoint Gateway?

     A: No problem at all if the GW is centrally managed and is connected to the central GW. Just define it as a DIAP managed GW. Certificates are signed by the same CA, no problem, very standard configuration. SMS shoul be accessible from Internet on for standard Check POint network services.

      Q: what if this specific DAIP Checkpoint is managed by a remote office?

      A: I take it as it belongs to a different SMS in the remote office. In this case trust should be established between SMS CAs on each end. Both SMSs should also have CRL Distribution Point accessible from Internet, so each of the GWs on each side could validate a foreign certificate.

Rade_Bebek
Participant

Hello all,

@Miguel

I don't know what is your 3rd party? In my situation I must create vpn site to site with Mikrotik Device. I use DDNS but don't know how create certificate? Are use self signed certificate, or use services Global Sing or similar?

Location with Mikrotik is our remote location.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events