CheckMates > Products > Quantum > Remote Access VPN
How does certificate-based Remote Access VPN exchange certificates and keys?
Hello Everyone,
Recently I have deployed Remote Access VPN with the "Endpoint Security Client" for Windows. It is working fine, as it should, after following the Remote Access VPN User Guide and with TAC's help.
The deployment model is "Personal Certificate and Username Password":
1 - First the certificate gets authenticated, and then
2 - AD username and password.
But I still don't understand how PKI is working between my internal MS CA, the Check Point gateway and the Endpoint Security Client, where it looks into the CAPI store.
Could anyone please give insight into the certificate handling: how and where does the key get installed?
In the log I could see that "Key Install" and "Cookies" have been created.
How can I verify that I'm using the correct certificate, the one I exclusively created for this purpose from the internal MS CA and then imported into the Check Point gateway? I used the "cpopenssl" utility to create the initial .csr and my_key.key.
Regards,
B
I assume whatever LDAP profile you've created would also refer to that CA for authentication (though I don't remember offhand).
The client certificate has an identifier for the user itself.
Assuming the certificate presented by the client is for the correct user and is valid per the CA, that part of the authentication should succeed.
Thanks @PhoneBoy .
Where does the Check Point gateway keep the trusted certificates? Is there any list that I could see?
I would like to see my internal CA's certificate on the gateway. I'm using a VSX cluster with a Management Server.
Moreover, a detailed description or any Check Point document of the certificate trust process, showing the key exchange and key install steps, would help the community.
Thanks!
As I said, it's in the relevant Gateway (or VS) object.
You should see it listed here:
In my case, I only have the Internal CA.
If there are other CAs the gateway is configured to trust for VPN purposes, they should be listed here.
Also, there would be an object listed under Servers > Trusted CAs that would contain the CA Public Key.
In terms of validating certificates, we follow the various standards set forth in the RFCs for IPsec and IKE.
It's also shown visually in the product documentation: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SitetoSiteVPN_AdminGuide/Con... and IKE|_____0#IPsec_and_IKE
The "key install" message in the logs should show up once the DH key has been generated.
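Two checks cover the original poster's question ("am I using the certificate I created from my internal CA?") and the "valid per the CA" condition in the replies: does the private key belong to the certificate, and does the certificate chain to the CA the gateway is configured to trust? The script below is an added example, not code from this thread or from Check Point. It builds a throwaway test PKI with plain openssl (standing in for the internal MS CA and for the CSR/key the poster made with cpopenssl) so it runs offline; the file names my_key.key, my.csr, my.crt and ca.crt are constructed for the example, and ca.crt plays the role of the CA certificate held in the gateway's Trusted CAs object.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a VPN client certificate matches its
# private key and that it chains to the intended CA, using only openssl.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI (assumption: stands in for the internal MS CA and the user key/CSR
# the original poster created with cpopenssl). A second, unrelated CA is created so the
# negative cases can be demonstrated as well.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Test Internal CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/my_key.key" -out "$WORK/my.csr" \
        -subj "/CN=vpn-user@example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/my.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/my.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" \
        -subj "/CN=Unrelated CA" >/dev/null 2>&1
}

# key_matches_cert CERT KEY
# Hash the DER-encoded public key taken from the certificate and the one derived from the
# private key; comparing the whole SubjectPublicKeyInfo works for RSA and EC keys alike.
# Prints "match"/"mismatch" and returns 0 only on a match.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# cert_chains_to_ca CERT CAFILE
# Standard path validation against one trust anchor: signature, validity period and
# basic constraints are all checked by openssl verify. Returns 0 on success.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo run: the right key and CA pass, the wrong key and an unrelated CA fail.
make_test_pki
printf 'my.crt vs my_key.key: '; key_matches_cert "$WORK/my.crt" "$WORK/my_key.key" || :
printf 'my.crt vs other.key:  '; key_matches_cert "$WORK/my.crt" "$WORK/other.key" || :
if cert_chains_to_ca "$WORK/my.crt" "$WORK/ca.crt"; then
    echo "my.crt chains to ca.crt"
fi
if cert_chains_to_ca "$WORK/my.crt" "$WORK/other.crt"; then
    echo "unexpected: my.crt chains to other.crt"
else
    echo "my.crt does NOT chain to other.crt"
fi
```

On a real deployment, point key_matches_cert at the certificate exported from the gateway object and at my_key.key, and point cert_chains_to_ca at the CA certificate exported from the Trusted CAs object; a mismatch on the first check means the gateway is presenting a different certificate from the one you generated, and a failure on the second means the client-side trust decision will not succeed for that CA.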