Nik_Bloemers
Collaborator

VPN certificates

Hello CheckMates,

Does anyone know how to control which certificate gets sent in a certificate-based site-to-site VPN?
There's a nice repository of certificates available on the gateway, but it always seems to send the ICA signed certificate. We only want to use the ICA certificate for CP<->CP VPNs that are managed by the same management. We also have some third-party DAIP gateways we want to use another PKI infrastructure for (that already has CRL publicly available, unlike the CP ICA).

Any ideas how to accomplish this? Browsing the documentation and SKs for half a day didn't seem to reveal a solution.

Kind regards,

Nik

34 Replies
Danny
Champion

This can be configured in the gateway object > IPsec Site-to-Site VPN. There you can choose which certificate from the cert repository it has to use.

HowTo Set Up Certificate Based VPNs with Check Point Appliances

0 Kudos
Nik_Bloemers
Collaborator

I still don't quite understand how. I found that post yesterday and I know you can configure what CA the certificate of the other side has to belong to (with the Matching Criteria on the Interoperable Device) but I don't understand how to control the certificate that is sent from Check Point to the third party DAIP gateway. The post shows how to do it with an Externally Managed CP gateway, but the GW we're dealing with on the other end is not Check Point.
Danny
Champion

Setting up the ICA Management Tool

Best Practices - ICA Management Tool configuration

Expired certificates cannot be deleted from the Management Database

Basically you can just run "cpca_client  set_mgmt_tool on  -no_ssl" in expert mode of your SmartCenter, connect to the ICA Management Tool via http://SmartCenter-IP:18265/ and configure your certificates and turn off the Management Tool via "cpca_client  set_mgmt_tool off" afterwards.

0 Kudos
Nik_Bloemers
Collaborator

I don't see how the ICA Management Tool is going to help me. It's for downloading or revoking the ICA issued certificates.

I have 2 certificates available in the IPSEC VPN pane of the Check Point gateway:
1. the default Check Point ICA issued certificate
2. a certificate signed by our internal PKI infrastructure CA

What I need to know is how to configure Check Point to send the non-ICA certificate (2) to a third party VPN peer instead of the internal ICA one (1).
PhoneBoy
Admin

For these third party DAIP gateways, are they part of the same VPN community or a different one?
Malopro
Participant

On Management Server using Object Explorer you can create under Servers - Trusted CA an object that defines an external CA, you will need the Root CA Certificate ... Once done you can use Digital Certificates issued by that external CA for the VPNs that you need.

Simply add the Certificate under Gateway - IPSec VPN properties page!!

I did it myself a couple of times using Comodo issued Certificates!!!

Warm regards

Nik_Bloemers
Collaborator

As mentioned, I have the trusted CA certificate available under IPSec VPN tab along with the ICA certificate, it just doesn't send it to peers, it only sends the ICA certificate.
0 Kudos
_Val_
Admin

Why not use a preshared key, if your remote GWs are third party?

0 Kudos
Nik_Bloemers
Collaborator

Because they're DAIP. Check Point doesn't allow PSK for DAIP peers.
0 Kudos
G_W_Albrecht
Legend

So I would suggest using the CP internal CA's certificates - for S2S VPN this has no drawbacks...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Nik_Bloemers
Collaborator

But we have a PKI infrastructure for which the CRL is publicly available. This is not the case with CP PKI. It should be possible to use a different PKI infrastructure. It is also managed by different people than the CP ICA infrastructure. So there is a drawback.
0 Kudos
Nik_Bloemers
Collaborator

They are part of the same community since they are trusted locations. They just don't have Check Point gateways at those locations (yet).
0 Kudos
Malopro
Participant

Nik ...

I did it to establish a certificate-authentication-based Site to Site VPN with a Cisco appliance.

Did you delete the ICA Certificate on the IPSec VPN properties??

Regards

0 Kudos
Nik_Bloemers
Collaborator

@Malopro: indeed, I want to use the ICA certificate for the CP-CP centrally managed VPNs. Besides, what's the point of having a certificate repository if you can only actually use one certificate... Deleting the other certificate should not be the solution.
0 Kudos
Malopro
Participant

Uff ... forget my previous post ... you have Check Point and non-Check Point on the same community ...

Regards

0 Kudos
PhoneBoy
Admin

For the peers in question, do you have them configured to require presenting a certificate signed by a specific CA?
You would have to import and configure an OPSEC CA object.
This is described in the "Trusting an Externally Managed CA" section of the R80.30 Site-to-Site VPN guide: https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/htm...

Then you go into the external object and configure the matching criteria, as shown here:

Screen Shot 2019-12-13 at 11.17.16 AM.png

0 Kudos
Nik_Bloemers
Collaborator

Yes, I have the Matching Criteria enabled and that part works. The Check Point accepts the PKI signed certificate from the third party peer gateway properly (I have a one-way IKE Main mode), that's not the problem. The problem is that Check Point sends the ICA certificate to the third party, which is not trusted obviously and the negotiation fails. On the third party gateway I can easily configure what certificate to send to a peer, but on Check Point this seems either impossible or needlessly obscure, while they force you to use certs for authentication.
0 Kudos
PhoneBoy
Admin

Specifically, we force the use of certificates for DAIP gateways in particular as Pre-Shared Keys are not entirely secure in this configuration.
Trying to confirm with R&D if it's possible to use different certificates.
0 Kudos
Nik_Bloemers
Collaborator

Thank you. It would be really odd if it wasn't possible. What's the point of having a certificate repository for IPSec then... Also, it's something that's easily possible on even 10 year old ScreenOS devices. I can just select what certificate to use for a peer gateway from a simple dropdown.
0 Kudos
PhoneBoy
Admin

What R&D tells me is that it should not be necessary to configure which certificate our gateway sends.
The gateway should send the correct certificate automatically based on the IKE negotiation, which includes what CA(s) are considered valid for a given gateway.
This, of course, assumes the CA is trusted (i.e. configured as an OPSEC CA) and the gateway has a certificate issued by that CA.
That suggests a TAC ticket might be in order.

0 Kudos
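
The selection behaviour relayed from R&D above, as an added troubleshooting example that is not from the thread or from Check Point: in IKEv1 (the thread mentions Main Mode) the peer's Certificate Request payload (RFC 2408, section 3.10) carries the DER-encoded DN of a CA it accepts, and the certificate expected in reply is the local one whose issuer equals that DN. The CA names, certificate labels and payload bytes are constructed sample data; compare the result against what a debug capture shows the gateway actually sent.

```python
import struct

CERT_TYPE_X509_SIGNATURE = 4  # RFC 2408 section 3.9 certificate encoding value

def der_tlv(tag, body):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_dn_cn(common_name):
    """Build a DER Name with a single CN attribute (enough for sample data)."""
    oid_cn = der_tlv(0x06, bytes([0x55, 0x04, 0x03]))    # OID 2.5.4.3
    value = der_tlv(0x0C, common_name.encode("utf-8"))   # UTF8String
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, oid_cn + value)))

def build_certreq(ca_dn_der, next_payload=0):
    """Build a CERTREQ: next payload, reserved, length, cert type, CA DN."""
    body = bytes([CERT_TYPE_X509_SIGNATURE]) + ca_dn_der
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_certreq(payload):
    """Split a CERTREQ payload into (cert_type, ca_dn_der)."""
    if len(payload) < 5:
        raise ValueError("truncated CERTREQ payload")
    _next, _reserved, length, cert_type = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("payload length field does not match data")
    return cert_type, payload[5:length]

def select_certificate(local_certs, certreq_payloads):
    """Return labels of local certs whose issuer DN matches a requested CA."""
    wanted = set()
    for payload in certreq_payloads:
        cert_type, ca = parse_certreq(payload)
        if cert_type == CERT_TYPE_X509_SIGNATURE and ca:  # empty = no CA named
            wanted.add(ca)
    # Byte-wise DER comparison: differing string types would not match here.
    return [label for label, issuer in local_certs if issuer in wanted]

# Constructed sample data (hypothetical names): the gateway's two certificates
ICA_DN = der_dn_cn("example-mgmt ICA")
PKI_DN = der_dn_cn("Example Corp Issuing CA")
LOCAL_CERTS = [("ica-cert", ICA_DN), ("corp-pki-cert", PKI_DN)]

if __name__ == "__main__":
    print(select_certificate(LOCAL_CERTS, [build_certreq(PKI_DN)]))
```
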
Nik_Bloemers
Collaborator

Thanks for the information. It's good to know how it's supposed to work, though I find it very odd that as the admin I can't decide what cert gets sent, but CP does it on its own. The CA should be correctly trusted (since the Check Point side accepts the certificate sent by the peer no problem, I get a Main Mode complete for that), but the other side doesn't accept the certificate obviously since it receives the default cert instead of the cert signed by the same CA. I will see about contacting TAC. We might just go with a slightly different setup because of the way Check Point handles this.

0 Kudos
_Val_
Admin

@Nik_Bloemers IKE phase one completion usually means both sides trust their certificates. 

You also can add externally issued certificates for your managed GWs.

Screenshot 2019-12-18 at 09.24.34.png

0 Kudos
Nik_Bloemers
Collaborator

The peer clearly rejects the certificate, it's visible in the logging of that device (and it shows which certificate it has received). Why the CP side says Main Mode completion I don't know. I guess the CP side built an IKE SA successfully, since it has received a valid certificate.
Not sure what you mean by your second remark/screenshot. As stated a few times the externally issued certificate was added to the repository successfully, it's just not being sent to the peer (only the default ICA signed one is).
PhoneBoy
Admin

Which, again, suggests a TAC case might be in order.
0 Kudos
wpronk
Explorer

Good afternoon,

We want just the same as described above, is there a solution or hotfix available for this problem?

Kind regards,

Wesley Pronk

0 Kudos
nedomskiy
Explorer

We've got the same issue on R80.20. Only the ICA certificate is sent toward the interoperable device.
Is there a solution to fix this behavior?

Regards,
Ivan

0 Kudos
nedomskiy
Explorer

We've got the same problem.
Is there a solution to fix this behavior?

Regards,
Ivan

0 Kudos
PhoneBoy
Admin

As suggested elsewhere in this thread, best to open a TAC case.

0 Kudos
spottex
Contributor

Hi All,

Did anyone get a resolution for this?

It would be good to know as our issue is even more retarded.

We have the ICA plus 3 PKI certs from different root CAs.
We updated the cert at the bottom of the list that was expiring.

In the previous packet within a debug we see the third party requesting a cert from the correct root CA.

Passing the ICA and the first PKI cert, the Check Point sends the cert from a different CA (from the request), that is directly above the new cert.

Just interested while I call TAC.

0 Kudos