Who rated this post

cancel
Showing results for 
Search instead for 
Did you mean: 
Dennis_M
Participant
Participant

HowTo Set Up Certificate Based VPNs with Check Point Appliances – R80.x edition

I am sure that the majority of CheckMates users sometime already stumbled upon the article "HowTo Set Up Certificate Based VPNs with Check Point Appliances - R77 edition" written by  @Danny . He is our instructor and CTO at ESC and has been working with Check Point Firewalls for almost two decades. 

With the new R80.x release an update to his great VPN article was needed. Here we go:

Preface

Securing virtual private networks (VPNs) in enterprise Site-to-Site environments is an important task for keeping the trusted network and data protected. Also it's critical to avoid any loss of data sovereignty.

When it comes to VPN security many security experts first think of encryption algorithms, perfect forward secrecy (PFS), Diffie-Hellman groups... and a long pre-shared key (PSK).

What about VPN certificates?

Every security expert knows how much better certificates are for gaining high security levels. Therefore certificates are always best practice in enterprise grade security environments.

However, most VPN Site-to-Site setups are still based on simple, long lasting pre-shared keys. In many cases these keys were even forgotten by the administrators in charge of keeping the network secure because once configured for the VPN tunnel they are not needed anymore.

This is because it's much quicker and really easy to set up a VPN with a simple pre-shared key than having to deal with certificates and a certificate authority (CA).

But the comfort of choosing PSKs over certificates does not only minimize your security level it also makes you vulnerable to potential attacks and is not as safe as you might expect. Even if you pick a long PSK! This is because tools like 'ike-scan' (also comes preinstalled with Kali Linux), pks-crack etc. make it really easy to crack your PSK. It's just a matter of time. ℹ️

As a rule of thumb: VPN certificates significantly increase VPN security!

So let's get started!

When working with VPN tunnels between Check Point gateways there is absolutely no reason not to use VPN certificates. 

image.png

We used the following setup : 

Gateway : Check Point Firewall & VPN

Management : Check Point SmartCenter (R80.40)

Remote Office : Check Point 1550 Appliance

(it is important to notice that the 1500 SMB appliances can only be centrally managed with R80.30 Jumbo Take_76  or R80.40 as mentioned in sk157412 and sk163296)

Centrally managed

Check Point is well-known for its superior security management solution to which all Check Point gateways are connected. This central management approach makes it remarkably easy to deploy security settings to all connected gateways with a single click on policy installation.

Check Point's security management is called SmartCenter Server (or Multi-Domain Security Management) and has a built-in internal certificate authority. This Internal CA enables the global use of certificates between all connected components and gateways right out-of-the-box.

image.png

Check Point automatically generates certificates whenever a new Check Point object is created, so you don't have to take care of certificate handling. Check Point does it all for you.

Bild3 bearbeitet.png

Establishing a certificate based VPN in centrally managed Check Point environments is as easy as 1-2-3.

First, create a VPN community for certificate based VPNs (Mesh or Star topology)

Bild4 bearbeitet.PNG

Now let's take a closer look at the settings of the created VPN community.

Check the "Accept all encrypted traffic on: " box and select the "Both center and satellite gateways" in the "Encrypted Traffic" tab.

image.png

Configure your preferred VPN encryption settings for Phase 1 (IKE) and Phase 2 (IPsec) and allow permanent tunnels if needed.

image.png

Leave the checkbox for pre-shared keys unchecked!

image.png

In the next step we want to activate and configure the needed IPSec VPN blade on the participating gateways. There are two possible options to do this. You can activate the blade in the “General Properties” tab on the gateway or during the installation when using the “Wizard Method”. 

Classic Method

Activate the IPSec VPN blade in the "General Properties" tab.

image.png

Choose your VPN community.

image.png

Activate NAT on the participant gateways.

image.png

..and select the VPN encryption domain of the specific object.

Gateway : 

image.png

RemoteOffice : 

image.png

(end of Classic Method)

Wizard Method

Activate IPSec VPN on your participant gateways.

image.png

Choose your VPN community and activate NAT

image.png

..and select the VPN encryption domain of the specific gateway.

image.png

When everything is set verify your VPN certificate and IPSec VPN community.

image.png

After you have configured the VPN topology for your VPN gateways you should add them to your VPN community (if not already done).

image.png

Finally, install the security policy.

image.png

The certificate based VPN tunnel is now up and working!

image.png

Should the connection to the SMB appliance (in our case the "RemoteOffice") get lost after the policy installation check the "Connection Persist" option and activate "Keep all connections". 

image.png

 

Locally managed

Check Point's 700 appliances are locally managed. So can be 1100 / 1400 / 1500 appliances. 

image.png

These SMB appliances have their own local CA!

First, let's export our Internal CA to the 1100 / 1400 / 1500 appliance at our remote office.

In SmartDashboard just navigate to Manage > Servers and OPSEC Applications... > internal_ca > Edit... > Local Security Management Server > Save As... and export the certificate.

1to local extended + save .png

Verify that the locally managed SMB appliance has Site-to-Site VPN enabled.

image.png

Import the internal_ca.crt file to your locally managed SMB appliance.

image.png

You may want to disable CRL checking if your Management as primary CRL Distribution Point can't be reached or isn't resolvable.

image.png

Easy, isn't it? Now we want to export the SMB appliance's certificate to our Management or (if you prefer) issue a certificate request to be signed by our management's Internal CA.

Option A - Export the SMB appliance's certificate

Highlight the Internal CA of our SMB appliance (NOT the one we just imported), then click "Export" and save the file.

image.png

Go to VPN >Certificates > Internal Certificates and copy the Certificate CN of the Internal VPN Certificate.

image.png

Create a VPN site for the certificate based VPN tunnel to our VPN Gateway and configure the site to use Certificate as authentification.

image.png

Don't forget to select the Remote Site Encryption Domain.

image.png

In the tab Advanced > Certificate Matching set the "Remote Site Certificate should be issued by" to our Management trusted CA's name and enable permanent tunnels if needed.

We are now finalizing our VPN setup in SmartDashboard on our Management.

Navigate to Manage > Servers and OPSEC Applications.. > New > CA > Trusted select OPSEC PKI and open the tab OPSEC PKI to import our saved SMB Internal CA file.

image.png

image.png

Again, you may want to disable CRL Checking if required.

image.png

You'll then find our imported SMB certificate 'CP1550' next to our internal_ca within the Trusted CA list of our Management.

image.png

(end of Option A)

Option B - Issue a certificate request

Go to VPN > Certificates > Installed Certificates and click New Signing Request to generate a new certificate.

Enter a Certificate name and Subject DN.

image.png

Export the signing request to a file.

image.png

Copy the content of the exported file.

image.png

On the Management start the ICA Management Tool (sk39915), go to Create Certificates and paste the certificate request into the PKCS#10 text box.

image.png

Create the signed certificate.

If required change the file name extension of the created certificate to .crt .

image.png

On the SMB appliance click 'Upload Signed Certificate', select the certificate and click 'Complete'.

image.png

(end of Option B)

Now simply create an Externally Managed Check Point Gateway for our SMB appliance and you are all set up and done.

image.png

When configurating the Matching Criteria for our SMB appliance, check the DN box and paste the subject of our SMB appliance Default Certificate if you took Option A.

image.png

In case of Option B first copy the DN of the created certificate from within ICA Management Tool.

image.png

Then paste it into the DN field of the VPN certificate as issued by our internal_ca.

image.png

Install the security policy.

image.png

And check out the working VPN tunnel.

image.png

 

 

Special thanks to @Ziegelsambach , @Joshua and @jannag !

Thank you.

(1)
Who rated this post