CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
LAN_A ---CP_A -----Internet-----CP_B----LAN_B

Both CP_A and CP_B are running NGX R61 with HFA_01 on Nokia IP380, IPSO 4.1 build 28. I have a VPN between LAN_A and LAN_B using a pre-shared key and it is working great. I want to use certificate-based VPN instead of a pre-shared key. The Certificate Authority (CA) server will be a Microsoft CA server sitting on the Internet with IP address 4.2.2.2. Does anyone have instructions on how to accomplish this? Thanks.
Is there some reason you cannot use the built-in Check Point Internal Certificate Authority on the management server? Are these firewalls managed by the same SmartCenter or different ones?

Ray
Hmmm.... maybe off-topic, but unless you are with Level3 Communications, how are you using 4.2.2.2 as your certificate server? That IP is a public DNS server.

__________________
There's no place like 127.0.0.1
You will need to generate the certs and import them into the gateways (in the VPN section). You will also need to create a host for the CA and a new trusted CA under "Servers". There you will import the CA's root certificate.
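As an added example (not posted by anyone in this thread), a small POSIX shell check you can run on the files before importing them: it confirms that the gateway certificate really chains to the CA root you are about to trust, is not close to expiry, and carries the identity the VPN peer will match on. The CA, hostnames and paths are constructed for the demo; the `check_gateway_cert` function is the reusable part.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity-check a third-party CA root and a
# gateway certificate before importing them into a VPN gateway. Only openssl is used.
set -eu

# Build a throw-away CA and one gateway certificate under $1 (constructed demo PKI).
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=cp_b.example.test" -keyout "$dir/gw.key" -out "$dir/gw.csr" 2>/dev/null
  printf 'subjectAltName=DNS:cp_b.example.test\n' > "$dir/san.cnf"
  openssl x509 -req -days 365 -sha256 -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/san.cnf" -in "$dir/gw.csr" -out "$dir/gw.pem" 2>/dev/null
}

# check_gateway_cert CA_PEM GW_PEM EXPECTED_FQDN
# Returns 0 only if GW_PEM verifies against CA_PEM, stays valid for at least 30 days,
# and lists EXPECTED_FQDN in its subjectAltName (the identity both VPN peers must agree on).
check_gateway_cert() {
  ca=$1; gw=$2; want=$3
  openssl verify -CAfile "$ca" "$gw" >/dev/null 2>&1 \
    || { echo "chain: FAIL ($gw does not chain to $ca)"; return 1; }
  openssl x509 -in "$gw" -noout -checkend 2592000 >/dev/null \
    || { echo "expiry: FAIL ($gw expires within 30 days)"; return 1; }
  openssl x509 -in "$gw" -noout -text | grep -q "DNS:$want" \
    || { echo "identity: FAIL (no DNS:$want in subjectAltName)"; return 1; }
  echo "OK: $gw chains to $ca and carries DNS:$want"
}
```

Run `make_demo_pki /tmp/pki && check_gateway_cert /tmp/pki/ca.pem /tmp/pki/gw.pem cp_b.example.test` to see it pass; point it at a root from a different CA and the chain check fails.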
Guys, I was able to get it to work. In NGX R61, Check Point allows you to use SCEP to automatically enroll a 3rd-party certificate. By the way, both CP_A and CP_B are being managed by different Provider-1 NGX. The 3rd party is a Microsoft CA server. 4.2.2.2 is a fake IP; I wouldn't want to put my real CA server on the Internet so that it can get hacked, right?

Now I have a different problem. I would like to make CP_A, which is now a Cisco ASA device, work with CP_B, which is an NGX firewall, in a site-to-site VPN with the Microsoft CA server. I've been trying to make it work for almost 2 months now without much luck. I have both Cisco and Nokia TAC involved but it is going nowhere. I cannot make changes in the requirements; this is what the customer wants. Any ideas?
"I wouldn't want to put my real CA server on the Internet so that it can get hacked, right?"

If you have implied rules enabled, try this trick: http://<externalIP>:18264

Ray
"I wouldn't want to put my real CA server on the Internet so that it can get hacked, right?"

I meant it in the sense that the CA server has a public IP, but it is not 4.2.2.2. I just did not want to disclose it in this public forum. Both CP_A and CP_B can get to the CA server fine without issues, and it works fine when both firewalls are Check Point or both firewalls are Cisco PIX, but not if CP_A is Check Point and CP_B is Cisco PIX. As I've said before, both Nokia TAC and Cisco TAC are scratching their heads about this. Will keep everyone posted.
I have been using an RSA certificate server for creating all my certs for use with Check Point since 2002. Makes a great way of making sure users are revoked... I started using it since at that time Check Point did not have a way of issuing certs and I needed non-user-ID-and-password authentication for SecureClient.

John