CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: VPN with certificate between Cisco and Checkpoint

  1. #1
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    VPN with certificate between Cisco and Checkpoint

    I am thinking of writing a white paper for site-2-site VPN between Checkpoint firewalls and Cisco devices such as Cisco routers and Pix/ASA using Certificate Server (Microsoft CA or Cisco CA running on IOS).
    I've been able to get this working in my lab.

    Is this something that anyone in this forum is interested in? If so, let me know so that I can start the process.

    By the way, the white paper will be very detailed, from how to set up the certificate server to getting the devices (Checkpoint, Cisco) to authenticate and enroll, and getting the site-to-site VPN to work, with an example and results as well.

  2. #2
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    14

    Re: VPN with certificate between Cisco and Checkpoint

    It will be great.
    We have a big interest in this area

  3. #3
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    14

    Re: VPN with certificate between Cisco and Checkpoint

    Yes, of course this is possible. It's just a matter of installing/configuring the CA cert into the CheckPoint Management. It's an object you have to define.

    I don't recall if there are any additional steps. But beware, that the firewalls themselves will likely want to connect directly to the CRL URL listed in the CA cert.

  4. #4

    Re: VPN with certificate between Cisco and Checkpoint

    Quote Originally Posted by alienbaby View Post
    But beware, that the firewalls themselves will likely want to connect directly to the CRL URL listed in the CA cert.
    This is actually one of the most common problems we see with our customers. VPN tunnel sets up fine, everything is working, and then one day the VPN tunnels are down without any configuration changes being made. The reason? CRL is not accessible so the tunnel fails. Beware of this one.

  5. #5
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Re: VPN with certificate between Cisco and Checkpoint

    Quote Originally Posted by indeni View Post
    This is actually one of the most common problems we see with our customers. VPN tunnel sets up fine, everything is working, and then one day the VPN tunnels are down without any configuration changes being made. The reason? CRL is not accessible so the tunnel fails. Beware of this one.
    You can have a work around for this one. Make CRL "optional". In Cisco, the command is "crl optional" or "revocation-check none".
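    As an added illustration of the trade-off discussed in the two posts above (my own code, not from this thread or from Cisco or Check Point): a small Python model of a gateway's revocation decision under an ordered policy, with a constructed CA, two peer certificates and a CRL. Reading the IOS keyword order "revocation-check crl none" as "check the CRL, and skip the check only if no usable CRL can be obtained" is my assumption about the trustpoint syntax, not something the thread states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

class CrlUnreachable(Exception):
    """Raised by the fetcher when the CRL distribution point cannot be reached."""

@dataclass
class PeerCert:  # constructed stand-in for the fields a gateway reads from a peer cert
    serial: int
    issuer: str
    not_after: datetime
    crl_url: str  # CRL distribution point the CA embedded in the cert

@dataclass
class Crl:  # constructed stand-in for a fetched CRL (no ASN.1 parsing here)
    issuer: str
    next_update: datetime
    revoked: frozenset = field(default_factory=frozenset)

def validate_peer(cert, methods, fetch_crl, now):
    """Admit or reject a peer cert under an ordered revocation policy; methods
    mirrors an IOS trustpoint: ["crl"] = 'revocation-check crl', ["crl", "none"]
    = 'revocation-check crl none' (skip only if no usable CRL), ["none"] = none."""
    if now > cert.not_after:
        return False, "certificate expired"
    for method in methods:
        if method == "none":
            return True, "revocation check skipped by policy"
        try:
            crl = fetch_crl(cert.crl_url)
        except CrlUnreachable:
            continue  # CDP down: fall through to the next method, if any
        if crl.issuer != cert.issuer or now > crl.next_update:
            continue  # a stale or foreign CRL is no better than none
        if cert.serial in crl.revoked:
            return False, "certificate revoked"  # a later 'none' never overrides this
        return True, "CRL checked, not revoked"
    return False, "CRL unavailable and policy has no fallback"

def demo():
    """Constructed scenario: one CA, two peers, the policies above."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    good = PeerCert(0x1001, "CN=external_ca", now + timedelta(days=365), "http://ca.example.test/crl.pem")
    revoked = PeerCert(0x2002, good.issuer, good.not_after, good.crl_url)
    fresh = Crl("CN=external_ca", now + timedelta(days=7), frozenset({0x2002}))
    def down(url): raise CrlUnreachable(url)
    return {"strict_up": validate_peer(good, ["crl"], lambda u: fresh, now),
            "strict_down": validate_peer(good, ["crl"], down, now),
            "fallback_down": validate_peer(good, ["crl", "none"], down, now),
            "fallback_revoked": validate_peer(revoked, ["crl", "none"], lambda u: fresh, now)}
```

The "strict_down" case is the outage the posts describe: nothing changed on either gateway, only the CRL became unreachable. The "fallback_revoked" case shows that the fallback still rejects a certificate the CA has actually revoked.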

  6. #6
    Join Date
    2007-07-27
    Posts
    153
    Rep Power
    13

    Re: VPN with certificate between Cisco and Checkpoint

    Hi cciesec2006,

    This is definitely something I would be interested in. Have you started the process?

    Kind Regards
    Testing-123

  7. #7
    Join Date
    2010-01-11
    Posts
    100
    Rep Power
    10

    Re: VPN with certificate between Cisco and Checkpoint

    I too have a deep interest in this. I am converting some 90 tunnels from an old Nortel Contivity box to my R70.40 (R75 soon) Checkpoint firewalls. Of the 90, about 75 are Cisco PIX/ASA, and using certificates would make my life simpler for managing allowed end-points, i.e., CRL when the business relationship changes.
    Thanks.
    Last edited by rmmagow; 2011-03-28 at 08:54. Reason: spelling

  8. #8
    Join Date
    2009-04-22
    Posts
    19
    Rep Power
    0

    Re: VPN with certificate between Cisco and Checkpoint

    Hi cciesec, could you share the whitepaper plz.

  9. #9
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Re: VPN with certificate between Cisco and Checkpoint

    Quote Originally Posted by kanna_vk View Post
    Hi cciesec, could you share the whitepaper plz.
    Sorry, I am still trying to locate the paper. I have it somewhere on one of my USB drives. I just need to look for it.

    Will post it once I've found it.

  10. #10
    Join Date
    2009-04-22
    Posts
    19
    Rep Power
    0

    Re: VPN with certificate between Cisco and Checkpoint

    Thank you.

  11. #11
    Join Date
    2009-04-22
    Posts
    19
    Rep Power
    0

    Re: VPN with certificate between Cisco and Checkpoint

    My plan goes like this:

    OPSEC Certified PKI: (Adding Root CA):
    1) Open Servers and OPSEC tab
    2) Trusted CAs --> Add New CA -->Trusted
    3) Fill in the details, say “external_ca”
    4) Select OPSEC PKI tab
    5) Make sure HTTP Server(s) is selected and click on “Get”
    6) Select the root cert provided by the CA. (Now Trusted CA object has been created.)

    Generate CSR:
    1) Open the Firewall Object.
    2) Navigate to IPSEC VPN
    3) In the Repository of Certificates – Click Add:
    4) Provide a Nickname and select the previously created CA object from the drop down selection available in “CA to enroll from”.
    5) Click on Generate, it will pop-up asking you to provide DN values.
    6) Click OK to generate the CSR.
    7) Copy the CSR using the option provided “Copy to Clipboard” or use “Save to File” option.
    8) Send this CSR to third-party CA to receive the signed CSR.
    9) Once the file has been received, go to firewall object -->IPSec VPN --> Select the "external_ca" which will be unsigned at this moment.
    10) Click on complete and select the file received "signed CSR", review it once and click “OK”.
    11) Now the cert is installed. Install policy so that the sslcert is installed on the Gateway.

    for VPN:
    1) Open the interoperable Device.
    2) Select the “IPSec VPN” --> click on “Matching Criteria”
    3) Select the newly created CA say “external_ca”.
    4) Install the Policy and test the VPN connections.
    Last edited by kanna_vk; 2017-05-25 at 12:44.

  12. #12
    Join Date
    2018-10-12
    Posts
    2
    Rep Power
    0

    Re: VPN with certificate between Cisco and Checkpoint

    Hi, did you manage to find the document?

    Regards
