Using Symantec Verisign PKI to authenticate Checkpoint Site-to-Site IPSec VPN - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Thursday, September 12, 2013

Using Symantec Verisign PKI to authenticate Checkpoint Site-to-Site IPSec VPN

This lab will use Symantec Verisign Trial SSL Certificate and Checkpoint R76 installed on VMware to demonstrate the steps how to use external OPSEC PKI to authenticate IPSec VPN Tunnel

Topology:
The goal is to ping from 192.168.177.1 to 192.168.99.1 with RSA signature authentication method.



1. Create a VPN community 
Create a VPN community for both firewalls without use external trusted third party PKI. Since both firewalls are managed by same management server, they will automatically use internal.ca to do authentication.
a. Create a VPN community with default settings. Add both firewalls cpmodule (vpn1) and cp_2 (vpn2) into participating gateways list.
b. Confirm they will use any of its certificate.

c. Create firewall rules
Those rules allow traffic encrypted to pass through vpn tunnel

d. verify by ping from one end to another end.

2. Import Symantec Verisign Trial Root CA and Intermediate CA certificates
a. Download both CA certificates from website URL:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1738

you will find link for both CA certificates:


b. Add them into servers tab:



3. Create CSR on both firewalls.
a. Add a new certificate, then select verisigntrialinternediate as enroll source. Click generate to generate CSR. Use view to check CSR and save it to a file.
 DN: CN=vpn.yourdomain.com,O=Your Company,L=City,ST=Ontario,C=CA
note: ST has to be full name of province. You can not use ON to replace Ontario



4. Submit CSR to Get your Signed Certificates
Go to Verisign free trail web page to apply the certificate with CSR you just saved.
https://trustcenter.websecurity.symantec.com/process/retail/trial_product_selector?uid=d6f070aaef900487ba6bf0edafdaa23c&locale=VRSN_US&language=en
It will expire in 30 days, but should be enough for a lab to prove your concept.


At final step , it will notify you the order number and tell you a email will send to you with approved certificate in it. It may take 8 hours to delivery it.
Also you always can check status of your order at http://www.verisign.com/status
you can check if you request has been approved or not, also if certificate issued.

5. Complete your CSR request and import certificates into your firewall.

Click complete on your firewall IPsec VPN tab. Select the file which Verisign sent to you in the email.

6. Change firewall authentication method to use Verisign CA PKI.
Do it on both firewalls.

7. Push firewall policy on both firewalls. 
Use ping to do test and check logs from Smartview Tracker. It will still have CRL retrieval error. After fixed that, you should be able to see traffic going through tunnel without problem.


Reference:

No comments:

Post a Comment