external CA for Remote Access VPN

Posted on May 9, 2012


Checkpoint has a complete Certificate Authority infrastructure, and I would use it for small and medium sized businesses where there are only a few remote access users. For large enterprises, or for companies with an existing CA infrastructure, it is worth using their own certificates, because that gives much more flexibility. In this example I illustrate how to use an external CA for remote access VPN with the Checkpoint R75 client.

The topology used for the test:

Let's start configuring the whole thing. In this example I have a certificate chain with a root CA and one subordinate CA. First import the root CA certificate:
(Generating the root CA and the subordinate CA with openssl is documented in older posts.)

The CA object is named root_ca:

The root CA can now be found under the trusted CA list:

Before we import the certificate, we have to change something here.

We do not use a CRL now, so it can be disabled, but in a live system the client certificates should be checked against the CRL. (You can generate one with openssl and put it on an HTTP server):

and import the CA certificate for the root CA.

The root CA can now be found under the trusted CA list:

The next step is to import the subordinate CA:

Import the certificate for the sub CA:

Now we have a certificate authority under the subordinate CA list too:

And now comes the firewall setup. We set up the basic settings for the firewall object and generate a certificate request.

Set the IP and enable the VPN feature:

Set the VPN Community:

Set the topology and the VPN encryption domain.

If you have a CA chain, the signing CA for the clients is not the same as the signing CA for the firewall, and the clients do not know the firewall's CA, then you have to configure the firewall so that it sends the complete chain of its certificate to the client. The client will then either find a matching certificate in the chain, or see that the root CA is the same as its own root CA, and accept the firewall certificate. If the chain the firewall has does not contain any CA that the client trusts, the VPN connection will break. In the Checkpoint GUI you should choose the root CA as the signing CA and sign the CSR with the sub CA. The Checkpoint GUI will not check whether the chosen CA really enrolled the CSR.
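As an added example (my own code, not from the original post or from Checkpoint), here is a minimal model of the client-side decision just described: the client walks the chain it received from the gateway along issuer links until it reaches a CA it trusts, and refuses the connection if it never does. Each certificate is reduced to its subject and issuer names; a real client also verifies signatures, validity periods and CRLs. The CA names follow the post's setup, the chain itself is constructed.

```python
# Added example (not from the original post): model of how the client decides
# whether to accept the gateway certificate from the chain it receives.
# Certificates are reduced to (subject, issuer) name pairs; a real client also
# checks signatures, validity and revocation.

# Constructed chain as the gateway would send it: end-entity certificate first,
# then the issuing sub CA, then the self-signed root.
GATEWAY_CHAIN = [
    ("CN=myfirewall", "CN=subordinate"),
    ("CN=subordinate", "CN=root"),
    ("CN=root", "CN=root"),
]


def find_trust_anchor(chain, trusted):
    """Walk issuer links starting at the gateway certificate (chain[0]) and
    return the first issuer name the client trusts.  None means no CA in the
    chain is trusted: the chain stopped before a trusted name (the issuing CA
    was not sent and is unknown to the client), ended in an untrusted
    self-signed root, or looped."""
    issuer_of = dict(chain)              # subject -> issuer
    current = chain[0][0]
    seen = set()
    while current not in seen:
        seen.add(current)
        issuer = issuer_of.get(current)
        if issuer is None:
            return None                  # issuer certificate missing from the chain
        if issuer in trusted:
            return issuer
        if issuer == current:
            return None                  # self-signed root the client does not trust
        current = issuer
    return None


def gateway_accepted(chain, client_trusted):
    """True when the client would accept the gateway certificate."""
    return find_trust_anchor(chain, client_trusted) is not None


if __name__ == "__main__":
    # client trusts only the root: accepted via the sub CA link
    print(find_trust_anchor(GATEWAY_CHAIN, {"CN=root"}))
    # gateway sends only its own certificate, client knows only the root: refused
    print(find_trust_anchor(GATEWAY_CHAIN[:1], {"CN=root"}))
```

The second call in the usage block is the failure case from the paragraph above: the gateway sends only its own certificate, the client knows only the root CA, and nothing links the two, so the VPN would not come up.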

Before we generate a certificate request for the client, we should know which fields are mandatory for the CA that will sign the certificate request. In my openssl configuration it is the following:

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

If we do not follow the requirements, we run into this problem:

root@schlagmichtotgw:/tmp/mnt/subca# /opt/bin/openssl ca -in ../client_requests/myfirewall.csr -out myfirewall_cert.pem -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
The mandatory countryName field was missing
root@schlagmichtotgw:/tmp/mnt/subca#

I have tried to find the standard attribute identifiers, like OU for Organizational Unit, but I had no luck. One RFC I have found is RFC 4211, which has a list of basic identifiers:

      C      (country)
      L      (locality)
      ST     (state or province)
      O      (organization)
      OU     (organizational unit)
      CN     (common name)
      STREET (street address)
      E      (E-mail address).

If you check what the sub CA has as a DN, you will see the following:

Email=info@mycompany.hu,CN=subordinate,OU=Security,O=My Company,ST=Budapest,C=HU

We should copy the mandatory fields, and this will be the right DN for the firewall's CSR:

CN=myfirewall,C=HU,ST=Budapest,O=My Company
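As an added example (my own code, not from the original post or from OpenSSL), here is a small Python model of the `openssl ca` policy check from the `[ policy_match ]` section above. It parses a DN string, reports which mandatory fields a request is missing or has wrong, drops attributes the policy does not list (this is why the Locality entered for the client request later in the post does not appear in the signed certificate), and builds the `-subj` argument for `openssl req` from the CA's DN. The policy table and DNs are the ones shown above; the function names are mine and the error texts are only modelled on what `openssl ca` prints.

```python
# Added example (not from the original post): model the "openssl ca" policy
# check from the [ policy_match ] section above.  The policy table and DNs are
# the ones shown in the post; error texts are only modelled on openssl's.

# OpenSSL short attribute names <-> the long names used in the policy section.
SHORT_TO_LONG = {
    "C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
    "O": "organizationName", "OU": "organizationalUnitName",
    "CN": "commonName", "Email": "emailAddress", "emailAddress": "emailAddress",
}
LONG_TO_SHORT = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU",
    "commonName": "CN", "emailAddress": "Email",
}

# The [ policy_match ] section of the post's openssl.cnf, in file order.
POLICY_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "match",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

# DN of the sub CA as Check Point prints it (from the post).
SUBCA_DN = "Email=info@mycompany.hu,CN=subordinate,OU=Security,O=My Company,ST=Budapest,C=HU"


def parse_dn(dn):
    """Parse 'Email=x,CN=y,...' or '/C=HU/ST=.../CN=...' into a dict keyed by
    long attribute names.  Values containing ',' or '/' are not handled."""
    sep = "/" if dn.startswith("/") else ","
    out = {}
    for part in dn.strip(sep).split(sep):
        key, _, value = part.strip().partition("=")
        out[SHORT_TO_LONG.get(key, key)] = value
    return out


def apply_policy(ca_dn, req_dn, policy=POLICY_MATCH):
    """Return (errors, subject): the errors openssl ca would report for the
    request and, when there are none, the subject the certificate would get.
    Attributes the policy does not list are silently dropped; the resulting
    subject is in policy order, as in the post's signed certificates."""
    ca, req = parse_dn(ca_dn), parse_dn(req_dn)
    errors, subject = [], {}
    for attr, rule in policy.items():
        value = req.get(attr)
        if value is None:
            if rule == "match":
                errors.append(f"The mandatory {attr} field was missing")
            elif rule == "supplied":
                errors.append(f"The {attr} field needed to be supplied and was missing")
            continue                      # optional and absent: fine
        if rule == "match" and value != ca.get(attr):
            errors.append(f"The {attr} field needed to be the same in the "
                          f"CA certificate ({ca.get(attr)}) and the request ({value})")
        subject[attr] = value
    return errors, (subject if not errors else {})


def build_subj(ca_dn, supplied, policy=POLICY_MATCH):
    """Build an 'openssl req -subj' string that passes the policy: 'match'
    attributes are copied from the CA DN, the others come from `supplied`
    (a dict keyed by long names).  A missing 'supplied' attribute is an error."""
    ca = parse_dn(ca_dn)
    parts = []
    for attr, rule in policy.items():
        if rule == "match":
            parts.append((LONG_TO_SHORT[attr], ca[attr]))
        elif attr in supplied:
            parts.append((LONG_TO_SHORT[attr], supplied[attr]))
        elif rule == "supplied":
            raise ValueError(f"{attr} must be supplied for this CA policy")
    return "".join(f"/{short}={value}" for short, value in parts)


if __name__ == "__main__":
    # the request from the error above: country and state missing
    print(apply_policy(SUBCA_DN, "CN=myfirewall,O=My Company"))
    # a request subject that this CA will sign
    print(build_subj(SUBCA_DN, {"commonName": "myfirewall"}))
```

The `build_subj` output can be passed directly as `openssl req -new -key ... -subj "<string>"` instead of answering the interactive prompts, which avoids the mismatch shown in the error output above.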

The GUI should look like this:

I have added an IP Address field as well. This is required for iPads…

Copy it to the clipboard.

and paste it on the server where our openssl CA is installed:

root@schlagmichtotgw:/tmp/mnt/client_requests# vi myfirewall.csr 

And just send the CSR to the CA and sign it:

root@schlagmichtotgw:/tmp/mnt/subca# /opt/bin/openssl ca -in ../client_requests/myfirewall.csr -out myfirewall_cert.pem -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 256 (0x100)
        Validity
            Not Before: Apr 21 09:43:16 2012 GMT
            Not After : Apr 21 09:43:16 2013 GMT
        Subject:
            countryName               = HU
            stateOrProvinceName       = Budapest
            organizationName          = My Company
            commonName                = myfirewall
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E0:21:88:A2:41:19:E1:5B:32:60:7E:5C:53:96:17:99:22:A2:DC:A1
            X509v3 Authority Key Identifier:
                keyid:65:6A:7A:7A:94:E5:92:9F:68:F8:86:26:BE:C8:89:04:FA:D4:5C:26

Certificate is to be certified until Apr 21 09:43:16 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

and convert it to DER format:

root@schlagmichtotgw:/tmp/mnt/subca# /opt/bin/openssl x509 -outform der -in myfirewall_cert.pem -out myfirewall_cert.crt 

Import the signed certificate in the firewall:

Let's go on with the VPN setup and set the authentication method (I have not seen this setting before R75, but as we do not set the authentication on the user object, we should set it here. I still have to test whether it would work if I left it unset…):

Set the IP for the VPN service if we need VPN on an address other than the main IP address, which in my case is the internal IP (192.168.56.10):

Set Office mode IP for the remote access VPN:

Enable the policy server (I guess it is optional):

Create some basic rules for the client firewall policy:

Enable visitor mode, which is required for the R75 client (AFAIK):

and change the WebUI port to something else (be careful to pick a port that is not in use):

[myfirewall]# webui disable
Shutting down cp_http_server_wd:                           [  OK  ]
[myfirewall]# webui enable 1443
Running cp_http_server_wd:                                 [  OK  ]
[myfirewall]#

Now we have to create a local user for authentication. I am not sure if it is possible with Checkpoint, but with Cisco you can disable user authentication completely; I mean it is enough to identify only the user's certificate, without any username (local or remote on LDAP).

We do not have to set anything for authentication:

and we do not have to set anything for certificate:

Do not forget to install the policy.

VPN Client used for the test:
Endpoint Security VPN R75 (which replaces SecureClient) for Windows
Link:
https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=11611

Create certificate for the windows client:

– generate a private key for the client

root@schlagmichtotgw:/tmp/mnt# mkdir client_cert
root@schlagmichtotgw:/tmp/mnt# cd client_cert
root@schlagmichtotgw:/tmp/mnt/client_cert# mkdir private
root@schlagmichtotgw:/tmp/mnt/client_cert# /opt/bin/openssl rand -out ./private/.client_rand 1024
root@schlagmichtotgw:/tmp/mnt/client_cert# /opt/bin/openssl genrsa -des3 -out ./private/client.key -rand ./private/.client_rand 2048
1024 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.......+++
................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for ./private/client.key:
Verifying - Enter pass phrase for ./private/client.key:
root@schlagmichtotgw:/tmp/mnt/client_cert#

– generate a request for the client

root@schlagmichtotgw:/tmp/mnt/client_cert# /opt/bin/openssl req -new -key ./private/client.key -out client.csr
Enter pass phrase for ./private/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Budapest
Locality Name (eg, city) []:Berlin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:Finance
Common Name (eg, YOUR name) []:testuser1
Email Address []:testuser1@mycompany.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@schlagmichtotgw:/tmp/mnt/client_cert#

– Sign the client certificate

root@schlagmichtotgw:/tmp/mnt/subca# /opt/bin/openssl ca -in ../client_cert/client.csr -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 257 (0x101)
        Validity
            Not Before: May  6 19:36:46 2012 GMT
            Not After : May  6 19:36:46 2013 GMT
        Subject:
            countryName               = HU
            stateOrProvinceName       = Budapest
            organizationName          = My Company
            organizationalUnitName    = Finance
            commonName                = testuser1
            emailAddress              = testuser1@mycompany.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2B:6A:0E:53:69:BE:9C:00:6A:48:E5:CC:07:54:78:2C:27:CA:DB:C1
            X509v3 Authority Key Identifier:
                keyid:65:6A:7A:7A:94:E5:92:9F:68:F8:86:26:BE:C8:89:04:FA:D4:5C:26

Certificate is to be certified until May  6 19:36:46 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 257 (0x101)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=HU, ST=Budapest, O=My Company, OU=Security, CN=subordinate/emailAddress=info@mycompany.hu
        Validity
            Not Before: May  6 19:36:46 2012 GMT
            Not After : May  6 19:36:46 2013 GMT
        Subject: C=HU, ST=Budapest, O=My Company, OU=Finance, CN=testuser1/emailAddress=testuser1@mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a0:e0:03:43:b2:f1:e8:27:71:06:1f:a7:ec:22:
                    f8:ce:2d:f5:75:30:5a:ec:f0:e0:f1:57:4f:5d:19:
                    2b:d9:73:0e:67:27:b6:50:b3:78:fd:66:e5:3a:d3:
                    dd:29:c7:87:30:b3:99:2d:f3:b6:9f:4c:1f:13:c1:
                    d2:80:63:e2:c9:bc:a4:b1:02:da:35:a5:73:e9:ce:
                    3d:78:49:aa:26:3c:bf:eb:6f:91:6c:5b:b2:72:7a:
                    70:f4:4d:f8:16:7a:19:c5:1d:0c:90:1d:8d:1c:56:
                    28:81:02:62:43:74:2b:5f:41:ce:63:f6:21:8f:bd:
                    27:9f:5b:3a:10:8a:86:70:29:8e:7a:a3:05:09:00:
                    af:55:05:d7:68:30:34:c7:1a:7e:9e:59:a0:00:72:
                    58:2b:97:04:fc:ed:8a:8c:0d:8d:f0:e8:a4:d2:2b:
                    69:d8:43:e8:42:62:ad:ca:75:59:4b:ec:83:a3:dc:
                    b3:1a:dd:67:44:a6:9d:3b:af:5b:78:f3:67:f1:d6:
                    ee:19:22:54:da:f1:7f:ca:7c:d1:22:10:b5:bb:3a:
                    7d:65:b4:5e:54:f0:1b:70:71:5b:3d:a2:9a:02:01:
                    2d:c7:db:f0:6a:1c:d5:c2:b1:79:3a:82:78:a8:1d:
                    31:f7:7f:ea:4b:17:10:39:7e:06:56:fd:4d:b5:50:
                    d4:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2B:6A:0E:53:69:BE:9C:00:6A:48:E5:CC:07:54:78:2C:27:CA:DB:C1
            X509v3 Authority Key Identifier:
                keyid:65:6A:7A:7A:94:E5:92:9F:68:F8:86:26:BE:C8:89:04:FA:D4:5C:26

    Signature Algorithm: sha1WithRSAEncryption
        b6:89:93:4b:99:67:28:9e:1c:d6:e9:4b:e7:de:ef:c8:bc:68:
        94:b1:20:4d:80:47:df:41:ec:2a:d9:4f:10:e7:c6:24:c5:3b:
        cd:fe:c5:16:f9:14:ec:36:3a:64:10:17:90:75:0c:4c:f3:b8:
        3b:23:d4:19:57:3c:79:1b:de:1c:8e:70:5f:b6:01:b3:29:bc:
        07:91:d4:a0:d8:3f:d3:a4:9c:13:71:c4:18:44:ed:65:fe:c9:
        2a:66:39:18:be:bf:43:67:89:11:ad:f6:a2:8b:58:ab:0d:07:
        45:d5:5f:3d:ac:a3:20:48:46:c4:c8:ae:c0:36:45:21:8e:20:
        32:17:01:aa:ba:49:f4:5b:10:a8:cb:e7:11:f9:96:5e:5c:0f:
        fa:aa:06:2c:79:22:cb:2a:aa:05:f6:6b:27:71:60:5a:f6:b4:
        1f:17:7c:49:e4:f6:b9:43:d8:55:7a:9d:64:6c:bb:d0:96:86:
        e9:cf:8c:07:9c:b9:e9:c4:2f:d1:8f:39:66:b4:6c:3b:2d:ee:
        1c:35:85:a2:68:d1:db:a8:d3:40:55:f7:0c:58:85:80:62:c5:
        3b:12:cb:80:fd:b1:18:66:81:e4:94:e1:b2:f4:c2:8c:b5:c7:
        3b:f4:c9:46:3f:c5:d4:2c:99:5e:c1:fc:58:8f:29:a2:b6:ca:
        08:21:20:64
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated
root@schlagmichtotgw:/tmp/mnt/subca#

– Remove the passphrase from the client key

root@schlagmichtotgw:/tmp/mnt/client_cert# /opt/bin/openssl rsa -in ./private/client.key -out ./private/client_noph.key

– Create the PKCS12 file
This file combines the person’s public key, private key, and root certificate into one file.
(source: http://www.flatmtn.com/article/creating-pkcs12-certificates)

root@schlagmichtotgw:/tmp/mnt/client_cert# /opt/bin/openssl pkcs12 -export -in 0101.pem -inkey ./private/client_noph.key -certfile ../subca/cacert.pem -name testuser1 -out testuser1.p12
Enter Export Password:
Verifying - Enter Export Password:
root@schlagmichtotgw:/tmp/mnt/client_cert#

Copy the p12 file to the client machine and import it in the certificate store.

Run command: certmgr.msc

After the import it is not yet usable:

the root CA is missing and the certificate is not trusted. But if we add the root CA to the trusted list, it will be okay:

Let's try to connect with our newly installed VPN client. First set up the site:

Set the IP of the gateway:

and the connection fails:

the logs in SmartView Tracker show the following:

and this:

at least we have a site now in the client (just to be a little bit positive :-)):

The problem is that the user is identified by its DN, but we use a username for our local user, which is the same as the CN from the user certificate. They do not match and the firewall says unknown user.

The user is fetched according to the setting in the certificate authority object in the objects file. Let's see how to modify it with the CLI. Those who prefer the GUI can use guidbedit. Log in to the management server (in my case it is the same as the firewall).

[Expert@myfirewall]# dbedit
Enter Server name (ENTER for 'localhost'):

Enter Administrator Name: fwadmin
Enter Administrator Password:

Please enter a command, -h for help or -q to quit:
dbedit> Commands:

create  
modify    
rename   
update  
update_all
delete  
print  
printxml  
addelement    
rmelement    
rmbyindex    
add_owned_remove_name    
is_delete_allowed  
quit [-update_all|-noupdate]

dbedit> print servers root_ca

Object Name: root_ca
Object UID: {F587A88D-1595-4A19-8A15-176FCC92D861}
Class Name: opsec_ca_server
Table Name: servers
Last Modified by: fwadmin
Last Modified from: test-laptop
Last Modification time: Mon May  7 17:37:24 2012
Fields Details
--------------
    OCSP_servers:
    OCSP_validation: false
    additional_ca_sign_keys:
    automatic_enrollment_protocol: (

    )
    ca_type: OPSEC PKI
    cacertificate:
    cacertsignkey: fcf28da110d19253486ecede
    color: black
    comments:
    crl_cache_timeout: 86400
    crl_cache_type: Timeout
    crl_http: false
    crl_ldap: false
    dn: Email=info@mycompany.hu,CN=root,OU=Security,O=My Company,L=Budapest,ST=Budapest,C=HU
    permissions_strings:
    permissions_type: None
    type: ca
    use_auto_enrollment: false
    use_cn_to_fetch_user: false
    use_principal_name: false

dbedit> print servers subca

Object Name: subca
Object UID: {C5ED67BF-2FED-4429-8958-C9B9A49DD9D2}
Class Name: opsec_ca_server
Table Name: servers
Last Modified by: fwadmin
Last Modified from: test-laptop
Last Modification time: Mon May  7 17:37:24 2012
Fields Details
--------------
    OCSP_servers:
    OCSP_validation: false
    additional_ca_sign_keys:
    automatic_enrollment_protocol: (

    )
    ca_type: OPSEC PKI
    cacertificate:
    cacertsignkey: 4e25f88d447d2203750af375
    color: black
    comments:
    crl_cache_timeout: 86400
    crl_cache_type: Timeout
    crl_http: true
    crl_ldap: false
    dn: Email=info@mycompany.hu,CN=subordinate,OU=Security,O=My Company,ST=Budapest,C=HU
    permissions_strings:
    permissions_type: None
    type: sub_ca
    use_auto_enrollment: false
    use_cn_to_fetch_user: false
    use_principal_name: false

dbedit> modify servers root_ca use_cn_to_fetch_user true
dbedit> modify servers subca use_cn_to_fetch_user true
dbedit> quit

servers::root_ca was not updated. update now ?[y/n] y
servers::root_ca Updated Successfully
servers::subca was not updated. update now ?[y/n] y
servers::subca Updated Successfully
[Expert@myfirewall]#
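As an added example (my own code, not from the original post or from Checkpoint), here is a small parser for the `dbedit> print servers <name>` output shown above, together with a model of the user lookup that failed: with `use_cn_to_fetch_user` false the gateway looks the user up by the certificate's full DN, with it true only by the CN, which is what lets a local user named testuser1 match. The dbedit text is a trimmed copy of the `root_ca` dump above; the user "database" and the client certificate subject are constructed, and the DN-mode lookup (a user object matched by the DN stored on it) is my reading of the post, not Checkpoint's documented behaviour.

```python
# Added example (not from the original post): parse a dbedit "print" dump and
# model the certificate-to-user lookup controlled by use_cn_to_fetch_user.
# The dump is a trimmed copy from the post; users and subjects are constructed.

# Constructed sample: the root_ca object as printed by dbedit (trimmed).
DBEDIT_ROOT_CA = """\
Object Name: root_ca
Object UID: {F587A88D-1595-4A19-8A15-176FCC92D861}
Class Name: opsec_ca_server
Table Name: servers
Fields Details
--------------
    OCSP_validation: false
    automatic_enrollment_protocol: (

    )
    ca_type: OPSEC PKI
    crl_http: false
    dn: Email=info@mycompany.hu,CN=root,OU=Security,O=My Company,L=Budapest,ST=Budapest,C=HU
    type: ca
    use_cn_to_fetch_user: false
    use_principal_name: false
"""

# Constructed subject of the signed client certificate, in Check Point's
# comma-separated form.
CLIENT_SUBJECT = "C=HU,ST=Budapest,O=My Company,OU=Finance,CN=testuser1,Email=testuser1@mycompany.com"


def parse_dbedit_object(text):
    """Return (header, fields).  Header lines are 'Key: value' at column 0;
    fields are the indented 'key: value' lines after 'Fields Details'.
    A value of '(' opens a multi-line list that ends at ')'."""
    header, fields = {}, {}
    in_fields, list_key = False, None
    for line in text.splitlines():
        if not in_fields:
            if line.strip() == "Fields Details":
                in_fields = True
            elif ":" in line:
                key, _, value = line.partition(":")
                header[key.strip()] = value.strip()
            continue
        stripped = line.strip()
        if line.startswith("---") or not stripped and list_key is None:
            continue
        if list_key is not None:                 # inside a "( ... )" list
            if stripped == ")":
                list_key = None
            elif stripped:
                fields[list_key].append(stripped)
            continue
        key, _, value = stripped.partition(":")
        value = value.strip()
        if value == "(":
            fields[key], list_key = [], key
        else:
            fields[key] = value
    return header, fields


def parse_dn(dn):
    """'C=HU,ST=...,CN=x' -> dict keyed by short attribute names."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        out[key] = value
    return out


def fetch_user(cert_subject, ca_fields, users):
    """Model of the gateway's user lookup.  `users` maps a username to the DN
    stored on the user object ('' when none was set, as in the post).
    Returns the matched username or None ('unknown user' in the log)."""
    if ca_fields.get("use_cn_to_fetch_user", "false").lower() == "true":
        cn = parse_dn(cert_subject).get("CN")
        return cn if cn in users else None
    for name, dn in users.items():               # DN mode: full DN must match
        if dn and dn == cert_subject:
            return name
    return None


if __name__ == "__main__":
    _, fields = parse_dbedit_object(DBEDIT_ROOT_CA)
    print(fetch_user(CLIENT_SUBJECT, fields, {"testuser1": ""}))           # None
    fields["use_cn_to_fetch_user"] = "true"                                # after dbedit modify
    print(fetch_user(CLIENT_SUBJECT, fields, {"testuser1": ""}))           # testuser1
```

Running the usage block reproduces the two states from the post: before `modify servers root_ca use_cn_to_fetch_user true` the lookup returns nothing, afterwards it returns testuser1.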

Check what the policy name is:

[Expert@myfirewall]# fw stat
HOST      POLICY     DATE
localhost Standard    7May2012 19:49:23 :  [>eth0] [eth1] [

and install it without the GUI (we do not have time for the GUI; for the firewall name we use the object name):

[Expert@myfirewall]# fwm load Standard myfirewall

Installing policy on R75 compatible targets:
 Standard.W: Security Policy Script generated into Standard.pf
 Standard:
 Compiled OK.
 Installing Security Gateway policy on: myfirewall ...
  Security Gateway policy installed successfully on myfirewall...

 Security Gateway policy installation complete
 Security Gateway policy installation succeeded for:
 myfirewall

And here we go! After the policy install we can log in with testuser1.

Login

and the key install:

and we are in with an office mode IP:

We are ready. But the open points have to be cleared later: the CRLs, the debugging of the certificate chain, and the next post about LDAP authentication with OpenLDAP. That will be hard, OpenLDAP and Checkpoint integration.. but for now this is it:

Posted in: Checkpoint, Security, VPN