DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Checkpoint -> Draytek 2820n VPN with Certificates

01 Sep 2011 08:59 #1 by jamesmcbride
I have a Draytek 2820n with a dynamic IP, from which I need to create a VPN to my Checkpoint firewalls.

In order to do this, I need to use certificates for authentication rather than Pre-Shared keys. I have got so far with doing this, but I don't seem to be able to get any further. So far I have done the following:
Issued and installed a certificate to the Draytek from the Checkpoint CA
Added the Checkpoint CA as a trusted CA on the Draytek
Configured Draytek as an interoperable device in Checkpoint, with a Dynamic IP and set it to match the DN of the certificate I issued
Added the Draytek and Checkpoint to a VPN community
Configured Phase1 and Phase2 encryption as follows:
Phase1: AES256 / SHA1 / DH Group2 / Re-negotiate 1440 minutes (as per my remote access encryption properties)
Phase2: 3DES / SHA1 / Renegotiate 3600 Seconds
Configured encryption domains

What I am seeing is Phase 1 seems to complete - it shows Phase 1 as up in Smart View monitor and I can see the certificate exchange when looking at the debug logs in IKEView. However, it doesn't seem to even start Phase2.

Any advice or pointers would be greatly appreciated

23 Feb 2012 09:57 #2 by tippers
Hi,

Did you find a solution to this issue? I am having a similar problem with linking a certificate VPN between a 2830n and a Sonicwall firewall. Phase 1 appears to complete but then packets are dropped and Phase 2 never completes.

It must be something to do with the certificates or CA certificate as the VPN works fine with a PSK. I'm unsure about the Certificate Template to use. Sonicwall have assured me their device requires the Web Server template and reading the Vigor notes it suggests using the Router (Offline Request) template. Is this something which would cause an issue?

Chris
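A quick identity check on the certificate the router presents, added here as an example (not from this thread, DrayTek, Checkpoint or Sonicwall): it prints the subject DN in RFC 2253 order, the extended key usage and the subjectAltName, which is what a "match DN" rule on the firewall side or a Peer ID of email-address type is compared against, and which differs between the Web Server and Router (Offline Request) templates. It assumes openssl 1.1.1 or later and builds a constructed, throwaway self-signed certificate (made-up names) so the checks have something to run on.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes openssl >= 1.1.1 on the workstation.

# Subject DN in RFC 2253 order (most-specific RDN first), as a DN-match rule sees it.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Extended Key Usage line; empty if the certificate carries none.
# A Web Server template yields "TLS Web Server Authentication",
# a Router (Offline Request) template yields "TLS Web Client Authentication".
cert_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | sed -n '2p' | sed 's/^ *//'
}

# subjectAltName entries (email:/DNS:/IP:); an email-type Peer ID must match one of these.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | sed -n '2p' | sed 's/^ *//'
}

# Constructed sample: self-signed cert shaped like one issued to a router
# (client-auth EKU plus an email SAN). Writes router.pem/router.key into $1.
make_sample_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/router.key" -out "$dir/router.pem" \
        -subj "/O=ExampleOrg/CN=vigor2820.example" \
        -addext "extendedKeyUsage=clientAuth" \
        -addext "subjectAltName=email:vpn@example.net" >/dev/null 2>&1
    echo "$dir/router.pem"
}

# Usage: report on a real certificate file, e.g. the one exported from the CA.
report_cert() {
    echo "Subject DN : $(cert_subject_dn "$1")"
    echo "EKU        : $(cert_eku "$1")"
    echo "SAN        : $(cert_san "$1")"
}
```

Run `report_cert /path/to/router.pem` against the certificate you actually installed and compare each line with what the far end is configured to match on.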

23 Feb 2012 15:46 #3 by nealuk
Why not just use Peer ID?

23 Feb 2012 15:55 #4 by tippers
I have set the Peer ID to accept the email address on the Sonicwall cert. From the Draytek notes, that is just one part of the configuration, you also need the certs imported.

24 Feb 2012 10:55 #5 by nealuk
Phase1: AES256 / SHA1 / DH Group2 / Re-negotiate 1440 minutes (as per my remote access encryption properties)
Phase2: 3DES / SHA1 / Renegotiate 3600 Seconds

Just for the heck of it, what about trying a different type - G2 instead of SHA to see if this makes a difference. Some types work better than others for no logical reason!
