DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Checkpoint -> Draytek 2820n VPN with Certificates
- jamesmcbride
- Topic Author
- Offline
- New Member
- Posts: 1
- Thank you received: 0
01 Sep 2011 08:59 #69186
by jamesmcbride
Checkpoint -> Draytek 2820n VPN with Certificates was created by jamesmcbride
I have a Draytek 2820n with a dynamic IP, from which I need to create a VPN to my Checkpoint firewalls.
In order to do this, I need to use certificates for authentication rather than Pre-Shared keys. I have got so far with doing this, but I don't seem to be able to get any further. So far I have done the following:
- Issued and installed a certificate to the Draytek from the Checkpoint CA
- Added the Checkpoint CA as a trusted CA on the Draytek
- Configured Draytek as an interoperable device in Checkpoint, with a Dynamic IP and set it to match the DN of the certificate I issued
- Added the Draytek and Checkpoint to a VPN community
- Configured Phase1 and Phase2 encryption as follows:
  - Phase1: AES256 / SHA1 / DH Group2 / Re-negotiate 1440 minutes (as per my remote access encryption properties)
  - Phase2: 3DES / SHA1 / Renegotiate 3600 Seconds
- Configured encryption domains
What I am seeing is that Phase 1 seems to complete - it shows Phase 1 as up in Smart View Monitor and I can see the certificate exchange when looking at the debug logs in IKEView. However, it doesn't seem to even start Phase 2.
Any advice or pointers would be greatly appreciated.
- tippers
- Offline
- Junior Member
- Posts: 10
- Thank you received: 0
23 Feb 2012 09:57 #71339
by tippers
Replied by tippers on topic Re: Checkpoint -> Draytek 2820n VPN with Certificates
Hi,
Did you find a solution to this issue? I am having a similar problem with linking a certificate VPN between a 2830n and a Sonicwall firewall. Phase 1 appears to complete but then packets are dropped and Phase 2 never completes.
It must be something to do with the certificates or CA certificate as the VPN works fine with a PSK. I'm unsure about the Certificate Template to use. Sonicwall have assured me their device requires the Web Server template and reading the Vigor notes it suggests using the Router (Offline Request) template. Is this something which would cause an issue?
Chris
- nealuk
- Offline
- Member
- Posts: 465
- Thank you received: 0
23 Feb 2012 15:46 #71351
by nealuk
Replied by nealuk on topic Re: Checkpoint -> Draytek 2820n VPN with Certificates
why not just use Peer ID?
- tippers
- Offline
- Junior Member
- Posts: 10
- Thank you received: 0
23 Feb 2012 15:55 #71353
by tippers
Replied by tippers on topic Re: Checkpoint -> Draytek 2820n VPN with Certificates
I have set the Peer ID to accept the email address on the Sonicwall cert. From the Draytek notes, that is just one part of the configuration, you also need the certs imported.
Please Log in or Create an account to join the conversation.
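Both the opening post (a Check Point interoperable-device object set to "match the DN of the certificate") and the Peer ID exchange above come down to the same question: does the identity the gateway is configured to expect match the identity the router's certificate actually carries? The script below is an added example, not code from this thread, from DrayTek or from Check Point. It parses subject DNs in both RFC 4514 form (`CN=..., O=...`) and the slash form OpenSSL prints (`/C=.../CN=...`), compares them after normalising attribute aliases, case, whitespace and escaping, and reports why two DNs differ (the usual culprits being reversed RDN order or a typo in one attribute). The sample DNs and e-mail addresses are constructed for the example and are not taken from the thread.

```python
"""Normalised comparison of a certificate identity against a configured IKE peer ID.

Added example, not from the forum thread. Sample DNs below are constructed.
"""
from __future__ import annotations
import re

# Common attribute-type aliases and OIDs, folded to one canonical short name.
_ATTR_ALIASES = {
    "cn": "cn", "commonname": "cn", "2.5.4.3": "cn",
    "o": "o", "organizationname": "o", "2.5.4.10": "o",
    "ou": "ou", "organizationalunitname": "ou", "2.5.4.11": "ou",
    "c": "c", "countryname": "c", "2.5.4.6": "c",
    "st": "st", "stateorprovincename": "st", "2.5.4.8": "st",
    "l": "l", "localityname": "l", "2.5.4.7": "l",
    "e": "email", "email": "email", "emailaddress": "email",
    "1.2.840.113549.1.9.1": "email",
    "dc": "dc", "domaincomponent": "dc", "0.9.2342.19200300.100.1.25": "dc",
}


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs, keeping the order as written.

    Accepts RFC 4514 syntax ("CN=a,O=b", with "\\," escaping commas) and the
    OpenSSL slash form ("/C=GB/O=b/CN=a"). Multi-valued RDNs joined with '+'
    are treated as separate components.
    """
    if dn.startswith("/"):
        parts = re.split(r"(?<!\\)/", dn[1:])
    else:
        parts = re.split(r"(?<!\\)[,+]", dn)
    rdns = []
    for part in parts:
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip(), value))
    return rdns


def canonical_dn(dn: str) -> tuple[tuple[str, str], ...]:
    """Canonical form: alias-folded attribute names, unescaped, whitespace-collapsed,
    case-folded values. Two DNs that are 'the same' for IKE ID purposes compare equal."""
    canon = []
    for attr, value in split_dn(dn):
        key = _ATTR_ALIASES.get(attr.lower())
        if key is None:
            raise ValueError(f"unknown attribute type: {attr!r}")
        value = re.sub(r"\\(.)", r"\1", value)        # drop RFC 4514 escapes
        value = " ".join(value.split()).casefold()    # collapse spaces, ignore case
        canon.append((key, value))
    return tuple(canon)


def dn_match(configured: str, presented: str, ordered: bool = True) -> bool:
    """True if the configured peer ID matches the DN the certificate presents.

    ordered=True mimics a gateway that compares RDNs in sequence; ordered=False
    tolerates the reversed order that some products display."""
    a, b = canonical_dn(configured), canonical_dn(presented)
    return a == b if ordered else sorted(a) == sorted(b)


def explain_mismatch(configured: str, presented: str) -> list[str]:
    """Human-readable reasons a strict comparison failed, for a troubleshooting note."""
    a, b = canonical_dn(configured), canonical_dn(presented)
    if a == b:
        return []
    if sorted(a) == sorted(b):
        return ["same attributes, different RDN order (one side is probably reversed)"]
    notes = []
    for k, v in sorted(set(a) - set(b)):
        notes.append(f"configured but not in certificate: {k}={v}")
    for k, v in sorted(set(b) - set(a)):
        notes.append(f"in certificate but not configured: {k}={v}")
    return notes


def email_id_match(configured: str, cert_emails: list[str]) -> bool:
    """Peer ID configured as an e-mail address: compare case-insensitively against
    the addresses in the certificate's subjectAltName (constructed list here)."""
    return configured.strip().casefold() in {e.strip().casefold() for e in cert_emails}


# Constructed sample values (not from the thread).
ROUTER_CERT_SUBJECT = "CN=vigor2820,OU=Branch,O=Example Ltd,C=GB"
GATEWAY_PEER_ID = "cn=Vigor2820, ou=Branch, o=Example Ltd, c=GB"
REVERSED_PEER_ID = "C=GB, O=Example Ltd, OU=Branch, CN=vigor2820"
WRONG_PEER_ID = "CN=vigor2830,OU=Branch,O=Example Ltd,C=GB"

if __name__ == "__main__":
    for label, peer_id in [("ok", GATEWAY_PEER_ID), ("reversed", REVERSED_PEER_ID),
                           ("typo", WRONG_PEER_ID)]:
        print(label, dn_match(peer_id, ROUTER_CERT_SUBJECT),
              explain_mismatch(peer_id, ROUTER_CERT_SUBJECT))
```

Running it prints one line per sample: the case-only difference matches, the reversed DN is reported as an ordering problem, and the mistyped CN is listed attribute by attribute. The same `explain_mismatch` output is what you would want beside the IKE debug log when Phase 1 authenticates but identity matching is suspected.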
- nealuk
- Offline
- Member
- Posts: 465
- Thank you received: 0
24 Feb 2012 10:55 #71359
by nealuk
Replied by nealuk on topic Re: Checkpoint -> Draytek 2820n VPN with Certificates
Phase1: AES256 / SHA1 / DH Group2 / Re-negotiate 1440 minutes (as per my remote access encryption properties)
Phase2: 3DES / SHA1 / Renegotiate 3600 Seconds
Just for the heck of it, what about trying a different type - G2 instead of SHA to see if this makes a difference. Some types work better than others for no logical reason!
Moderators: Chris, Sami
Copyright © 2024 DrayTek