Check Point Certificates

The SOHO VPN Routers need certificates to authenticate to the Check Point VPN Gateways and to each other. Check Point requires certificate authentication from external gateways with a dynamic IP address. All of the examples on this web site assume that you want to authenticate a dozen or more SOHO VPN Routers to two externally managed Check Point gateways (two enforcement modules and two management modules). The documentation and shell scripts can easily be modified to support one to four externally managed gateways. Like many of the ideas behind the creation of the SOHO VPN Router, support for additional externally managed Check Point gateways is done by brute force rather than by a more elegant solution: every additional gateway means another set of certificates for every router. If you have a dozen externally managed Check Point VPN-1 gateways, you will want to configure all of the enforcement modules to accept certificates from a central certificate server instead.

The image below shows two Check Point gateways and four SOHO VPN Routers. The two Check Point gateways, Location A and Location B, are at fixed locations with fixed IP addresses. The four SOHO VPN Routers are connected to residential cable or DSL Internet service.

Figure one illustrates a commercial product I deployed before the SOHO VPN Router project. If User A wanted to call User B, User A would have to dial an outside line because the router was not smart enough to route the packet to User B. The good news is that User A could call someone at Location B: the VoIP call manager acts as a proxy server for calls between Locations.

Supporting two Locations requires creating two sets of certificates for every SOHO VPN Router. The documentation illustrates the process of creating certificates for Location-A and mentions the configuration for Location-B as needed. Create two sets of certificates per user: the first set on the Location-A SmartCenter Server, the second set on the Location-B SmartCenter Server.

Check Point exports each set as a PKCS#12 file that contains the router's certificate (which carries its public key), the router's private key, and the certificate of the issuing CA. We will use OpenSSL to extract the private key from the PKCS#12 file. We will use OpenSSL again to extract the router's certificate; it comes out with an extra copy of the CA certificate appended, and we will use the vi text editor to delete that extra CA certificate from the certificate file. Note that the extracted private key is stored unencrypted, so keep it readable only by root on its own router and never copy it to any other router.

The public / private key pair will be copied to the appropriate directories on the SOHO VPN Routers. All of the public keys (certificates) created on the Location-A SmartCenter Server will be copied to the appropriate directory on all of the routers, because the spoke-to-spoke VPN tunnels are authenticated using the certificates created on the Location-A SmartCenter Server. The SOHO VPN Router to Location-A VPN tunnels are also authenticated using the certificates created on the Location-A SmartCenter Server. The SOHO VPN Router to Location-B VPN tunnels are authenticated using the certificates created on the Location-B SmartCenter Server.

Created by: system. Last modification: Friday 16 of July, 2010 [22:32:08 UTC] by Maude20
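The extraction step above, as an added shell example that is not part of the original page or of the SOHO VPN Router project's own scripts. It assumes OpenSSL is on the PATH; the file names, the export password "demo" and the output directory are hypothetical, and the PKCS#12 file is constructed locally with a throwaway CA so that the script runs offline (a real deployment starts from the .p12 exported by the SmartCenter Server). It goes slightly beyond the page's procedure: it uses `openssl pkcs12 -clcerts` to leave out the CA certificate instead of deleting it in vi, it saves the CA certificate to its own file because the router needs it to validate the peers' certificates, and it adds a check that the key and certificate copied to a router actually belong together.

```shell
#!/bin/sh
# Added example, not the SOHO VPN Router project's own script.
# Assumes: openssl on PATH. File names, the password "demo" and the output
# directory are hypothetical; the .p12 is constructed here for demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_demo_p12 NAME: constructed test data. Builds a throwaway CA and a client
# certificate signed by it, then bundles key + cert + CA cert into NAME.p12,
# the same three items a SmartCenter export contains.
make_demo_p12() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -subj "/CN=Demo-ICA" -days 30
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" -subj "/CN=$name"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$name.crt" -days 30
    openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
        -certfile "$WORK/ca.crt" -name "$name" -passout pass:demo \
        -out "$WORK/$name.p12"
}

# extract_pair P12 PASS OUTDIR: pull the router's private key and its own
# certificate out of P12. -clcerts keeps only the end-entity certificate, so no
# CA copy has to be deleted by hand; -cacerts writes the CA certificate to its
# own file for validating peers.
extract_pair() {
    p12="$1"; pass="$2"; outdir="$3"
    base=$(basename "$p12" .p12)
    mkdir -p "$outdir"
    # The key comes out unencrypted (-nodes): create it owner-readable only.
    ( umask 077; openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$outdir/$base.key" )
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
        -out "$outdir/$base.crt"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts \
        -out "$outdir/ca.crt"
}

# count_certs FILE: number of PEM certificates in FILE (1 means no stray CA copy).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# key_matches_cert KEY CRT: succeeds when the public key inside CRT is the one
# derived from KEY, i.e. the pair that lands on a router belongs together.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo: build the constructed .p12 for router-a, extract it, show the result.
make_demo_p12 router-a
extract_pair "$WORK/router-a.p12" demo "$WORK/out"
echo "extracted into $WORK/out:"
ls -l "$WORK/out"
```

On a real router, `$WORK/out/router-a.key` and `$WORK/out/router-a.crt` are what goes into the router's own key and certificate directories, `ca.crt` into its trusted-CA directory, and only the `.crt` files of the other routers (never their `.key` files) are distributed to every router for the spoke-to-spoke tunnels.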