
[FW-1] Trouble with external certificate auth for VPN Tunneling!! Any help would be very much appreciated!!! extended message


  • To: [email protected]
  • Subject: [FW-1] Trouble with external certificate auth for VPN Tunneling!! Any help would be very much appreciated!!! extended message
  • From: Carlos Santos <[email protected]>
  • Date: Fri, 25 Jul 2003 20:11:32 +0100
  • Importance: Normal
  • Organization: Trusted Systems
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Hey there!!

I'm having some trouble with Remote Access VPNs using external
certificates.

...I've tried it with "NG FP3" and the recent "NG AI" ...it's the
same...

The public key of the external CA has been installed.
The gateway server certificate has been installed.
</gre_replace_placeholder_never_used>
<gr_replace lines="37-40" cat="clarify" orig="I want to create">
I want to create external user profiles to match against DN format
("Users and Administrators->External User Profiles->Match by domain").
Well, first of all, can I use that kind of profile to match against the DN
of the certificate?
Even the client certificates are being issued and distributed.

We establish successfully the VPN with the "generic*" profile, but...

I want to create external user profiles to match against DN format
("Users and Administrators->External User Profiles->Match by domain").
Well first of all, can i use that kind of profile to match against de DN
of the certificate?

If I can...
I've created certificates with different Organisational Units such as
"admin", "partner" and "user", and defined a "match by domain" profile
for each one of them, like:
ex: OU=admin,O=domain,C=country

That should work I thought, but no it doesn't, a box after the auth and
in the logs you get a reject message saying "User
CN=x,OU=admin,O=domain,C=country,[email protected] unknown".


Until now I've bumped into two things:

If during the creation of the "Match by domain" object, I check the box
"Any Domain Name is acceptable" and then check "DN format", therefore
disabling the last box, because it's part of the "Free format" matching,
I kind of create a "generic*" profile.

This shouldn't be happening, right?
I mean after this I can write whatever I want on the "DN format" text
box and I will still be able to establish the VPN!!! (tried writing
"OU=dont know what the hell is going on" and it worked!!!)

The other thing I got, is that I can also successfully establish the VPN
by creating the user as it shows in the DN:
Certificate DN example:
CN=Me Myself,OU=admin,O=domain,C=country,[email protected]

Username text box must have this full DN in order to work.

After this I can put it in whatever group I like and work this
out...but...

"generic*" is not good because all certificates would be validated, if
trusted by the external CA, and I wouldn't be able to give security
level access through the VPN.

Creating the users, although it gives me all that, would give us a hell
of a headache just to have them all added, and maintenance would be
even worse!

Has anyone tried this feature? Any ideas?

Best regards,

CS


PS- Hope I haven't been too much extended :P




Trusted Systems - http://www.trusted.pt
Praça de Alvalade, n.º 6 - 6.º piso
1700-036 Lisboa, PORTUGAL

--

Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
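As an added illustration (not code from the post or from Check Point), the following models how a "match by domain" profile could be compared with a client certificate's subject DN, including the wildcard case the post ran into. It assumes a profile is satisfied when every RDN it lists appears in the certificate DN (how the product actually evaluates "DN format" is not established here), and the sample DNs and e-mail address are constructed.

```python
# Added example, not from the post or from Check Point. It models how a
# "match by domain" external user profile could be tested against a client
# certificate's subject DN. Assumption: a profile is satisfied when every RDN it
# lists appears in the certificate DN; "Any Domain Name is acceptable" is a wildcard.

def parse_dn(dn):
    """Split an LDAP-style DN into (TYPE, value) pairs, honouring backslash
    escapes such as "\\," inside values. Types are upper-cased for comparison."""
    rdns, buf, key, i = [], [], None, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):          # escaped character
            buf.append(dn[i + 1]); i += 2; continue
        if ch == "=" and key is None:
            key, buf = "".join(buf).strip().upper(), []
        elif ch == ",":
            if key is None:
                raise ValueError("RDN without '=' in: " + dn)
            rdns.append((key, "".join(buf).strip())); key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if key is None:
        raise ValueError("RDN without '=' in: " + dn)
    rdns.append((key, "".join(buf).strip()))
    return rdns

def matches_profile(cert_dn, profile_dn, any_domain=False):
    """True when the certificate DN satisfies the profile. With any_domain=True
    the DN text is ignored, which is the "generic*" behaviour the post describes."""
    if any_domain:
        return True
    have = {(k, v.lower()) for k, v in parse_dn(cert_dn)}
    return all((k, v.lower()) in have for k, v in parse_dn(profile_dn))

def resolve_user(cert_dn, profiles):
    """Name of the first matching profile, or None (the log's 'User ... unknown')."""
    for name, profile_dn, any_domain in profiles:
        if matches_profile(cert_dn, profile_dn, any_domain):
            return name
    return None

# Constructed sample data; the e-mail address is made up.
PROFILES = [("admins", "OU=admin,O=domain,C=country", False),
            ("partners", "OU=partner,O=domain,C=country", False)]
ADMIN_CERT = "CN=Me Myself,OU=admin,O=domain,C=country,EMAIL=me@example.org"
PARTNER_CERT = "CN=Acme\\, Inc,OU=partner,O=domain,C=country"
GUEST_CERT = "CN=Stranger,OU=guest,O=domain,C=country"
```

With a wildcard profile in the list, `resolve_user(GUEST_CERT, [("generic*", "", True)])` resolves every CA-trusted certificate regardless of OU, which is exactly why per-OU access levels are lost.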
