[FW-1] Trouble with external certificate auth for VPN Tunneling!! Any help would be very much appreciated!!! (extended message)
Hey there!! I'm having some trouble with Remote Access VPNs using external certificates. I've tried it with "NG FP3" and the recent "NG AI"; it's the same. The public key of the external CA has been installed. The gateway server certificate has been installed. Even the client certificates are being issued and distributed. We establish the VPN successfully with the "generic*" profile, but... I want to create external user profiles to match against DN format ("Users and Administrators -> External User Profiles -> Match by domain").

First of all, can I use that kind of profile to match against the DN of the certificate? If I can... I've created certificates with different Organisational Units such as "admin", "partner" and "user", and defined a "match by domain" profile for each one of them, e.g.:

OU=admin,O=domain,C=country

That should work, I thought, but no, it doesn't: you get a box after the auth, and in the logs you get a reject message saying "User CN=x,OU=admin,O=domain,C=country,[email protected] unknown".

Until now I've bumped into two things:

The first: if during the creation of the "Match by domain" object I check the box "Any Domain Name is acceptable" and then check "DN format", thereby disabling the last box because it's part of the "Free format" matching, I kind of create a "generic*" profile. This shouldn't be happening, right? I mean, after this I can write whatever I want in the "DN format" text box and I will still be able to establish the VPN!!! (I tried writing "OU=dont know what the hell is going on" and it worked!!!)

The other thing I got is that I can also successfully establish the VPN by creating the user as it shows in the DN. Certificate DN example:

CN=Me Myself,OU=admin,O=domain,C=country,[email protected]

The Username text box must have this full DN in order to work. After this I can put it in whatever group I like and work this out... but...
"generic*" is not good because all certificates would be validated, if trusted by the external CA, and I wouldn't be able to give security-level access through the VPN. Creating the users, although it gives me all that, would give us a hell of a headache just to have them all added, and maintenance would be even worse!

Has anyone tried this feature? Any ideas?

Best regards,
CS

PS - Hope I haven't been too extended :P

Trusted Systems - http://www.trusted.pt
Praça de Alvalade, n.º 6 - 6.º piso
1700-036 Lisboa, PORTUGAL
Tel: +00 Fax: +42

--
Privileged or confidential information may be contained in this message. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email.