topic After rename the gateway IPSec tunnel issue in Firewall and Security Management

After rename the gateway IPSec tunnel issue

CPRQ — Thu, 15 Jul 2021 12:52:39 GMT

Re: After rename the gateway IPSec tunnel issue

CPRQ — Thu, 15 Jul 2021 12:56:27 GMT

After renaming the gateway the IPSec tunnel is not coming up. We did remove the the cert, generate and renewal the cert where the gateway name changed; and push policy on both gateways but no luck. Any idea?

Re: After rename the gateway IPSec tunnel issue

RamGuy239 — Thu, 15 Jul 2021 14:38:25 GMT

Did you try to reset SIC as well? If you are talking about IP-sec VPN site-to-site tunnels using certificates you are most likely talking about VPN traffic between Check Point gateways managed by the same management server?

When verifying certificates all the gateways are communicating with the management. The SIC certificate between the management and the gateway is also tied to the hostname of the gateway. Might this be an issue where you have changed the hostname of the gateway without breaking and re-establishing SIC so this particular gateway is running into issues when it's trying to verify certificates by communicating with the management server?

Re: After rename the gateway IPSec tunnel issue

CPRQ — Thu, 15 Jul 2021 14:54:14 GMT

Yes we did reset and established the SIC. Yes VPN-IPSec site to site tunnels using certificate and both gateways are under same management server. Thanks

Re: After rename the gateway IPSec tunnel issue

RamGuy239 — Thu, 15 Jul 2021 15:07:15 GMT

Have you tried manually installing database on the management server and tried to push policy towards the other gateways making sure everything is aware of the change of hostname and certificates? This is the point where I would simply enable IKE-debug on the affected gateways, grab the ike.elg and inspect it using IKEview from Check Point to get a better understanding of what is going on.

It's so quick and easy to enable ike debug on the firewalls, and the ike.elg is so small and easy to understand by using IKEview (sk30994) it will often save me a lot of time when I'm confused about why a VPN-tunnel is not working.

Connect to the gateway using SSH and enable IKE debugging:

Expert mode
vpn debug trunc
vpn debug ikeon

Make sure to force the tunnel establishment. I will normally utilise vpn tu on the gateway.

vpn tu
7
TYPE IN THE IP OF THE PEER GATEWAY

Make sure some traffic is trying to pass through the tunnel so we know it's trying to re-establish itself.

vpn debug truncoff
vpn debug ikeoff

Grab the ike.elg from $FWDIR/log/ike.elg and open it using IKEview and look through the details and figure out where it's failing. It should provide you with plenty of details. Is it because of the certificate exchange or is it failing because of something entirely different?

It might be a good idea to do this on both sides of the VPN tunnel if you have SSH access to both. So do the same on both the gateway that you re-named, and one of the other gateways that it's having difficulties establishing a VPN-tunnel towards.

Re: After rename the gateway IPSec tunnel issue

CPRQ — Thu, 15 Jul 2021 19:16:16 GMT

Issue is resolved after deleting old cert and creating the new one and initiate traffic through tunnel. Thanks for the help