topic Re: New VPN site to site on the same domain "Main Mode Sent Notification to Peer: invalid certi in Firewall and Security Management

New VPN site to site on the same domain "Main Mode Sent Notification to Peer: invalid certificate"

Ilovecheckpoint — Fri, 21 Jun 2024 18:16:01 GMT

Hello,

I have just installed a firewall on an existing MDS domain.

I haven't specified the PSK key, as it needs to use certificate authentication.

This is the message seen on new gateway: Main Mode Sent Notification to Peer: invalid certificate

This is the log on old gateway: Phase1 Received Notification from Peer: invalid certificate

It reaches the crl.

What could be the cause?

Re: New VPN site to site on the same domain "Main Mode Sent Notification to Peer: invalid certi

PhoneBoy — Fri, 21 Jun 2024 18:51:47 GMT

What's the version/JHF level?
Did you push policy to the old and new gateways?

Re: New VPN site to site on the same domain "Main Mode Sent Notification to Peer: invalid certi

Ilovecheckpoint — Sat, 22 Jun 2024 21:48:15 GMT

Hello,

Both gateways version R81.20 Jumbo 65 and on the other one 26. Installed policy on both.
The communication to the management is via Internet and there is a firewall which protects it.
The new firewall is configure to have a private ip natted to public one, to go on Internet.
On gateway object, I configured under vpn link selection use Ip selection by remote peer, always use as statically natted ip, its public one.
As source ip address,I selected manually on the topology, using the internal ip address which is nattet to the public ip.
I configured master file to use public management and log ip addresses and on vpn excluded services, FW ICA is excluded.
The vpn to management works, but communication to crl does not happen and no log seen on management firewall about it.

Re: New VPN site to site on the same domain "Main Mode Sent Notification to Peer: invalid certi

the_rock — Sun, 23 Jun 2024 00:20:36 GMT

I would start with basic debug

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

check vpnd and iked files in $FWDIR/log

Re: New VPN site to site on the same domain "Main Mode Sent Notification to Peer: invalid certi

AmirArama — Sun, 23 Jun 2024 18:05:42 GMT

sometimes just renewing the certificate on both peers resolves such issues.

if that won't help, verify crl check is made and to what IP, and if communication works bi directional by running: 'tcpdump -nnei any port 18264'

if that is not the issue, i agree to continue with vpn debug on both sides.