topic S2S VPN problems continue in Firewall and Security Management

S2S VPN problems continue

StevePearson — Mon, 15 Dec 2025 13:38:32 GMT

I've been working on a site to site VPN to a Palo Alto recently, that needs to be certificate based.

We have finally made progress, but now have a very unusual situation, or at least it's unusual to me, but I'm hoping someone else has come across this before!

From the PA end, a ping brings up the tunnel, but from the Checkpoint end a ping does not bring up the tunnel, it gives an authentication failure!

I'm sure this must be related to the certificate but I don't know why.

Has anyone else seen this before I raise it with TAC?

Re: S2S VPN problems continue

the_rock — Mon, 15 Dec 2025 13:40:39 GMT

Interesting issue Steve. Any relevant logs in smart console ot just says authentication failure?

Re: S2S VPN problems continue

StevePearson — Mon, 15 Dec 2025 13:42:43 GMT

Nothing relevant I can see, just authentication failed in the vpn debugs, and in the PA logs too!

Re: S2S VPN problems continue

the_rock — Mon, 15 Dec 2025 13:45:19 GMT

Just curious, is it set as permanent tunnel on CP side? IM referring to this setting:

Re: S2S VPN problems continue

StevePearson — Mon, 15 Dec 2025 13:53:38 GMT

No it's not set to permanent, and it's set to one tunnel per subnet pair.

Re: S2S VPN problems continue

the_rock — Mon, 15 Dec 2025 14:00:00 GMT

K, fair enough, probably not overly relevant here. What do you see if you search logs in smart console, just filter for community name, thats it.

Like below:

Re: S2S VPN problems continue

StevePearson — Mon, 15 Dec 2025 14:59:20 GMT

I get a repeating pattern of key installs and rejections (Auth failure):

Re: S2S VPN problems continue

the_rock — Mon, 15 Dec 2025 15:04:17 GMT

Thats typical message people would see, but really begs the question why it gets rejeced...is tunnel showing as UP or keeps getting reset constantly?

Re: S2S VPN problems continue

StevePearson — Mon, 15 Dec 2025 15:11:27 GMT

I don't see the tunnel as up in SmartView Monitor at all, vpn tu confirms this.

Re: S2S VPN problems continue

the_rock — Mon, 15 Dec 2025 16:12:29 GMT

I really have a gut feeling its something related to the cert on CP side. Are you able to send some screenshots of how its configured? Please blur out any sensitive data.

Re: S2S VPN problems continue

StevePearson — Mon, 15 Dec 2025 17:00:59 GMT

I tend to agree, but can't see what!

The interoperable device has the community listed with matching criteria, but there is not much else to configure.

They provided their CA and sub ordinate certs and I created objects for them. I then created the CSR using the sub ordinate, sent it to them to sign, and completed using the returned file. So the certificate is listed in the grid of available certs under the IPSEC VPN tab of the cluster.

What bothers me is that the matching criteria say that the gateway must present a certificate issued by the named CA, which suggests this is for incoming connections, and maybe I need to do something more for outgoing connections (which is whats failing)

Re: S2S VPN problems continue

the_rock — Mon, 15 Dec 2025 17:00:18 GMT

Might be worth TAC case...hard to say for sure without doing remote.

Re: S2S VPN problems continue

StevePearson — Mon, 15 Dec 2025 17:03:04 GMT

Yeah, thats were I was heading but this customer has collaborative support which takes a lot longer to get raised.

Re: S2S VPN problems continue

the_rock — Mon, 15 Dec 2025 19:32:44 GMT

In the meantime, maybe check this link, just to make sure the steps were followed.

https://community.checkpoint.com/t5/Security-Gateways/HowTo-Set-Up-Certificate-Based-VPNs-with-Check-Point-Appliances/td-p/73299

Re: S2S VPN problems continue

the_rock — Mon, 15 Dec 2025 19:45:04 GMT

I also attached a doc I got from community while ago about this.

Re: S2S VPN problems continue

StevePearson — Tue, 16 Dec 2025 09:46:51 GMT

Thanks Andy, I've had a look at this and the previous link. The link refers to CP to Cp connections so nothing much in there, but this document is interesting. It details adding topology on the Interop device, which I've never had to do in the past but may be worth a try!

I've also had info back from the PA end, the error they are seeing is "RSA_verify failed on 256 bytes sig using SHA256", It then falls back to SHA1 and fails again in the same way.

I've opened a ticket with collaborative support now to see what they come up with.

Re: S2S VPN problems continue

the_rock — Tue, 16 Dec 2025 11:49:23 GMT

Just wondering...is it possible certificate itself might be using wrong auth methods?

Re: S2S VPN problems continue

RS_Daniel — Tue, 16 Dec 2025 13:17:33 GMT

Hello Steve,

Your configuration looks good to me. Were you able to collect a debug during the failed negotiation? you can check the certificates you send with ikeview utility and there you will know if the issue is on CP or PA side. The file you must open on ikeview changes depending on the version of IKE and version of the gateway. See sk30994

https://support.checkpoint.com/results/sk/sk30994

Regards

Re: S2S VPN problems continue

StevePearson — Tue, 16 Dec 2025 15:27:09 GMT

I didn't think so as it works when initiated from the PA end

Re: S2S VPN problems continue

the_rock — Tue, 16 Dec 2025 15:29:24 GMT

Might be worth simple vpn debug:

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

fw ctl debug 0

Look for vpnd and iked* files in $FWDIR/log dir