https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159475#M7567 <P>SK about this issue:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk180117" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk180117</A>&nbsp;</P> Thu, 13 Oct 2022 19:18:35 GMT PhoneBoy 2022-10-13T19:18:35Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159163#M7535 <P>Hi, from last friday we have problem with vpn configured by communities.</P><P>there are problem during IKE phase with certificate</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="error vpn console1_mod.JPG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18081i723724805598B033/image-size/medium?v=v2&amp;px=400" role="button" title="error vpn console1_mod.JPG" alt="error vpn console1_mod.JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="error vpn console2_mod.jpg" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18082i4819109AD5B376AD/image-size/medium?v=v2&amp;px=400" role="button" title="error vpn console2_mod.jpg" alt="error vpn console2_mod.jpg" /></span></P><P>I try to disconnect gateways from console, reinitialize certificates and reconnect.</P><P>I try also to cancel community and ricreate but all <SPAN class=""><SPAN class=""><SPAN class="">attemps don't work.</SPAN></SPAN></SPAN></P><P><SPAN class=""><SPAN class=""><SPAN class="">The communities are configure in star or mesh VPN Type but none work.</SPAN></SPAN></SPAN></P> Mon, 10 Oct 2022 15:47:06 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159163#M7535 agilberti 2022-10-10T15:47:06Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159184#M7538 <P>The error message is pretty clear: "main mode cannot complete certificate chain."<BR />That points to an error with the Certificate Authority key you've imported.<BR />If the CA key is not a root CA (i.e. it's signed by another CA key), you need to include the entire certificate chain in the .p12 file you import (meaning the public CA key you care about along with all the public CA keys required to validate that signature).</P> Mon, 10 Oct 2022 19:24:20 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159184#M7538 PhoneBoy 2022-10-10T19:24:20Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159199#M7540 <P>Gateways involved until friday work fine i don't make any change.</P><P>Our gateways are 600, 700 and 1500 series locally managed by Quantum Sparks SMP.</P><P>Where i find CA key? on SMP?</P><P>&nbsp;</P> Mon, 10 Oct 2022 22:17:00 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159199#M7540 agilberti 2022-10-10T22:17:00Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159276#M7549 <P>This is for the CA key that you are using to authenticate the VPN, which I believe is configured in SMP.<BR />If it's the internal CA you're using, then you'll probably need the TAC to assist in resolving this issue.&nbsp;<BR />If it's a different CA, then you'll have to see if the gateways can (among other things) reach the CRL specified as part of the public key.&nbsp;</P> Tue, 11 Oct 2022 18:33:08 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159276#M7549 PhoneBoy 2022-10-11T18:33:08Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159298#M7550 <P>Hi</P> <P>There are a few suggested ways to handle this issue:</P> <P>From the web UI: Disconnect from SMP, remove the old trusted CA, reconnect to SMP</P> <OL> <LI>Connect to the GW using web UI</LI> <LI>Stop cloud services – This is needed because otherwise the old certificate is locked to SMP and cannot be deleted</LI> <LI>Remove the old SMP trusted CA (expires in 2027)</LI> <LI>Reconnect to cloud services</LI> <LI>Verify the updated SMP certificate exists (expires in 2032) and VPN tunnel is working as expected</LI> </OL> <P>&nbsp;</P> <P>if this doesn't work, please open a TAC case, there are more advanced ways to solve it.</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Tue, 11 Oct 2022 22:08:54 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159298#M7550 Amir_Ayalon 2022-10-11T22:08:54Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159299#M7551 <P>As I explained in the other <A href="https://community.checkpoint.com/t5/SMB-Gateways-Spark/SMP-smbmgmtservice-moving-to-AWS/td-p/156970#M7368" target="_self">thread</A>&nbsp;there was an event on Oct 6 that may require you to take some action, refer:</P> <P><A href="https://status.checkpoint.com/" target="_blank" rel="noopener">https://status.checkpoint.com/</A></P> Tue, 11 Oct 2022 23:07:24 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159299#M7551 Chris_Atkinson 2022-10-11T23:07:24Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159475#M7567 <P>SK about this issue:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk180117" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk180117</A>&nbsp;</P> Thu, 13 Oct 2022 19:18:35 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/VPN-Communities-certificate-problem/m-p/159475#M7567 PhoneBoy 2022-10-13T19:18:35Z