
Meshed VPN network with shared secret

Hi

I am trying to get a meshed VPN connection working between my 1340 (R77.20.1) and my central gateway (R80.10). I cannot get the certificate login to work (getting a "Failed Log in"), so I wanted to test using a Shared Secret.

Does anyone have a guide on how to configure a meshed VPN network with a Shared Secret?

In my system I do not have the option to create a shared secret on my R80.10 system. Do I need to perform something before I do this step?

4 Replies
Simon_Garay

Re: Meshed VPN network with shared secret

Hi Kristian, 

To add a shared secret, it is necessary to have participants.

http://dl3.checkpoint.com/paid/ea/ea41387591dcba2a8d551ba39084e9e6/CP_R80.10_SitetoSiteVPN_AdminGuid... 

Regards

0 Kudos
Admin

Re: Meshed VPN network with shared secret

In addition, the peers must have a fixed IP address to use a pre-shared secret.

If they are configured with Dynamic Address, the gateways MUST authenticate with certificates.

0 Kudos

Re: Meshed VPN network with shared secret

Then I need to go with the certificate solution, because I am going to have DHCP on the WAN interface on some of the GWs.

0 Kudos

Re: Meshed VPN network with shared secret

If both gateways are managed by the same management server, you can't use a pre-shared secret for authentication; the only option is certificates. In your case I believe one of the devices can't reach the management server to validate the certificate. The GWs will reach the management server on TCP port 18264. The issue might be that the management server doesn't have a public IP, or, if the management server has a public IP, the 1430 might be trying to reach the private IP of the management server to validate the certificate.

There are a couple of solutions:

- Change the 1430 to be locally managed or managed by a different management server; then you can use a pre-shared key (if the 1430 has a static IP).

- Disable the CRL fetch mechanism in GuiDBedit, globally or per GW, which is not recommended.

- Use a 3rd-party accessible certificate authority.

Thanks

0 Kudos
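The reply above boils the certificate failure down to one reachability question: can the remote gateway complete a TCP connection to the management server on port 18264, and is the address it is using a private one that is meaningless from the Internet? The script below is an added example, not code from the thread or from Check Point, that checks exactly those two things from whatever host it runs on. It assumes the port number stated in the reply (18264); the management IP `10.1.1.5` used as the default target and the throwaway loopback listener used to exercise the check offline are constructed for illustration.

```python
"""Added diagnostic (not from the thread or from Check Point): check whether the
CRL service on the management server, TCP 18264 as stated in the reply above, is
reachable from the host running this script, and whether the management address
in use is private (which a gateway across the Internet cannot reach).
The management IPs used below are constructed examples."""
import ipaddress
import socket

ICA_CRL_PORT = 18264  # management-side port the gateways contact for CRL retrieval (per the reply)


def address_scope(ip: str) -> str:
    """Return 'loopback', 'private' or 'public' for an IPv4/IPv6 address string."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:  # RFC 1918 / ULA / other non-routable ranges
        return "private"
    return "public"


def tcp_reachable(host: str, port: int = ICA_CRL_PORT, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, network unreachable, timed out, name resolution failure
        return False


def diagnose(mgmt_ip: str, port: int = ICA_CRL_PORT, timeout: float = 3.0):
    """Return (ok, explanation) for a CRL fetch from this host to mgmt_ip:port."""
    scope = address_scope(mgmt_ip)
    if tcp_reachable(mgmt_ip, port, timeout):
        return True, f"TCP {port} on {mgmt_ip} ({scope}) is reachable; CRL retrieval should work"
    if scope == "private":
        return False, (f"{mgmt_ip} is a private address and TCP {port} is unreachable: "
                       "a gateway on the Internet needs the management server's public "
                       "(NAT) address for certificate validation")
    return False, (f"TCP {port} on {mgmt_ip} ({scope}) is unreachable: check that the "
                   "firewall/NAT in front of the management server allows the CRL port")


def start_probe_listener(host: str = "127.0.0.1"):
    """Open a throwaway listener on an ephemeral port so the checks can be exercised
    offline (constructed stand-in for the management server). Returns (socket, port);
    close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.1.1.5"  # constructed example management IP
    ok, why = diagnose(target)
    print(("OK: " if ok else "FAIL: ") + why)
```

Run it from the remote site with the management address the gateway object actually carries (`python3 crlcheck.py <mgmt-ip>`); a private address that is unreachable reproduces the situation the reply describes, and a public address that is unreachable points at the firewall or NAT in front of the management server rather than at the certificate itself.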