
Site to Site VPN between 2 Checkpoint Gateways and a Checkpoint SMS


I am trying to connect two gateways, a 3200 (remote) and a 12400 (local to the SMS, which is virtual), by a site-to-site VPN. Phase 1 IKE appears to succeed from the 12400 to the 3200. Phase 2 fails. The ike.elg file states INVALID-CERTIFICATE. We tried renewing the certificate, modifying the $FWDIR/conf/masters file on the remote gateway, and adding a rule from the remote gateway to the SMS for FW1_ica_services. None of these have fixed the problem. Does anyone know what the problem is?


2 Replies

Did you renew the certificates in both gateway objects under IPSec-VPN?
Is your VPN Domain overlapping?
Regards, Maarten

Faced the same issue and compiled the following after solving it:

Try to check whether the peer gateway is able to reach the management server via telnet on port 18264.

Also check the Security Management object IP (in SmartConsole) and see whether that IP is reachable from the peer gateway. Resolve any connectivity issue from the peer gateway to the Management Server object IP (don't forget NAT).

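As an added example that is not part of the thread (not Check Point's own tooling), the checks from the reply above as a script to run from the peer gateway's shell: it tests whether a TCP handshake to the SMS on 18264 (the FW1_ica_services port) completes, using bash's /dev/tcp so it works even where telnet is missing, and then lists what $FWDIR/conf/masters names under [Policy] and what each name resolves to in /etc/hosts, so you can confirm it matches the Management Server object IP you just tested. The address 192.0.2.10, the name mgmt01 and the /etc/hosts lookup are assumptions; substitute the IP the SMS object has in SmartConsole (post-NAT from the gateway's point of view).

```shell
#!/bin/bash
# Added example: connectivity check from a peer gateway to the SMS ICA service.
# Assumptions: SMS reachable at 192.0.2.10 (placeholder), masters entries are
# hostnames resolved through /etc/hosts. Run as: bash ica_check.sh <SMS-IP> [masters-file]

ICA_PORT=18264   # FW1_ica_services

# tcp_reachable HOST PORT [TIMEOUT_SECONDS]
# Returns 0 when a TCP handshake to HOST:PORT completes, 1 otherwise.
# Uses bash's /dev/tcp pseudo-device so no telnet/nc binary is needed.
tcp_reachable() {
    host=$1; port=$2; tmo=${3:-5}
    if command -v timeout >/dev/null 2>&1; then
        timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# masters_policy_entries FILE
# Prints the names listed under the [Policy] section of a $FWDIR/conf/masters file.
masters_policy_entries() {
    awk '{ sub(/\r$/, "") }
         /^\[/ { in_policy = ($0 == "[Policy]"); next }
         in_policy && NF { print $1 }' "$1"
}

# hosts_lookup NAME [HOSTS_FILE]
# Prints the address that NAME maps to in an /etc/hosts-style file (empty if none).
hosts_lookup() {
    awk -v name="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' \
        "${2:-/etc/hosts}"
}

# main SMS_IP [MASTERS_FILE]
main() {
    sms_ip=$1
    masters=${2:-$FWDIR/conf/masters}

    if tcp_reachable "$sms_ip" "$ICA_PORT"; then
        echo "OK: TCP $ICA_PORT (FW1_ica_services) on $sms_ip is reachable from this gateway"
    else
        echo "FAIL: cannot complete a TCP handshake to $sms_ip:$ICA_PORT;"
        echo "      check routing, NAT on the path, and the rule permitting FW1_ica_services"
    fi

    if [ -r "$masters" ]; then
        for m in $(masters_policy_entries "$masters"); do
            ip=$(hosts_lookup "$m")
            echo "masters [Policy] entry '$m' resolves via /etc/hosts to '${ip:-<unresolved>}'"
            [ "$ip" = "$sms_ip" ] || echo "      note: this differs from the SMS IP tested ($sms_ip)"
        done
    else
        echo "note: masters file '$masters' not readable, skipping that check"
    fi
}

# Only run the checks when an SMS address is supplied on the command line.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If the handshake fails but the SMS is pingable, the usual culprits are a NAT rule that rewrites the SMS address on the way to the gateway and a missing rule for FW1_ica_services; if the masters entry resolves to a different address than the one that works, that is the mismatch to fix.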