We have an upcoming migration in place from CP 5600 to CP - Maestro 140.
The Maestro fabric has 2 QF 9000 appliances in a single security group, and this is a single-site deployment.
This will be a direct migration where the Maestro SG will inherit the IP schema of the live 5600 GW as is.
The management server is also the same, so objects and rules will also be the same, along with the VPN community.
Now my query is that, as I have checked the live 5600 GW object under IPsec VPN settings, I can see that there is a certificate repository available for the live gateways; it has one defaultcert and 2 different certs which are being used for a DAIP VPN.
When I check the Maestro repository I only see one defaultcert and not the other certificates.
Please note Maestro is not yet added to the VPN communities, and I am assuming that once I add Maestro to the VPN community and push policy on Maestro, the certificates will be visible for Maestro as well.
Kindly go through and assist with some documentation to solve this.
The whole point of DAIP is not to be tied to an IP.
Which means the SAN does not need to include the IP as it will necessarily change...because DAIP.
Internal Certificate Authority certificates will be generated and applied automatically.
If an external CA is used (if you have more than one certificate there, you probably are), you will need to add a new certificate, which will generate a CSR that needs to be signed by the CA.
Hello PhoneBoy,
Thanks for your inputs. As you mentioned, I have generated a new CSR and also got it signed by our CA (in this case it was our Microsoft team). Everything was proper; I uploaded the certificate and completed the CSR process. However, in the existing gateway the certificate has the live WAN virtual IP in it under SAN, and the certificate that I generated for the new GW doesn't have the IP in it. I just want to know: if we migrate at this point, will the DAIP VPN renegotiate automatically with the new GW, as the certificate has the same DN details and issuer details on the new certificate? The only thing that's missing is the Subject Alternative Name "IP Address: Live WAN-VIP".
I need clarification on this point, as this is a critical migration, and your help is highly appreciated.
I'm sure PhoneBoy will confirm, but to me, logically, it does not sound like that would work at all if the right IP is not listed.
Andy
Hello the_rock,
This is exactly what I thought, but I do have one more query as to why the signed certificate did not have the WAN IP in it. While generating the CSR I selected the same trusted CA server which is used for the live gateways and also replicated the same DN details into it. Is it possible that, because the WAN interfaces were physically disabled on Maestro, the CSR was not able to pull the IP details into it? Or could it be that while signing the certificate we have to mention the SAN details explicitly? Not sure about this.
I'm not an expert by any means when it comes to certificates (never was), but to me, it sounds like there could be 2 reasons:
1) CSR did not include the right IP
2) SAN must be defined
Andy
The whole point of DAIP is not to be tied to an IP.
Which means the SAN does not need to include the IP as it will necessarily change...because DAIP.
Hello PhoneBoy,
I completely agree with your point, but in this case the peer gateway will have a dynamic IP and the local GW (live DC 5600 cluster) has a single WAN IP. The certificate that is being uploaded on both ends, peer and local, is signed by the same trusted CA.
Even so, the (lack of) SAN IP hasn't presented an issue that I'm aware of.
If you want 100% confirmation, check with TAC.
Hello ALL,
Just want to clarify and update on this case.
The SAN does matter, as when we generated the new CSR, got it signed and uploaded it on both gateways (peer and local), the tunnel was not coming up.
On further troubleshooting I came across one particular step while generating a new CSR: when we enter the CN details there is a checkbox "Alternative Name". When I clicked it, it opened a new popup where we can add the SAN details ourselves with FQDN and IP. Based on my requirement I selected IP, added my WAN IP and then generated the CSR. Now once it gets signed I will complete the certificate procedure and then upload the new certificate on the peer device as well; post this I think the issue should get resolved.
However, I would like to highlight that this setting and configuration is not at all mentioned in any documentation that Check Point provides on their website, which is weird, as why would they not highlight such a critical part in regards to certificates.
Thanks for the update!
The FQDN definitely needs to be there.
What I was questioning was the IP, which is going to change in a DAIP configuration.
Hello PhoneBoy,
The IP will change, but only on the peer end.
On the local GW the IP will remain the same, and it will be the WAN IP, not the FQDN (in my case).
So how it works is the peer will have the same certificate on their DAIP devices, where they will know exactly which IP to reach out to for tunnel key installation.
Above is my assumption; please feel free to correct if anything is wrong.
PS: the issue got solved and tunnels are up now.
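The lesson of this thread is that the certificate presented by the static-IP gateway must carry the WAN IP in its Subject Alternative Name, or the DAIP tunnel will not come up. The following is an added example (not code from the thread or from Check Point): a standard-library check that parses a DER-encoded SubjectAltName value (the GeneralNames SEQUENCE inside the id-ce-subjectAltName extension) and confirms the expected WAN IP is listed. The gateway name `vpn-gw.example.test` and the WAN IP `203.0.113.10` are constructed sample values.

```python
import ipaddress

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_san(der):
    """Return {'dns': [...], 'ip': [...]} from a DER-encoded GeneralNames SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names = {"dns": [], "ip": []}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x82:                      # [2] dNSName (IA5String)
            names["dns"].append(value.decode("ascii"))
        elif tag == 0x87:                    # [7] iPAddress (4 or 16 packed bytes)
            names["ip"].append(str(ipaddress.ip_address(value)))
        # other GeneralName choices (rfc822Name, URI, ...) are ignored
    return names

def san_covers_wan_ip(der, wan_ip):
    """True if the SAN lists wan_ip; without it the thread's DAIP tunnel stayed down."""
    wanted = ipaddress.ip_address(wan_ip)
    return any(ipaddress.ip_address(i) == wanted for i in parse_san(der)["ip"])

def build_san(dns_names=(), ips=()):
    """Encode a GeneralNames SEQUENCE for constructed sample input (short-form lengths only)."""
    items = b""
    for name in dns_names:
        items += bytes([0x82, len(name)]) + name.encode("ascii")
    for ip in ips:
        packed = ipaddress.ip_address(ip).packed
        items += bytes([0x87, len(packed)]) + packed
    return bytes([0x30, len(items)]) + items

if __name__ == "__main__":
    # Constructed sample: FQDN-only SAN (the failing case) vs. FQDN plus WAN IP (the fix)
    wan_ip = "203.0.113.10"
    for san in (build_san(["vpn-gw.example.test"]), build_san(["vpn-gw.example.test"], [wan_ip])):
        print(parse_san(san), "covers WAN IP:", san_covers_wan_ip(san, wan_ip))
```

On a real CSR or certificate, extract the extension value with your usual X.509 tooling and feed those bytes to `parse_san`; the check is the same.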