This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Terri_Hawkins
Collaborator
‎2022-10-05 06:11 AM
Jump to solution

Automatic Certificate Renewal for IPSec VPN Stopped Working

Hello,

I have a Checkpoint 15400 Device running R81 (one hotfix behind). I also have roughly 100 small business appliances which connect to it using IPSecVPN.  These are a mix of 1430 and 1530 devices and I recently (a month maybe) upgraded all of these with the newest hotfixes (1430 is 77.20.87 and 1530 is 80.20.40). Everything has been working fine with these devices for years as far as the certificates went, but suddenly the automatic certificate renewal is not working.

According to https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R7... the renewal process is supposed to be automatic when 75% of validity is reached.

When our primary gateways (the 15400s) came close to expiring, it did not automatically renew.  I waited until a couple of days before it was going to expire and then did it manually (hopefully that did not put our entire internal_ca into a manual renew state). Now our SBA seem to be having the same issue.

The specific error message I see in the log files is: Auth exchange: Sending notification to peer: Authentication failed MyAuthMethod: Certificate

I checked out this article on Checkmates but it was a communication issue, and I am able to communicate back and forth, my certificate is expired. https://community.checkpoint.com/t5/Security-Gateways/IPSEC-site-to-site-VPN-fails-after-R80-20-upgr...

My questions are:

1. Is anyone else having issues with the internal_ca and automatic renewal? If you did and fixed it can you share how?

2. Did me manually doing the primary cluster change everything to a manual process?

3. Is there a command I can run which would list the gateways and when they are due to renew? I'd like to manually renew them before their tunnels go down if possible. 

4. Anything else you want to share is also appreciated, I may be tackling this completely from the wrong angle. 🙂

Thank you so much for any assistance. 

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2022-10-07 03:02 AM
Jump to solution

See sk158096: How to renew an Internal Certificate Authority (ICA) certificate !

You seem to missunderstand the Internal CA and Certificate Based IPSec VPN. Internal CA is used for S2S and RA VPN certs on all GWs managed by the same SMS!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
1 Reply
G_W_Albrecht
Legend Legend
Legend
‎2022-10-07 03:02 AM
Jump to solution

See sk158096: How to renew an Internal Certificate Authority (ICA) certificate !

You seem to missunderstand the Internal CA and Certificate Based IPSec VPN. Internal CA is used for S2S and RA VPN certs on all GWs managed by the same SMS!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events