Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
velo
Contributor
Jump to solution

Disable CRL checking IPSEC S2S VPN

I recently discovered that if you're using certificate-based IPsec VPNs with the Security Management Server (SMS) as the CA (not using purchased certificates), your VPNs can experience outages if the SMS goes down. The default certificate cache duration is 24 hours, but if the cache is close to expiring (e.g., at 23 hours) and the SMS goes offline, VPNs may start dropping connections after just one hour. This happened to me. Even if I extend the cache to 120 hours, the same issue applies.

I've come across an article about disabling CRL checking, at least during SMS upgrades. Can I just clarify that if I am using the SMS as the internal CA (without purchased certs) Do I need to do steps 1,2,3 or just steps 1,2.

I asked because of this:

"Note: For the imported 3rd-party Trusted CA (OPSEC PKI) that is used for certificate based Site-to-Site VPN, you only need to follow the "Part 1" and "Part 3" of the procedure below to disable the CRL for the 3rd-party CA object."

https://support.checkpoint.com/results/sk/sk21156

 

Thanks

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Step 2 explicitly mentions the Internal Certificate Authority (ICA).
That means doing steps 1, 2, and 3.

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

Step 2 explicitly mentions the Internal Certificate Authority (ICA).
That means doing steps 1, 2, and 3.

0 Kudos
velo
Contributor

Perfect, thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events