Amber
Participant

Capsule Connect VPN Issue (The site's certificate has expired)

Hi all,

I'm encountering a problem. I have a 5000 series gateway (R81.10) managed by SMS (R81.20). Last Friday, I renewed the VPN certificate for the 5000 series gateway. After renewing the certificate, both the IPsec VPN and the desktop Remote Access VPN client are working well.

However, VPN connections from mobile devices using Capsule Connect are not working. When attempting to connect via Capsule Connect, the client displays a message indicating that the site's certificate has expired.

Please suggest. Many thanks.

0 Kudos
1 Solution

Accepted Solutions
Amber
Participant

Many thanks to everyone for their help. I opened a technical ticket with Check Point support. They suggested using the command "#fw kill vpnd" to restart the VPN process. I tried it, and it worked. Thank you very much again.


0 Kudos
9 Replies
the_rock
MVP Gold

Hey Amber,

Can you have them try deleting/re-creating the site and test? Just have one or two random users do that.

Andy

0 Kudos
Lesley
MVP Gold

You sure the clients trust the new certificate? 

https://support.checkpoint.com/results/sk/sk167255

Just to make sure, you did a policy push after the cert renewal?

-------
If you like this post please give a thumbs up(kudo)! 🙂
(1)
the_rock
MVP Gold

Good points @Lesley 

0 Kudos
Amber
Participant

Hi Lesley,

When using Capsule Connect to establish a VPN connection, the self-signed certificate does not appear to be trusted. According to sk167255, the recommended solution is to add a third-party trusted certificate to the Mobile Access Blade.
May I kindly ask if it is possible to use the gateway’s self-signed certificate for Mobile Access instead?

Many thanks.

0 Kudos
Lesley
MVP Gold

Hi

A user is still able to not trust a third-party (not self-signed) certificate. If you import the certificate without the intermediate CA, and only the certificate, systems can complain about it: invalid certificate. Normally you import all intermediate CAs together with the certificate, and not the root CA. You can also include the root CA, but that should not be needed, as it is expected that all clients already know the root CA.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
PhoneBoy
Admin

You can use the Internal CA for this, but for the error message to go away, the end user will have to manually configure the CA as trusted on their device.

0 Kudos
the_rock
MVP Gold

I guess similar to SSL inspection... maybe not the best comparison though.

0 Kudos
the_rock
MVP Gold

Great! Thanks for letting us know, appreciated.

Andy

0 Kudos
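
A check for which certificate the gateway's TLS listener actually presents, and whether it is expired or close to expiry, which can be run before and after the renewal and the vpnd restart described in this thread. This is an added example, not from the thread or from Check Point; `GW_HOST`, `GW_PORT`, `RENEWED_PEM`, port 443 and the function names are assumptions, and the sample certificate is constructed locally.

```shell
# Added example. GW_HOST, GW_PORT, RENEWED_PEM and port 443 are assumptions.

# Fetch the leaf certificate a TLS listener presents (PEM on stdout).
served_cert() {  # usage: served_cert host [port]
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# Classify a PEM file: UNREADABLE, EXPIRED, EXPIRING (inside warn window) or OK.
cert_state() {  # usage: cert_state file [warn_seconds], default 30 days
  warn_s="${2:-2592000}"
  if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
    echo UNREADABLE
  elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    echo EXPIRED
  elif ! openssl x509 -in "$1" -noout -checkend "$warn_s" >/dev/null; then
    echo EXPIRING
  else
    echo OK
  fi
}

# Succeeds only when both PEM files are readable and hold the same certificate.
same_cert() {
  fp_a="$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
  fp_b="$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)"
  [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Constructed sample input: a throwaway self-signed certificate for offline testing.
make_sample_cert() {  # usage: make_sample_cert outfile days
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=sample-gw.example" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Live check, run only when GW_HOST is set.
if [ -n "${GW_HOST:-}" ]; then
  tmp="$(mktemp)"
  served_cert "$GW_HOST" "${GW_PORT:-443}" > "$tmp"
  openssl x509 -in "$tmp" -noout -subject -issuer -serial -dates
  echo "served certificate: $(cert_state "$tmp")"
  if [ -n "${RENEWED_PEM:-}" ]; then
    if same_cert "$tmp" "$RENEWED_PEM"; then
      echo "listener presents the renewed certificate"
    else
      echo "listener presents a different certificate than $RENEWED_PEM"
    fi
  fi
  rm -f "$tmp"
fi
```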