agilberti
Explorer

VPN Communities certificate problem

Hi, since last Friday we have had a problem with the VPN configured via communities.

There is a problem during the IKE phase with the certificate.

[Attached screenshots: error vpn console1_mod.JPG, error vpn console2_mod.jpg]

I tried disconnecting the gateways from the console, reinitializing the certificates and reconnecting.

I also tried deleting the community and recreating it, but none of the attempts worked.

The communities are configured with the Star or Mesh VPN type, but neither works.

6 Replies
PhoneBoy
Admin

The error message is pretty clear: "main mode cannot complete certificate chain."
That points to an error with the Certificate Authority key you've imported.
If the CA key is not a root CA (i.e. it's signed by another CA key), you need to include the entire certificate chain in the .p12 file you import (meaning the public CA key you care about along with all the public CA keys required to validate that signature).

agilberti
Explorer

The gateways involved worked fine until Friday; I didn't make any change.

Our gateways are 600, 700 and 1500 series, locally managed by Quantum Spark SMP.

Where do I find the CA key? On SMP?

PhoneBoy
Admin

This is for the CA key that you are using to authenticate the VPN, which I believe is configured in SMP.
If it's the internal CA you're using, then you'll probably need the TAC to assist in resolving this issue. 
If it's a different CA, then you'll have to see if the gateways can (among other things) reach the CRL specified as part of the public key. 

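Both checks suggested in the replies above (the imported CA bundle has to carry every CA up to a self-signed root, and the CRL named in the certificate has to be fetchable) can be reproduced with openssl before touching a gateway. The script below is an added example, not code from this thread or from Check Point: it builds a hypothetical Example Root CA -> Example Issuing CA -> gw1.example.net chain in a temporary directory, packages the issuing CA into a .p12 with and without its root, and uses `openssl verify` as a stand-in for the gateway's IKE-time chain validation. The CA names, the gw1.example.net peer, the crl.example.net URL and the password "demo" are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): reproduce "cannot complete
# certificate chain" and a failing CRL check with a hypothetical PKI built by openssl.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Extension profiles for the subordinate CA and the peer (end-entity) certificate.
# The CRL URL is an assumption; it is what a gateway would have to reach for a CRL check.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\ncrlDistributionPoints=URI:http://crl.example.net/issuing.crl\n' > ee.ext

gen_key_csr() {  # $1 = file basename, $2 = CN (hypothetical names)
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}
# Self-signed root, then an issuing CA signed by it, then a peer cert signed by the issuing CA.
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" >/dev/null 2>&1
gen_key_csr inter "Example Issuing CA"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out inter.pem >/dev/null 2>&1
gen_key_csr gw "gw1.example.net"
openssl x509 -req -in gw.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile ee.ext -out gw.pem >/dev/null 2>&1

# Two candidate "trusted CA" bundles: partial.p12 holds only the issuing CA,
# full.p12 also carries the root that signed it.
openssl pkcs12 -export -nokeys -in inter.pem -out partial.p12 -passout pass:demo
openssl pkcs12 -export -nokeys -in inter.pem -certfile root.pem -out full.p12 -passout pass:demo

p12_certs() {     # print every certificate a .p12 contains, PEM encoded
  openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null
}
count_certs() {   # number of certificates in the bundle
  p12_certs "$1" | grep -c 'BEGIN CERTIFICATE'
}
chain_ok() {      # 0 only if the peer cert chains to a self-signed root using the bundle alone
  p12_certs "$1" > "$1.trust.pem"
  openssl verify -CAfile "$1.trust.pem" gw.pem >/dev/null 2>&1
}
crl_urls() {      # CRL distribution points a verifier would have to fetch for this cert
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'
}
crl_check_ok() {  # 0 only if a CRL for every CA in the chain is available; none is here
  p12_certs full.p12 > crl.trust.pem
  openssl verify -crl_check -CAfile crl.trust.pem gw.pem >/dev/null 2>&1
}

echo "partial.p12 certificates: $(count_certs partial.p12)"
chain_ok partial.p12 && echo "partial: chain OK" || echo "partial: cannot complete certificate chain"
echo "full.p12 certificates: $(count_certs full.p12)"
chain_ok full.p12 && echo "full: chain OK" || echo "full: cannot complete certificate chain"
echo "CRL the verifier must reach: $(crl_urls gw.pem)"
crl_check_ok && echo "CRL check OK" || echo "CRL check failed: no CRL obtainable"
```

To check a real bundle, point count_certs and chain_ok at the .p12 you are about to import (with its own password) and confirm the last certificate it contains is self-signed; for the CRL, fetch each URL that crl_urls prints from the gateway itself, since that is where the lookup has to succeed, not from your workstation.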
Chris_Atkinson
Employee

As I explained in the other thread there was an event on Oct 6 that may require you to take some action, refer:

https://status.checkpoint.com/

CCSM R77/R80/ELITE
Amir_Ayalon
Employee

Hi

There are a few suggested ways to handle this issue:

From the web UI: Disconnect from SMP, remove the old trusted CA, reconnect to SMP

  1. Connect to the GW using web UI
  2. Stop cloud services – This is needed because otherwise the old certificate is locked to SMP and cannot be deleted
  3. Remove the old SMP trusted CA (expires in 2027)
  4. Reconnect to cloud services
  5. Verify the updated SMP certificate exists (expires in 2032) and VPN tunnel is working as expected

If this doesn't work, please open a TAC case; there are more advanced ways to solve it.

Thanks
PhoneBoy
Admin
