This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
agilberti
Explorer
‎2022-10-10 08:47 AM

VPN Communities certificate problem

Hi, from last friday we have problem with vpn configured by communities.

there are problem during IKE phase with certificate

error vpn console1_mod.JPGerror vpn console2_mod.jpg

I try to disconnect gateways from console, reinitialize certificates and reconnect.

I try also to cancel community and ricreate but all attemps don't work.

The communities are configure in star or mesh VPN Type but none work.

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2022-10-10 12:24 PM

The error message is pretty clear: "main mode cannot complete certificate chain."
That points to an error with the Certificate Authority key you've imported.
If the CA key is not a root CA (i.e. it's signed by another CA key), you need to include the entire certificate chain in the .p12 file you import (meaning the public CA key you care about along with all the public CA keys required to validate that signature).

0 Kudos
agilberti
Explorer
‎2022-10-10 03:17 PM
In response to PhoneBoy

Gateways involved until friday work fine i don't make any change.

Our gateways are 600, 700 and 1500 series locally managed by Quantum Sparks SMP.

Where i find CA key? on SMP?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-11 11:33 AM
In response to agilberti

This is for the CA key that you are using to authenticate the VPN, which I believe is configured in SMP.
If it's the internal CA you're using, then you'll probably need the TAC to assist in resolving this issue. 
If it's a different CA, then you'll have to see if the gateways can (among other things) reach the CRL specified as part of the public key. 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-10-11 04:04 PM
In response to agilberti

As I explained in the other thread there was an event on Oct 6 that may require you to take some action, refer:

https://status.checkpoint.com/

CCSM R77/R80/ELITE
0 Kudos
Amir_Ayalon
Employee
Employee
‎2022-10-11 03:08 PM

Hi

There are a few suggested ways to handle this issue:

From the web UI: Disconnect from SMP, remove the old trusted CA, reconnect to SMP

  1. Connect to the GW using web UI
  2. Stop cloud services – This is needed because otherwise the old certificate is locked to SMP and cannot be deleted
  3. Remove the old SMP trusted CA (expires in 2027)
  4. Reconnect to cloud services
  5. Verify the updated SMP certificate exists (expires in 2032) and VPN tunnel is working as expected

 

if this doesn't work, please open a TAC case, there are more advanced ways to solve it.

 

Thanks

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-13 12:18 PM
In response to Amir_Ayalon

SK about this issue: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events