Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
CPRQ
Collaborator
Jump to solution

After rename the gateway IPSec tunnel issue

 
0 Kudos
1 Solution

Accepted Solutions
CPRQ
Collaborator

Issue is resolved after deleting old cert and creating the new one and initiate traffic through tunnel. Thanks for the help

View solution in original post

0 Kudos
5 Replies
CPRQ
Collaborator

After renaming the gateway the IPSec tunnel is not coming up. We did remove the the cert, generate and renewal the cert where the gateway name changed; and push policy on both gateways but no luck. Any idea?

0 Kudos
RamGuy239
Advisor
Advisor

Did you try to reset SIC as well? If you are talking about IP-sec VPN site-to-site tunnels using certificates you are most likely talking about VPN traffic between Check Point gateways managed by the same management server?

When verifying certificates all the gateways are communicating with the management. The SIC certificate between the management and the gateway is also tied to the hostname of the gateway. Might this be an issue where you have changed the hostname of the gateway without breaking and re-establishing SIC so this particular gateway is running into issues when it's trying to verify certificates by communicating with the management server?

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
CPRQ
Collaborator

Yes we did reset and established the SIC. Yes VPN-IPSec site to site tunnels using certificate and both gateways are under same management server. Thanks

 

0 Kudos
RamGuy239
Advisor
Advisor

Have you tried manually installing database on the management server and tried to push policy towards the other gateways making sure everything is aware of the change of hostname and certificates? This is the point where I would simply enable IKE-debug on the affected gateways, grab the ike.elg and inspect it using IKEview from Check Point to get a better understanding of what is going on.

It's so quick and easy to enable ike debug on the firewalls, and the ike.elg is so small and easy to understand by using IKEview (sk30994) it will often save me a lot of time when I'm confused about why a VPN-tunnel is not working.

Connect to the gateway using SSH and enable IKE debugging:

Expert mode
vpn debug trunc
vpn debug ikeon


Make sure to force the tunnel establishment. I will normally utilise vpn tu on the gateway.

vpn tu
7
TYPE IN THE IP OF THE PEER GATEWAY

Make sure some traffic is trying to pass through the tunnel so we know it's trying to re-establish itself.

vpn debug truncoff
vpn debug ikeoff


Grab the ike.elg from $FWDIR/log/ike.elg and open it using IKEview and look through the details and figure out where it's failing. It should provide you with plenty of details. Is it because of the certificate exchange or is it failing because of something entirely different?

It might be a good idea to do this on both sides of the VPN tunnel if you have SSH access to both. So do the same on both the gateway that you re-named, and one of the other gateways that it's having difficulties establishing a VPN-tunnel towards.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
CPRQ
Collaborator

Issue is resolved after deleting old cert and creating the new one and initiate traffic through tunnel. Thanks for the help

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events