klps
Explorer

CP-to-CP Site-to-Site VPN woes

Been trying to figure this out for a couple weeks now and getting nowhere.

Running R81.20 on all devices.

Two 5200s in a cluster we'll call FW-HA, with the FW-MGMT server behind them

A new 6200 at a remote site called FW-DR

Have everything communicating and looking good for policy pushes, but can't get the VPN to come up.

Key install logs from the FW-HA side have IKE showing "Phase1 Received Notification from Peer: invalid certificate".

Key install logs from the FW-DR side show "Main Mode Sent Notification to Peer: invalid certificate".

Also have a reject showing in the logs from FW-DR trying to communicate with FW-HA, citing a gateway-to-gateway authentication failure, and under IKE: "Main Mode Could not retrieve CRL.CN=FW-HA VPN Certificate,O=FW-MGMT".

We have an existing, working star VPN to a CP appliance. I've tried adding FW-DR to it as an additional remote site with the same results, and have tried matching all NAT and security rules to those of the functioning VPN, with no change.

Unsure of where to go from here. Thanks.

To add, I have tried https://support.checkpoint.com/results/sk/sk32648, but oddly I don't see any communication on port 18264 whatsoever between any of our gateways and the management server, even for everything that's working as it should. And I can't apply https://support.checkpoint.com/results/sk/sk66381, as I get the error "applying NAT on security gateway control connections is allowed only when the rule is installed on a single gateway"; but our other gateway and its VPN work fine without this.

3 Replies
Lesley
Leader

Have you checked if the VPN certificate is still valid?

You can see that if you open the FW object in SmartConsole under IPsec VPN and then Renew/View.

Maybe worth renewing it anyway on both members (after the renewal, push policy).

Try to see the CRL traffic with tcpdump, to be 100% sure whether it is being sent or not, and whether the other side gets the traffic.

Sometimes the firewall tries to fetch the CRL via the VPN tunnel towards the management system, which creates a looping issue 😉

tcpdump -nnei any port 18264

JozkoMrkvicka
Authority

Exactly, there will be some issue with the CRL and/or certificates between MGMT and the FWs. If FW-HA and FW-DR are managed by the same FW-MGMT, certificates are used for VPN establishment (not pre-shared keys).

It can also happen that the ICA cert on MGMT has expired.

There might be some communication being dropped (tcp/18264) between the FWs and MGMT, which is used for CRL downloads.

Kind regards,
Jozko Mrkvicka
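Lesley's and Jozko's replies both come down to the same question: can each gateway actually reach the management server's CRL distribution point on TCP 18264 and download the CRL? The script below is an added example (not code from this thread or from Check Point) that performs that check from a host running Python: a TCP probe, then a plain HTTP GET of the CRL, then a sanity check that the reply is DER (a CertificateList starts with a SEQUENCE tag, 0x30) rather than an HTML error page. The management address and the CRL path `/ICA_CRL1.crl` are placeholder assumptions; replace them with the CRL distribution point printed in the gateway's VPN certificate. The local fake server and the filler CRL bytes are constructed so the script runs offline. It does not replace tcpdump on the gateway itself: a connect that succeeds from a different host says nothing about whether the gateway's own CRL request is being routed into the tunnel, which is the looping case Lesley describes.

```python
"""Probe a management server's ICA CRL distribution point (TCP 18264).

Added example, not code from the thread or from Check Point. The management
address and CRL path are placeholders; the fake server and CRL bytes at the
bottom are constructed so the check can be exercised offline.
"""
import http.client
import http.server
import socket
import threading
from dataclasses import dataclass
from typing import Optional

CRL_PORT = 18264             # the port sk32648 discusses for CRL retrieval
CRL_PATH = "/ICA_CRL1.crl"   # assumption: use the CRL DP URL from the gateway certificate


@dataclass
class CrlProbe:
    host: str
    port: int
    tcp_reachable: bool
    http_status: Optional[int] = None  # None when no HTTP exchange happened
    crl_bytes: int = 0
    looks_like_der: bool = False       # 200 OK whose body starts with SEQUENCE (0x30)

    def verdict(self) -> str:
        if not self.tcp_reachable:
            return ("blocked: no TCP connect; check the rulebase/NAT for 18264 "
                    "and whether the route to mgmt goes into the tunnel")
        if self.http_status != 200:
            return "reachable but no CRL: HTTP %s; check the CRL DP path" % self.http_status
        if not self.looks_like_der:
            return "reachable, 200 OK, but the body is not a DER CRL"
        return "ok: %d-byte DER CRL retrieved" % self.crl_bytes


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect: the SYN that 'tcpdump port 18264' should show leaving the gateway."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_crl(host: str, port: int = CRL_PORT, path: str = CRL_PATH,
              timeout: float = 5.0) -> CrlProbe:
    """TCP probe, then HTTP GET of the CRL, then a DER sanity check on the body."""
    probe = CrlProbe(host, port, tcp_probe(host, port, timeout))
    if not probe.tcp_reachable:
        return probe
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
    except (OSError, http.client.HTTPException):
        return probe  # connect worked but the HTTP exchange did not
    finally:
        conn.close()
    probe.http_status = resp.status
    probe.crl_bytes = len(body)
    probe.looks_like_der = resp.status == 200 and body[:1] == b"\x30"
    return probe


# Constructed stand-in for a CRL: a DER SEQUENCE header (length 256) plus filler.
# It is NOT a real CRL; it only lets the probe run without a management server.
FAKE_CRL = b"\x30\x82\x01\x00" + b"\x00" * 256


def serve_fake_crl(body: bytes = FAKE_CRL, path: str = CRL_PATH):
    """Local HTTP server answering the CRL path; returns (host, port, server)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != path:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/pkix-crl")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[0], srv.server_address[1], srv


def free_closed_port() -> int:
    """Pick a port nothing listens on, to show what a blocked 18264 looks like."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    host, port, srv = serve_fake_crl()
    print(fetch_crl(host, port).verdict())                    # reachable, DER body
    print(fetch_crl(host, port, path="/missing.crl").verdict())  # reachable, 404
    srv.shutdown()
    print(fetch_crl("127.0.0.1", free_closed_port()).verdict())  # blocked
```

Against a real deployment, call `fetch_crl("<mgmt-ip>")` from the gateway side; a "blocked" verdict while SmartConsole and policy pushes work is exactly the situation described in the original post, and points at a rule, NAT, or routing problem on 18264 rather than at the certificates themselves.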
the_rock
Legend

I agree with the points made. If you renew the VPN certs and test, it may start working. If not, then do a simple debug as per below and examine the vpnd and ike* files in $FWDIR/log.

Andy

vpn debug trunc

vpn debug ikeon

(generate test traffic)

vpn debug ikeoff
