Thomas_Eichelbu
Advisor

How does the firewall select its available certificates for VPN?

Hello Check Mates,

A question about an issue I have seen several times so far:
Somehow, all of a sudden, a VPN gateway tries to establish a VPN tunnel with the "wrong" certificate...


In the latest occurrence the issue started without any plausible root cause.
The VPN was no longer working after a policy install. Nothing critical had been changed.
In the logs we saw "invalid certificate" messages.
I am very sorry, I have no good screenshots or logs to share...

In IKEview we saw the local ICA certificate and a third-party IPsec certificate, nothing really strange.
The third-party certificate is used for remote access only! All VPNs are made with PSK; only the VPN inside the own MGMT is of course using the internal CA.

Most likely it was:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

and

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Perhaps when the peer gateway has problems reaching the internal CA it falls back to any other CA?

It seems easy to solve, and I can remember I fixed the issue once by running through this SK.

But I have some follow-up questions, maybe you guys can enlighten me:

+ How does the gateway determine which certificate it has to use? I am pretty sure it will offer all available certificates to its peer, and if one of those CAs can be validated a tunnel can be formed... if the ICA is not reachable and the other certificates fail to be validated, no tunnel. But how does the process really work?

+ If I have many certificates running on my gateway, is there a way to set a priority or to hard-code the certificate?
I know you can set the "match criteria" button on an externally managed GW and the "Traditional Mode" button that SK 323648 is referring to. But is there a better way?

+ Since the SK refers to a "Traditional Mode configuration" setting, why is it still working?

I hope you have some good answers for this!


best regards
Thomas

0 Kudos
7 Replies
the_rock
Legend

I carefully read your description and I find this very odd, to say the least. Here is where I would start... are you having the issue with just a particular tunnel, or with more than one when this happens? For the VPN cert, just make sure it's valid under gateway object -> VPN... it's valid for 5 years if I'm not mistaken. If this happens with multiple sites and multiple gateways, then it's possibly an ICA issue.

0 Kudos
Thomas_Eichelbu
Advisor

Hello, 

Well, in this particular case it was only one tunnel out of many... all tunnels at this customer have independent VPN communities for each peer, so one peer per community... all tunnels UP, only one Check Point to Check Point tunnel is down.


And those peers use link selection, one link is MPLS and the other is Internet, in HA I think.
Of course all certificates are valid, nothing has expired, and we reissued the IPsec certificate on the remote peer too!

I don't think the CA is affected; it's more likely a communication issue between the remote peer and the internal CA which might trigger this behavior... but I see no proof for that...
We will try to fetch the CRL via curl_cli, then we will see.

best regards

0 Kudos
_Val_
Admin

Before answering your questions, some clarification:

  1. Which certificate, ICA or third party, was used for the tunnel on this GW? 
  2. Which part is reporting "Invalid certificate"?
  3. Did you change anything on your networks that would prevent CRL connectivity?
0 Kudos
Thomas_Eichelbu
Advisor

Hello Val, regarding your questions.

  1. Which certificate, ICA or third party, was used for the tunnel on this GW? 
    -> only the internal Check Point CA, 

  2. Which part is reporting "Invalid certificate"?
    -> Well, I have too few logs and debugs to make a qualified statement about that.
    I need to arrange the collection of more logs.
    The remote peer says "invalid certificate": it wants to validate the third-party certificate, and fails.

  3. Did you change anything on your networks that would prevent CRL connectivity?
    -> As far as I know, not at all. As I said, all of a sudden after a policy install applying a "normal" access policy.
0 Kudos
_Val_
Admin

Ok, so no third-party certs. Check that you can reach the CRL from the GW which refuses the cert. The CRL is cached for 7 days, so it is normal if your VPN failure does not correlate with any recent changes.

0 Kudos
Thomas_Eichelbu
Advisor

Hi, 

Yes, I asked the customer to check this... whether the ICA is reachable via MPLS and via Internet as well...
I have only received logs from the central VPN gateway...
For example... since there are so many...

208.44.YY.ZZ -> is the remote external IP
192.168.254.XX -> is the remote internal MPLS IP
both are in link selection, in HA, 192.168.254.XX is set to primary.

[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] New TransportConnection (9765669 Total: 25)
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] UDPConnection::UDPConnection: Enter (copy ctor) peer: 192.168.254.62
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] UDPConnection::UDPConnection: conn.m_txSocket: 0x1b1ee458, 0x1b17fc20.
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45] GetEntryIsakmpObjectsHash: received ipaddr: 192.168.254.XX as key, found fwobj: FW-USAM
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] extended_log_info_create, entered.
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] < FWIKE_ROLE_START > Id = 1699451
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] < FWIKE_ROLE_RESPONDER > Id = 1699451
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] FwIkeResponder: entering
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] FwIkeResponderOnEnter: idRanges NOT USED mine [0-0] peer's [0-0]
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45] findSAByPeer: Find SA with cookies 5362e2e0f6a51e6b,30eb62504c4a471e from packet
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45] findSAByPeer: ISAKMP SA was found
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] ResponderOnEnter: create new p1state
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45] GetEntryIsakmpObjectsHash: received ipaddr: 208.44.YY.ZZ as key, found fwobj: FW-USAM
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] ResponderOnEnter: set peer ike port to: 500
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] ResponderOnEnter: client mode: 0
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45] GetEntryIsakmpObjectsHash: received ipaddr: 208.44.YY.ZZas key, found fwobj: FW-USAM
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45] GetEntryCommunityHashX: received ipaddr: ZZ.YY.44.208 as key, found community: vpn_USAM-1
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45] FindCommonCommunity: Found common community (IPv4 addr=XX.YY.44.208) (vpn_USAM-1) for FW-USAM
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] FwIkeNewPhase2State: Community uses profile custom_profile
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] < FWIKE_EXCH_START > Id = 1699451
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] < FWIKE_EXCH_INFORMATION > Id = 1699451
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] < FWIKE_PACKET_START > Id = 1699451
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] < FWIKE_INFO_RESPONDER > Id = 1699451
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] ProcessInfoHeader: peer sent non-encrypted info-exchange while ISAKMP SA exists.
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] ProcessInfo: enter
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] fwIsakmp_ProcessInfoExc entering
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] -- updatePayloadMap: received payload PA_NOTIFY.
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] ProcessInfo: identifyPayloads succeeded.
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] processNotifyPayload: protocol: 1
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] processNotifyPayload: notify type: 20

[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] Peer d02c0b1e says: Received Notification from Peer: invalid certificate

[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] Received Notification from Peer: invalid certificate
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] extended_log_info_build_reason_from_list: list is empty,
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] isakmpd_log: calling isakmpd_log with original reason=(Phase1 Received Notification from Peer: invalid certificate)
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] GetDAGIP: ID d02c0b1e not in DAIP range
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45] CFwdCommStreamLocal::Write called
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45] CFwdCommStreamLocal::Write sent 220 bytes
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] < FWIKE_PACKET_END > Id = 1699451
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] < FWIKE_EXCH_END > Id = 1699451
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] < FWIKE_ROLE_END > Id = 1699451
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] TalkToEngine: Engine RC is << FWIKE_RCV_NOTIFY >>
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] TalkToEngine: received Notification from peer
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] KillNegotiation: Killing negotiation 1699451 (0x1b1ca478) ...
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] KillNegotiation: p2state isakmp sess id:
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] KillNegotiation: machine state -exchange: 0
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] KillNegotiation: machine state -packet: 0
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] KillNegotiation: marcipan state: 0
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] KillNegotiation: status: 0
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] KillNegotiation: cookieI e0e262536b1ea5f6
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] KillNegotiation: cookieR 5062eb301e474a4c
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] KillNegotiation: fwisakmp error type: 0, code: 20
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] NegotiationTable::DeleteNegotiation: Invoked for:
[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45][tunnel] neg ptr: 1b1ca478 ass: 1b2ac088 wait4: 0

What keywords should I search for?

0 Kudos
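For the "what keywords should I search for?" question, the following is an added example (not from this thread or from Check Point) that correlates vpnd debug lines into IKE negotiations by thread and FWIKE_ROLE_START/END Id, then reports the negotiations the remote peer aborted with a certificate-related ISAKMP notify (type 20 is INVALID-CERTIFICATE in RFC 2408, matching the "invalid certificate" text above). The line layout assumed by the regexes is taken only from the debug posted above, and the sample lines, addresses, object names and Ids are constructed placeholders.

```python
import re

# ISAKMP notify types (RFC 2408) that a certificate problem produces.
CERT_NOTIFIES = {19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE",
                 22: "INVALID-CERT-AUTHORITY", 28: "CERTIFICATE-UNAVAILABLE"}
# Assumed vpnd debug line layout: "[vpnd <pid> <tid>]@<gw>[<timestamp>][tunnel] <message>" ("[tunnel]" optional).
LINE_RE = re.compile(r"^\[vpnd \d+ (\d+)\]@(\S+?)\[([^\]]+)\](?:\[tunnel\])? ?(.*)$")
ROLE_RE = re.compile(r"< FWIKE_ROLE_(START|END) > Id = (\d+)")
COMMUNITY_RE = re.compile(r"Found common community \(IPv4 addr=(\S+)\) \((\S+)\) for (\S+)")
NOTIFY_RE = re.compile(r"processNotifyPayload: notify type: (\d+)")
REASON_RE = re.compile(r"^(?:Peer \S+ says: )?Received Notification from Peer: (.+)$")

# Constructed sample in the format of the debug above (placeholder addresses, names and Ids).
P = "[vpnd 23263 4092643232]@FW-BR-MB[8 Jul 13:56:45]"
SAMPLE_LOG = "\n".join([
    P + "[tunnel] < FWIKE_ROLE_START > Id = 1699451",
    P + " FindCommonCommunity: Found common community (IPv4 addr=XX.YY.44.208) (vpn_USAM-1) for FW-USAM",
    P + "[tunnel] processNotifyPayload: notify type: 20",
    P + "[tunnel] Peer d02c0b1e says: Received Notification from Peer: invalid certificate",
    P + "[tunnel] KillNegotiation: fwisakmp error type: 0, code: 20",
    P + "[tunnel] < FWIKE_ROLE_END > Id = 1699451",
])


def parse_vpnd_log(text):
    """Group lines into negotiations keyed by Id; a vpnd thread owns one negotiation at a time."""
    negotiations, active = {}, {}  # active: vpnd thread id -> Id of the negotiation in progress
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        tid, gw, ts, msg = m.groups()
        if role := ROLE_RE.search(msg):
            if role.group(1) == "START":
                active[tid] = role.group(2)
                negotiations[role.group(2)] = dict(id=role.group(2), gateway=gw, time=ts, peer_ip=None,
                                                   community=None, peer_obj=None, notify_type=None, reason=None)
            else:
                active.pop(tid, None)  # ROLE_END: the thread no longer owns this negotiation
        elif (neg := negotiations.get(active.get(tid))) is not None:
            if c := COMMUNITY_RE.search(msg):
                neg["peer_ip"], neg["community"], neg["peer_obj"] = c.groups()
            elif n := NOTIFY_RE.search(msg):
                neg["notify_type"] = int(n.group(1))
            elif r := REASON_RE.match(msg):  # anchored, so the isakmpd_log echo of the reason is skipped
                neg["reason"] = r.group(1)
    return negotiations


def certificate_failures(negotiations):
    """Negotiations the remote peer aborted with a certificate notify (it rejected the cert we offered)."""
    return [dict(neg, notify_name=CERT_NOTIFIES[neg["notify_type"]], rejected_by="remote peer")
            for neg in negotiations.values() if neg["notify_type"] in CERT_NOTIFIES]
```

Because the notify is "Received ... from Peer", the rejecting side is the remote gateway, so that is where CRL and CA reachability need to be checked.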
jeannotx
Explorer

same problem here, any ideas?

0 Kudos
