Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ilovecheckpoint
Participant

New VPN site to site on the same domain "Main Mode Sent Notification to Peer: invalid certificate"

Hello,

I have just installed a firewall on an existing MDS domain.

I haven't specified the PSK key, as it needs to use certificate authentication.

 

This is the message seen on new gateway:  Main Mode Sent Notification to Peer: invalid certificate

This is the log on old gateway:   Phase1 Received Notification from Peer: invalid certificate

It reaches the crl.

What could be the cause?

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

What's the version/JHF level?
Did you push policy to the old and new gateways?

0 Kudos
Ilovecheckpoint
Participant

Hello, 

Both gateways version R81.20 Jumbo 65 and on the other one 26. Installed policy on both.
The communication to the management is via Internet and there is a firewall which protects it.
The new firewall is configure to have a private ip natted to public one, to go on Internet.
On gateway object, I configured under vpn link selection use Ip selection by remote peer, always use as statically natted ip, its public one.
As source ip address,I selected manually on the topology, using the internal ip address which is nattet to the public ip. 
I configured master file to use public management and log ip addresses and on vpn excluded services, FW ICA is excluded.
The vpn to management works, but communication to crl does not happen and no log seen on management firewall about it.

0 Kudos
the_rock
Legend
Legend

I would start with basic debug

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

check vpnd and iked files in $FWDIR/log

0 Kudos
AmirArama
Employee
Employee

sometimes just renewing the certificate on both peers resolves such issues.

if that won't help, verify crl check is made and to what IP, and if communication works bi directional by running: 'tcpdump -nnei any port 18264'

if that is not the issue, i agree to continue with vpn debug on both sides.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events