This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ilovecheckpoint
Participant
‎2024-06-21 11:16 AM

New VPN site to site on the same domain "Main Mode Sent Notification to Peer: invalid certificate"

Hello,

I have just installed a firewall on an existing MDS domain.

I haven't specified the PSK key, as it needs to use certificate authentication.

 

This is the message seen on new gateway:  Main Mode Sent Notification to Peer: invalid certificate

This is the log on old gateway:   Phase1 Received Notification from Peer: invalid certificate

It reaches the crl.

What could be the cause?

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2024-06-21 11:51 AM

What's the version/JHF level?
Did you push policy to the old and new gateways?

0 Kudos
Ilovecheckpoint
Participant
‎2024-06-22 02:48 PM
In response to PhoneBoy

Hello, 

Both gateways version R81.20 Jumbo 65 and on the other one 26. Installed policy on both.
The communication to the management is via Internet and there is a firewall which protects it.
The new firewall is configure to have a private ip natted to public one, to go on Internet.
On gateway object, I configured under vpn link selection use Ip selection by remote peer, always use as statically natted ip, its public one.
As source ip address,I selected manually on the topology, using the internal ip address which is nattet to the public ip. 
I configured master file to use public management and log ip addresses and on vpn excluded services, FW ICA is excluded.
The vpn to management works, but communication to crl does not happen and no log seen on management firewall about it.

0 Kudos
the_rock
Legend
Legend
‎2024-06-22 05:19 PM
In response to Ilovecheckpoint

I would start with basic debug

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

check vpnd and iked files in $FWDIR/log

0 Kudos
AmirArama
Employee
Employee
‎2024-06-23 11:05 AM

sometimes just renewing the certificate on both peers resolves such issues.

if that won't help, verify crl check is made and to what IP, and if communication works bi directional by running: 'tcpdump -nnei any port 18264'

if that is not the issue, i agree to continue with vpn debug on both sides.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top