Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
CheckMate-R77
Contributor

R80.10 VPN site-to-site certificate problem

After upgrading Security Gateway from R77.30 to R80.10 we have lost VPN site to site connectivity using certificates. In log we have found something like this:

Main Mode Issuer CN=RootCA.something*,OU=something,O=something,L=something,ST=something,C=PL is not a CA.

and then:

Main Mode Sent Notification to Peer: invalid certificate

In vpnd.elg we have also found:

CA certificate CN=RootCA.something,OU=something,O=something,L=something,ST=something,C=PL does not contain a BasicConstraints extension.

I attached the vpnd.elg file for details.

In R80.10 Relase Notes and any other docs there is no word about such issues when upgrading from R77.x to R80.10. What's wrong?

Thanks in advance for Your support

Regards

Mirek

*) something is used here for example only to hide details

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

I would engage with the TAC on this.

I hadn't heard of any issues cropping up with VPNs after upgrading to R80.10.

This sounds like an issue with the internal CA, though, and possibly regenerating and reexchanging certificates would solve the issue.

0 Kudos
CheckMate-R77
Contributor

Temporarily we have switched from certificates to preshared key to restore VPN connectivity. We think it's all about lack of BasicConstraints extension. We will follow Your advise.

Thanks a lot

Regards

Mirek

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events