patones1
Collaborator
R82: Site to site VPN authentication issue when using certificates

Hello,

When testing the R82 version for VPN site to site between two different Check Point sites (Externally Managed VPN Gateway), I found an authentication issue when using certificate exchange as the authentication method. The traffic was rejected. There was no issue when using a pre-shared secret.

 

Reject.jpg

Then I updated Gaia in both SMSs with the "Jumbo Hotfix take 44". I thought that it was going to solve the issue. But the result was the same: "Authentication failed".

I rebuilt it all again in my LAB, reinstalling and configuring everything from scratch ...... with the same results.

Finally I did the same with the R81.20 version (just in case...). Everything was working OK when using R81.20.

So I think there is a real issue when using certificates to authenticate the site to site VPN between two different sites (domains).

Could somebody confirm that it is not an isolated issue but a general one?

Thanks for your feedback

Best regards

Miguel
17 Replies
genisis__
MVP Silver

Have you raised a case with TAC? If it is an issue with R82 then they will need to be engaged.

patones1
Collaborator

It is not a production case. I was just testing in my LAB.
That's why I am using this way to inform people about this issue. Somebody should test it to confirm.

the_rock
MVP Platinum

Hey Miguel,

I know this is an SMB-related post, but see if it helps. It's clear based on the message that it does not like something about the cert.

https://community.checkpoint.com/t5/Security-Gateways/HowTo-Set-Up-Certificate-Based-VPNs-with-Check...

Best,
Andy

patones1
Collaborator

I have been using certificates for VPN authentication since the R80 version. It has always worked using the same method. Even with R77.30, the method is quite the same (with some differences in language and interfaces).

This time, to be sure my platform was working OK, I made the test using certificates with the R81.20 version. A successful test.

Unless the way of exchanging certificates has changed since the R82 version, there is a problem when exchanging certificates for creating new VPN tunnels.

It is hard to believe nobody has already tested it.

the_rock
MVP Platinum

I really can't confirm that, sorry... let's see if anyone else might know.

Best,
Andy

patones1
Collaborator

Just to show how simple authentication by certificates is. It should work this way, and it is not working in the R82 version:

  • First, you save your certificate. You are going to share this certificate with the distant site:

Saving certificate.jpg

  • Then, you use the certificate shared by the distant site to create a new "Trusted CA" (as "External Check Point CA")

 

Create trusted CA.jpg

Create trusted CA_1.jpg

By clicking on "Get" on the "External Check Point CA" tab, you will select the distant site certificate that has been shared by your partner.

And that's it. Don't forget to uncheck "Use only share Secret for all External members" in the community and, if there is already a tunnel built on the community (same tunnel), use vpn tu in order to delete the previous tunnels (IPsec + IKE SAs).

For me it is a mystery that authentication by sharing certificates is not working anymore since the R82 version.

I haven't tested what happens when a tunnel is already built with certificates before upgrading from R81.20 to R82.

Best regards

Miguel

the_rock
MVP Platinum

Let me see if I can test this in the lab. I had this working before and when I upgraded to R82, it still worked fine.

Best,
Andy

Alex-
MVP Silver

Is your CRL reachable/resolvable? Have you tried turning it off to see if it makes a difference?

patones1
Collaborator

I am not sure it is about a CRL issue. But I will test it next week. This week I am too busy.
Thank you Alex

RS_Daniel
Advisor

Hello,

I must say I have not tried with R82, but the steps I usually follow are quite different.

  1. Import the external CA and create a Trusted CA object.
  2. Go to local gateway object > IPsec VPN > Certificates repository. Click add and generate a CSR selecting the Trusted CA created on step 1.
  3. Send the CSR to the peer to get it signed.
  4. Import the signed certificate into the IPsec certificates repository.
  5. Go to external peer gateway object > IPsec VPN > Matching Criteria, select the external CA created on step 1. Fill up the match conditions, I usually use DN.
  6. Push policy.

Hope this helps.

Regards

Feridun_ÖZTOK
Contributor

Hey, same thing 😞

RS_Daniel
Advisor

Hello,

The first log with the error regarding CRL makes me think it is going in the right direction. On the trusted CA object go to the OPSEC PKI tab and uncheck both options under the Retrieve CRL From section. Does it change anything? You can check sk109139 for reference, it is the same logic but in the sk the certificates are signed by the internal CA (management server) instead of the external CA, it should work no matter which option you use.

Regards

patones1
Collaborator

Hello RS_Daniel


I found a way to disable CRL checking from Timothy Hall in another issue:

https://community.checkpoint.com/t5/SMB-Gateways-Spark/Disabling-CRL-checking-for-centrally-managed-...

I entered the command in both gateways,

disable_CRL.jpg

And now it works. So it was an issue of the receiving side not being able to retrieve the CRL on the R82 version.

Until Check Point resolves the issue on the R82 version, the only way to make the VPN tunnel work with 2 Check Point CAs (SMSs) is disabling CRL checking by using the command above.

I hope this will help

Cheers

Miguel

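The two states Miguel describes in the accepted solution (a peer certificate whose CRL the gateway cannot retrieve, versus the same certificate with CRL checking disabled) and the CSR flow RS_Daniel lists above can be reproduced with nothing but OpenSSL. The script below is an added example, not Check Point code and not the command from the linked thread; every name in it (lab-ca, sg1, sms1, crl.lab.invalid) is constructed for the lab. The issued certificate points at a CRL URI that is deliberately unreachable, which is the situation a gateway is in when its log says it could not retrieve the CRL.

```shell
#!/bin/sh
# Added example for this thread (not Check Point's code). Builds a throwaway CA and a
# gateway certificate, then runs three verifications that mirror the thread:
#   1. chain check only (CRL checking disabled, the workaround state)
#   2. chain + CRL check with no CRL obtainable ("Could not retrieve CRL", fails)
#   3. chain + CRL check with the CA's CRL supplied out of band (healthy state)
# All names are constructed; the CRL URI is an unreachable .invalid host on purpose.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Steps 1-4 of the CSR flow in miniature: a CA, a gateway CSR, the CA signing it,
# and the CA publishing an (empty) CRL for the verifier to consume in case 3.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=lab-ca/O=sms1" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/sg1.key" -out "$WORK/sg1.csr" \
    -subj "/CN=sg1 VPN Certificate/O=sms1" >/dev/null 2>&1
  # The CRL distribution point is unreachable, so a verifier that insists on a
  # fresh CRL has no way to get one.
  printf 'crlDistributionPoints=URI:http://crl.lab.invalid/sms1.crl\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/sg1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/sg1.crt" -days 30 -extfile "$WORK/ext.cnf" >/dev/null 2>&1
  # Minimal 'openssl ca' database so the CA can emit a CRL with no revoked entries.
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ca]
default_ca = lab
[lab]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 7
EOF
  openssl ca -config "$WORK/ca.cnf" -gencrl -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
    -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Prints "ok" or "fail" so results can be compared instead of juggling exit codes.
verify_result() {
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Case 1: CRL checking disabled, chain validation only.
verify_without_crl_check() {
  verify_result -CAfile "$WORK/ca.crt" "$WORK/sg1.crt"
}

# Case 2: CRL checking on, but no CRL can be obtained for the issuing CA.
verify_crl_unavailable() {
  verify_result -crl_check -CAfile "$WORK/ca.crt" "$WORK/sg1.crt"
}

# Case 3: CRL checking on and the CA's CRL supplied locally.
verify_crl_available() {
  verify_result -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" "$WORK/sg1.crt"
}

# The subject DN a peer gateway would use for "Matching Criteria" (step 5 above).
peer_dn() {
  openssl x509 -in "$WORK/sg1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

setup_pki
echo "peer DN:             $(peer_dn)"
echo "no CRL check:        $(verify_without_crl_check)"
echo "CRL check, no CRL:   $(verify_crl_unavailable)"
echo "CRL check, with CRL: $(verify_crl_available)"
```

Case 2 is the one that corresponds to the R82 log in the thread: the chain is fine, but a strict verifier refuses the peer because it cannot confirm non-revocation. Disabling CRL checking (case 1) accepts the peer at the cost of losing revocation, so case 3, a CRL the gateway can actually reach, is the state to restore once the retrieval problem is fixed.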
the_rock
MVP Platinum

Excellent Miguel, thanks for letting us know.

Best,
Andy

patones1
Collaborator

Hello RS_Daniel,

That is for a third-party CA.
My VPN tunnel is between two gateways, each managed by its own Check Point CA (its own SMS).
The way of exchanging certificates is straight (no need to go to the repository).

It is about the R82 version issue rather than a configuration or procedure issue. 

I tried disabling CRL checking. One log was like this: "Auth exchange: Could not retrieve CRL.CN=sg1 VPN Certificate,O=sms1..b6gyro" ...... without success.

Best regards

Miguel

Feridun_ÖZTOK
Contributor

I thought it was just me who couldn't do it 🙂 I have two R82 gateways with separate managements on the office and DataCenter sides. I'm having the same problem.

ShemHunter
Contributor

Hi All!


My client had a problem with certificates somehow. And we had a problem - the DN value was set. After we set it to Default, the problem was resolved. Maybe this will help you too.