Ilovecheckpoint
Explorer

VPN using certificates between two different Checkpoint domains

Hello,

I have two MDS domains, so the gateways are managed by a different SMS.

Between these gateways a site-to-site VPN is up and running on PSK.

I want to switch from PSK to certificates issued by the Internal CA.

I imported the "partner" root CA into trusted CA OPSEC PKI server objects.

Error messages: invalid certificate and invalid cookie.

I verified the root certificates' MD5 fingerprints and they are fine.

What have I missed?

I found a guide but it is for SMB only.

4 Replies
the_rock
Legend

Can you send a screenshot?

Andy

RS_Daniel
Advisor

Hello,

I think you have an externally managed VPN gateway object on each SMS. Did you configure certificate matching criteria on these objects? You should specify the CA that issued the certificate and the DN. This should be done on both sides.

[attached image: MatchingCriteria.png]

Ilovecheckpoint
Explorer

I have selected on each externally managed gateway the certificate issued by the other domain's internal CA and the DN, but no improvement. I will recheck the configuration and run a VPN debug, hoping IKEView will help. Thanks

Ilovecheckpoint
Explorer

I deleted the OPSEC PKI object and created an EXTERNAL CA trusted server object, and it works; traffic passes through the VPN.

Anyway, the following message appears from time to time: "Certificate defaultCert cannot be validated. Could not retrieve CRL."

I executed telnet to the management IP on port 18264 and it shows as open. The gateway is version 80.20. Any suggestions?

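The telnet check in the last post only proves that TCP 18264 accepts connections; "Could not retrieve CRL" can also mean the gateway downloaded a CRL that is outside its validity window, or nothing usable at all. The following is an added example, not code from this thread or from Check Point: it fetches the ICA CRL over plain HTTP the way a gateway does and checks thisUpdate/nextUpdate. It assumes the CRL is published at /ICA_CRL1.crl on port 18264 (confirm the real path in the certificate's CRL Distribution Points extension); the sample CRL inside it is constructed and unsigned, for offline testing only.

```python
import urllib.request
from datetime import datetime, timezone

def der(tag, body):
    """Short-form DER TLV encoder; only used to build the constructed sample CRL."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def tlv(buf, i):
    """Decode one DER TLV at offset i; return (tag, value, offset after it)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                       # long-form length
        k, i = n & 0x7F, i + (n & 0x7F)
        n = int.from_bytes(buf[i - k:i], "big")
    return tag, buf[i:i + n], i + n

def parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(crl_der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList (RFC 5280, 5.1)."""
    _, outer, _ = tlv(crl_der, 0)                      # CertificateList SEQUENCE
    _, tbs, _ = tlv(outer, 0)                          # tbsCertList SEQUENCE
    tag, _, i = tlv(tbs, 0)                            # version INTEGER (optional)
    if tag == 0x02:
        _, _, i = tlv(tbs, i)                          # signature AlgorithmIdentifier
    _, _, i = tlv(tbs, i)                              # issuer Name
    t1, v1, i = tlv(tbs, i)                            # thisUpdate
    t2, v2, _ = tlv(tbs, i)                            # nextUpdate (optional)
    return parse_time(t1, v1), (parse_time(t2, v2) if t2 in (0x17, 0x18) else None)

def crl_is_current(crl_der, now_iso=""):
    """True when now (ISO 8601 with UTC offset; default: UTC now) is inside the CRL's validity."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    this_upd, next_upd = crl_validity(crl_der)
    return this_upd <= now and (next_upd is None or now < next_upd)

def fetch_crl(host, path="/ICA_CRL1.crl", port=18264, timeout=5.0):
    """Fetch the CRL as a gateway would: plain HTTP on the ICA port (path is an assumption)."""
    with urllib.request.urlopen(f"http://{host}:{port}{path}", timeout=timeout) as r:
        return r.read()

def sample_crl():
    """Constructed, unsigned CRL with an empty revocation list, for offline tests."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"ICA"))))
    tbs = der(0x30, der(0x02, b"\x01") + alg + issuer
              + der(0x17, b"240101000000Z") + der(0x17, b"240108000000Z"))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))   # empty BIT STRING signature
```

Against a live management server, `crl_is_current(fetch_crl("<management IP>"))` tells you whether the gateway is being handed a stale CRL rather than just whether the port answers.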