This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ilovecheckpoint
Explorer
‎2024-03-11 10:46 AM

VPN using certificates between two different Checkpoint domains

Hello,

I have two MDS domains,  so gateways are managed by a different SMS.

Between these gateways a vpn site to site is up and running on PSK.

I want switch from PSK to Certificate issue by Internal CA.

I imported the "partner" root CA on trusted CA OPSEC PKI server objects.

Error message, invalid certificate and invalid cookie.

Verificated root certificates MD5 fingerprints and it is fine.

What I have missed?

I found a guide but it is for SMB only.

 

0 Kudos
4 Replies
the_rock
Legend
Legend
‎2024-03-11 11:01 AM

Can you send a screenshot?

Andy

0 Kudos
RS_Daniel
Advisor
‎2024-03-11 11:15 AM

Hello,

On i think you have an externally managed vpn gateway object on each SMS. Di you configure certificate matching criteria on these objects? you should specify the CA the issued the certificate and the DN. Should be done on both sides.

 

MatchingCriteria.png

0 Kudos
Ilovecheckpoint
Explorer
‎2024-03-11 02:47 PM
In response to RS_Daniel

I have selected on each external managed gateways the certificate issue by the other internal domain CA and the DN, but no improvements. I will recheck the configuration and I will run a vpn debug, hoping ikeview will help. Thanks

0 Kudos
Ilovecheckpoint
Explorer
‎2024-03-15 07:49 AM
In response to Ilovecheckpoint

I deleted OPSEC PKI and created EXTERNAL CA trust server object and it works, traffic pass into vpn.

Anyway, the following message appears from time to time: "Certificate defaultCert cannot be validated. Could not retrieve CRL."

Executed telnet to management ip on port 18264 and it shows as open. Gateway is version 80.20. Any suggestion?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events