Hi,
We have two sites connected via a site-to-site vpn.
Site A has a cluster of two R81.20 open servers; Site B has a cluster of two CloudGuard gateways in Azure, also R81.10.
Management server is at Site A also R81.20.
Clients are connecting to Site A for Remote access VPN using personal certificate for authentication.
We wanted to investigate the possibility of using machine certificate authentication for clients' remote access.
From the Remote Access VPN Admin guide, Machine Certificate section (Machine Certificate (checkpoint.com)), we followed the link to sk149253 on adding the root CA on the LDAP Server to the Trusted CA in Management. We successfully generated a certificate request for our internal CA server, generated a certificate and installed it on our gateway. So on Site A's gateway we had two certs: the one from a 3rd party (our own internal CA) that we just generated and the Check Point internal one.
After installing the policy on the Site A cluster, everything worked well. But after installing the policy on Site B, the site-to-site VPN went down. Only after we removed the new certificate from the Site A cluster and installed policy on both sites did it come back.
Maybe the site-to-site vpn was trying with the wrong cert? Is there a place or setting for the site-to-site to specify which cert it should use?
thanks