Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Terri_Hawkins
Contributor

Automatic Certificate Renewal for IPSec VPN Stopped Working

Jump to solution

Hello,

I have a Checkpoint 15400 Device running R81 (one hotfix behind). I also have roughly 100 small business appliances which connect to it using IPSecVPN.  These are a mix of 1430 and 1530 devices and I recently (a month maybe) upgraded all of these with the newest hotfixes (1430 is 77.20.87 and 1530 is 80.20.40). Everything has been working fine with these devices for years as far as the certificates went, but suddenly the automatic certificate renewal is not working.

According to https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R7... the renewal process is supposed to be automatic when 75% of validity is reached.

When our primary gateways (the 15400s) came close to expiring, it did not automatically renew.  I waited until a couple of days before it was going to expire and then did it manually (hopefully that did not put our entire internal_ca into a manual renew state). Now our SBA seem to be having the same issue.

The specific error message I see in the log files is: Auth exchange: Sending notification to peer: Authentication failed MyAuthMethod: Certificate

I checked out this article on Checkmates but it was a communication issue, and I am able to communicate back and forth, my certificate is expired. https://community.checkpoint.com/t5/Security-Gateways/IPSEC-site-to-site-VPN-fails-after-R80-20-upgr...

My questions are:

1. Is anyone else having issues with the internal_ca and automatic renewal? If you did and fixed it can you share how?

2. Did me manually doing the primary cluster change everything to a manual process?

3. Is there a command I can run which would list the gateways and when they are due to renew? I'd like to manually renew them before their tunnels go down if possible. 

4. Anything else you want to share is also appreciated, I may be tackling this completely from the wrong angle. 🙂

Thank you so much for any assistance. 

0 Kudos
1 Solution

Accepted Solutions

See sk158096: How to renew an Internal Certificate Authority (ICA) certificate !

You seem to missunderstand the Internal CA and Certificate Based IPSec VPN. Internal CA is used for S2S and RA VPN certs on all GWs managed by the same SMS!

CCSE CCTE CCSM SMB Specialist

View solution in original post

0 Kudos
1 Reply

See sk158096: How to renew an Internal Certificate Authority (ICA) certificate !

You seem to missunderstand the Internal CA and Certificate Based IPSec VPN. Internal CA is used for S2S and RA VPN certs on all GWs managed by the same SMS!

CCSE CCTE CCSM SMB Specialist
0 Kudos