Re: Will an expired VPN certificate be a problem for an update?

This is actually the certificate of the gateway cluster. The internal CA certificate is still valid. I renewed it this morning but experienced a VPN problem (I know this may not be the right place to discuss this issue...): no IKE negotiation was possible anymore. After restoring the previous config (with the former, invalid certificate), the problem persisted. The solution applied consisted in "widening" the Diffie-Hellman groups by adding DH-1 and DH-5 to the default DH-2. It is important to note that those two added groups (DH-1 and DH-5) were not activated before the certificate renewal.

The logs showed errors with the following messages:

- encryption fail reason: Packet is dropped because there is no valid SA
- IKE: Main Mode no common authentication methods between myself and peer
- encryption failure: Error occurred
- IKE: Main Mode Failed to match proposal: 3DES, SHA1, Pre-shared secret, Group 2 (1024 bit)
- encryption failure: Unknown SPI: 0x533871c7 for IPsec packet

Could someone help me with the following questions:

- Why was it impossible to have any IKE negotiation after the certificate renewal?
- Why did the rollback (using Database Revision Control) not work?
- Why did adding the DH-1 and DH-5 groups solve the problem?
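A small triage script over the log messages quoted in the post, added here as an example and not part of the original post or of any vendor tooling: it tags each line by what the message literally says (a Main Mode proposal mismatch, no common authentication method, an unknown SPI, no valid SA) and pulls the proposal fields and the SPI out so they can be compared with the peer's configuration. The regex patterns, the category names and the sample log text are this example's own assumptions, not a vendor log specification.

```python
"""Triage of VPN gateway log lines for IKE/IPsec negotiation failures.

Added example, not part of the original forum post. The sample log below is
constructed from the five messages quoted in the post; the message patterns
and category names are this example's own assumptions about the log format.
"""
import re
from collections import Counter

# Constructed sample input: the five messages quoted in the post.
SAMPLE_LOG = """\
encryption fail reason: Packet is dropped because there is no valid SA
IKE: Main Mode no common authentication methods between myself and peer
encryption failure: Error occurred
IKE: Main Mode Failed to match proposal: 3DES, SHA1, Pre-shared secret, Group 2 (1024 bit)
encryption failure: Unknown SPI: 0x533871c7 for IPsec packet
"""

# Each rule is (regex, category). Order matters: the first match wins.
# Category labels are this example's own, chosen to separate IKE Phase 1
# (Main Mode) problems from IPsec SA problems.
RULES = [
    (re.compile(r"Failed to match proposal:\s*(?P<proposal>.+)$"), "phase1_proposal_mismatch"),
    (re.compile(r"no common authentication methods"), "phase1_auth_mismatch"),
    (re.compile(r"Unknown SPI:\s*(?P<spi>0x[0-9a-fA-F]+)"), "ipsec_unknown_spi"),
    (re.compile(r"no valid SA"), "ipsec_no_valid_sa"),
]


def parse_proposal(text):
    """Split a 'Failed to match proposal' payload into its fields.

    Expects the comma-separated form seen in the post:
    '<encryption>, <integrity>, <authentication>, Group <n> (...)'.
    Missing fields come back as None; the DH group is returned as an int.
    """
    parts = [p.strip() for p in text.split(",")]
    parts += [None] * (3 - len(parts))  # pad so indexing below is safe
    result = {"encryption": parts[0], "integrity": parts[1], "auth": parts[2]}
    m = re.search(r"Group\s+(\d+)", text)
    result["dh_group"] = int(m.group(1)) if m else None
    return result


def classify_line(line):
    """Return (category, details) for one log line, or (None, {}) if no rule matches."""
    for rx, category in RULES:
        m = rx.search(line)
        if m:
            details = {k: v for k, v in m.groupdict().items() if v is not None}
            if "proposal" in details:
                details.update(parse_proposal(details.pop("proposal")))
            return category, details
    return None, {}


def triage(log_text):
    """Classify every non-empty line and count findings per category."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        category, details = classify_line(line)
        findings.append({
            "line": line,
            "category": category or "uncategorised",
            "details": details,
        })
    counts = Counter(f["category"] for f in findings)
    return findings, counts


if __name__ == "__main__":
    found, summary = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['category']:26s} {f['details'] or ''}")
    print("summary:", dict(summary))
```

Running it on the quoted lines gives one Phase 1 proposal mismatch (3DES / SHA1 / pre-shared secret / DH group 2), one authentication-method mismatch, one unknown SPI and one "no valid SA", with the generic "Error occurred" line left uncategorised. The extracted proposal fields are what you would line up against the peer gateway's IKE settings when checking why a proposal was rejected.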