2009-07-01
doeffel
invalid certificate - no vpn tunnel

Hi everybody, I'm a newbie in Check Point configuration.

I want to set up a VPN between two Nokias (NGX R61).

One Nokia is a standalone installation and works as SmartCenter server for the second Nokia.

The remote Nokia is connected to a ZyXEL router which works with VPN passthrough, so all traffic goes directly to the Nokia via a transfer LAN.

Now my problem: VPN Phase 2 fails. Main mode works fine, but then I get "invalid certificate".

I have already checked the time on the 2 boxes, and traffic between the boxes is allowed for any service.

Can anyone help me?

I have checked the log on the remote gateway and found this:

<eth1c0 service_id: FW1_ica_services; src: 192.168.1.2; dst: 192.168.179.18; proto: tcp; rule: 0; message_info: Implied rule; product: VPN-1 & FireWall-1; service: FW1_ica_services; s_port: 2889;

It seems to me the remote gateway tries to communicate with the SmartCenter server via the transfer LAN and not with the official IPs, and then this:

>daemon src: official IP perimeter Gateway; dst: official IP remote Gateway; peer gateway: official IP perimeter Gateway; scheme: IKE; IKE: Main Mode Validation timed out.; CookieI: b1b32cfad011e233; CookieR: f415332b92dc7725; methods: 3DES + SHA1, RSA signatures; community: Spain; reject_category: Gateway to Gateway authentication failure; fw_subproduct: VPN-1; vpn_feature_name: IKE; product: VPN-1 & FireWall-1;

>daemon src: official IP remote Gateway; dst: official IP perimeter Gateway; peer gateway: official IP perimeter Gateway; scheme: IKE; IKE: Main Mode Sent Notification to Peer: invalid certificate; CookieI: b1b32cfad011e233; CookieR: f415332b92dc7725; community: Spain; fw_subproduct: VPN-1; vpn_feature_name: IKE; product: VPN-1 & FireWall-1;

Also, logging is not possible because the remote gateway tries to communicate with the SmartCenter server via the transfer LAN and not with the official IPs:

<eth1c0 service_id: FW1_log; src: 192.168.1.2; dst: 192.168.179.18; proto: tcp; rule: 0; message_info: Implied rule; product: VPN-1 & FireWall-1; service: FW1_log; s_port: 2890;

Any idea?

I have checked the Check Point knowledge base. They write: "create a dummy secondary SmartCenter server" and implement NAT rules, but I can't create a secondary SmartCenter server object in my rulebase.

Last edited by doeffel; 2009-07-01 at 14:03. Reason: new information
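The records quoted in the post follow the "key: value; key: value;" layout of the Check Point log viewer, prefixed by a direction marker and the interface or daemon that produced them. The two things worth pulling out of such a log are the IKE authentication failures and the management-plane traffic (FW1_ica_services is the Internal CA service used for certificate and CRL retrieval, FW1_log is log forwarding) that is heading for an RFC 1918 address on the transfer LAN instead of the peer's official address. The following triage helper is an added example written for this thread, not code from the poster or from Check Point; the sample records are constructed to match the post, with TEST-NET addresses standing in for the "official IP" values the poster redacted.

```python
"""Triage helper for Check Point (NGX-era) log records of the kind quoted above.

Added example, not from the post. It parses 'key: value; key: value;' records,
flags IKE authentication failures (a reject_category or an 'invalid certificate'
notification) and flags management-plane services (FW1_ica_services, used by the
Internal CA for certificate/CRL retrieval, and FW1_log) whose destination is a
private address, i.e. traffic taking the transfer LAN rather than the official
address of the SmartCenter server.
"""
import ipaddress
import re

# Management-plane services named in the post (SmartCenter side).
MGMT_SERVICES = {"FW1_ica_services", "FW1_log"}

# Constructed sample records modelled on the post's log lines. 203.0.113.10 and
# 198.51.100.20 are documentation (TEST-NET) placeholders for the redacted
# "official IP" values; the 192.168.x.x records mirror the post verbatim.
SAMPLE_LOGS = [
    "<eth1c0 service_id: FW1_ica_services; src: 192.168.1.2; dst: 192.168.179.18; proto: tcp; rule: 0; message_info: Implied rule; product: VPN-1 & FireWall-1; service: FW1_ica_services; s_port: 2889;",
    ">daemon src: 203.0.113.10; dst: 198.51.100.20; peer gateway: 203.0.113.10; scheme: IKE; IKE: Main Mode Validation timed out.; CookieI: b1b32cfad011e233; CookieR: f415332b92dc7725; methods: 3DES + SHA1, RSA signatures; community: Spain; reject_category: Gateway to Gateway authentication failure; fw_subproduct: VPN-1; vpn_feature_name: IKE; product: VPN-1 & FireWall-1;",
    ">daemon src: 198.51.100.20; dst: 203.0.113.10; peer gateway: 203.0.113.10; scheme: IKE; IKE: Main Mode Sent Notification to Peer: invalid certificate; CookieI: b1b32cfad011e233; CookieR: f415332b92dc7725; community: Spain; fw_subproduct: VPN-1; vpn_feature_name: IKE; product: VPN-1 & FireWall-1;",
    "<eth1c0 service_id: FW1_log; src: 192.168.1.2; dst: 192.168.179.18; proto: tcp; rule: 0; message_info: Implied rule; product: VPN-1 & FireWall-1; service: FW1_log; s_port: 2890;",
    # Control record (constructed): an ordinary accepted session on a real rule number.
    "<eth1c0 src: 192.168.1.50; dst: 203.0.113.40; proto: tcp; rule: 3; service: https; s_port: 40211;",
]

_HEADER = re.compile(r"^\s*([<>])(\S+)\s*(.*)$")


def parse_record(line):
    """Split one record into (direction, origin, fields).

    direction is '<' or '>' as printed by the log viewer; origin is the
    interface or daemon name that follows it. Values may themselves contain
    ':' (the IKE message does), so each pair is split on the first colon only.
    """
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a Check Point log record: %r" % line)
    direction, origin, body = m.groups()
    fields = {}
    for item in body.split(";"):
        key, sep, value = item.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return direction, origin, fields


def _is_private(addr):
    """True for RFC 1918 / other private ranges; False for redacted placeholders."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def triage(lines):
    """Return one finding dict per suspicious record, in log order."""
    findings = []
    for line in lines:
        _direction, _origin, f = parse_record(line)
        service = f.get("service") or f.get("service_id")
        # Management-plane service heading for a private address: the gateway
        # is reaching SmartCenter over the transfer LAN, so CRL fetches and log
        # forwarding may never arrive at the official address.
        if service in MGMT_SERVICES and _is_private(f.get("dst", "")):
            findings.append({
                "kind": "mgmt_via_private_path",
                "service": service,
                "src": f.get("src"),
                "dst": f.get("dst"),
                "implied_rule": f.get("message_info") == "Implied rule",
            })
        # IKE authentication failures: an explicit reject category, or an
        # 'invalid certificate' notification exchanged with the peer.
        if f.get("scheme") == "IKE":
            ike_msg = f.get("IKE", "")
            if "reject_category" in f or "invalid certificate" in ike_msg:
                findings.append({
                    "kind": "ike_auth_failure",
                    "peer": f.get("peer gateway"),
                    "message": ike_msg,
                    "reason": f.get("reject_category", "invalid certificate"),
                    "cookie_i": f.get("CookieI"),
                })
    return findings


def correlate(findings):
    """Count IKE failures and management-plane misroutes seen together.

    Both being non-zero is the pattern in the post: certificate validation
    cannot complete because the ICA service is being reached on the wrong path.
    """
    ike = sum(1 for x in findings if x["kind"] == "ike_auth_failure")
    mgmt = sum(1 for x in findings if x["kind"] == "mgmt_via_private_path")
    return ike, mgmt


if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for item in results:
        print(item)
    print("IKE failures / mgmt misroutes:", correlate(results))
```

Feed it the export of a real log viewer session and the `correlate` pair tells you at a glance whether certificate failures coincide with ICA or log traffic leaving on a private interface; the `implied_rule` flag on a finding is the hint that the path is chosen by the implied rules rather than by anything in the rulebase, which is the situation the post describes.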