| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
Hi all, first time poster =) (please forgive me if this is in the wrong forum, but I thought Authentication was as good a place as any..)

Scenario. I have just finished migrating from a Windows server based NG55 system to a Crossbeam C6 based NGXR62 system. The transition went relatively smoothly considering the size of our site; however, in the process it seems that I managed to break Remote access.

Problem. When clients connect via the SecureRemote client using Username/Password authentication, it fails with the following IKE msg: "Negotiation with gateway xx.xx.xx.xx at site xx.xx.xx.xx has failed. VPN-1 Server could not find any certificate to use for IKE."

An interesting thing is that when I attempt to view the defaultCert under the Checkpoint Gateway VPN tab, it comes up with an error: "Failed to read certificate from database". Does this mean that I have a corrupted cert? I understand that, if this is the case, I may be able to simply remove it and it would be recreated? I need more info, as if I remove it, it will potentially break at least a dozen client IPSEC VPNs.
| |||
Did you change the IP address or hostname of the SmartCenter post-install? Sounds like your Root CA is invalid.

How did you perform the migration? If you were using the upgrade export/import tools, did the SmartCenter Server IP change for the new system?
| |||
Also, I've found some more possibly helpful info: when viewing the Certificates list inside the Checkpoint software, it says that the CA is the defaultCert 'internal_ca', yet when running cpconfig from the Linux root and selecting option 8 from the menu (Certificate Authority), it lists a different certificate?

It looks to me like the Linux box has the right certificate, however the Checkpoint software running on the management box has the wrong one? =/

"be gentle" :)
| |||
If you created a new config from scratch you might need to either:

- Update the site on SR (don't think will work)
- Delete and re-create the site on SR

Make sure your firewall object has VPN ticked and has a certificate created under the VPN tab. (well there is more to check, but this is a start)
| |||
Thanks. I managed to fix it by removing the firewall object from all 7 of our IPSEC tunnels, renewing the cert (had to change its name), then reinserting the firewall object back into the VPN sites.