CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1
2008-04-17
laurent (Junior Member)
Will an expired VPN certificate be a problem for an update?

Hello,

I'm performing an upgrade from R55 to R65 in a distributed environment. I just figured out that the VPN certificate of one of the clusters has been expired since last January (I am an external consultant in this company). However, VPNs are established correctly; they only get an error message when compiling the policies.

So my two little questions are:

1) Will the upgrade of the SmartCenter from R55 to R65 succeed with this certificate issue?

2) Can I change the certificate without impacting the VPN clients? (Normally yes, but I would like a confirmation.)

Thanks for your help, guys,
Laurent

#2
2008-04-17
chillyjim (Senior Member, Upstate NY)
Re: Will an expired VPN certificate be a problem for an update?

Is it the CA cert (the one on the SmartCenter) or the gateway's cert?

If it's the gateway's, just issue a new one. Clients will auth based on the CA cert being good.

I would fix this before you try to upgrade anything.

#3
2008-04-18
laurent (Junior Member)
Re: Will an expired VPN certificate be a problem for an update?

This is actually the certificate of the gateway cluster. The internal CA certificate is still valid.

I renewed it this morning but experienced a VPN problem (I know this may not be the right place to discuss this issue...): no IKE negotiation was possible anymore.
After restoring the previous config (with the former invalid certificate) the problem persisted.
The solution applied consisted in "widening" the Diffie-Hellman groups by adding DH-1 and DH-5 to the default DH-2. It is important to note that those 2 added groups (DH-1 and DH-5) were not activated before the certificate renewal.

The logs showed errors with the following messages:

- encryption fail reason: Packet is dropped because there is no valid SA
- IKE: Main Mode no common authentication methods between myself and peer
- encryption failure: Error occurred
- IKE: Main Mode Failed to match proposal: 3DES, SHA1, Pre-shared secret, Group 2 (1024 bit)
- encryption failure: Unknown SPI: 0x533871c7 for IPsec packet

Could someone help me with the following questions:

- Why was it impossible to have any IKE negotiation after the certificate renewal?
- Why did the rollback (using Database Revision Control) not work?
- Why did adding the DH-1 and DH-5 groups solve the problem?
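The log lines in the post above mix two layers: the two "IKE: Main Mode" messages concern Phase 1 (the IKE SA, where cipher, hash, authentication method and DH group are negotiated), while "no valid SA" and "Unknown SPI" concern Phase 2 (the IPsec SA carrying the traffic). The following is an added example, not code from the poster or from Check Point: a toy model of IKEv1 Main Mode Phase 1 proposal selection (the responder takes the first initiator transform it also accepts, as RFC 2409 describes) plus a classifier that sorts the five quoted messages by layer. The `Transform` type, the `DH_BITS` table, the transform sets and the mapping of message wording to failure axis are this example's own assumptions; whether the gateway's real negotiation code behaves exactly like this is not something the thread establishes.

```python
"""
Toy IKEv1 Phase 1 proposal matcher and log-line classifier.

Added example: not Check Point code and not the poster's code.  Transform
sets below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Modulus sizes of the classic MODP groups (RFC 2409 groups 1 and 2, RFC 3526 groups 5 and 14).
DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


@dataclass(frozen=True)
class Transform:
    """One Phase 1 transform: cipher, hash, authentication method, DH group."""
    enc: str
    hash: str
    auth: str        # e.g. "Pre-shared secret" or "RSA signatures" (certificate)
    dh_group: int

    def __str__(self) -> str:
        bits = DH_BITS.get(self.dh_group, "?")
        return f"{self.enc}, {self.hash}, {self.auth}, Group {self.dh_group} ({bits} bit)"


_PROPOSAL_RE = re.compile(
    r"^\s*(?P<enc>[^,]+),\s*(?P<hash>[^,]+),\s*(?P<auth>[^,]+),\s*Group (?P<g>\d+)"
)


def parse_proposal(text: str) -> Transform:
    """Parse a proposal written the way the thread's log line writes it."""
    m = _PROPOSAL_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised proposal: {text!r}")
    return Transform(m["enc"].strip(), m["hash"].strip(), m["auth"].strip(), int(m["g"]))


def select_phase1(offers: Iterable[Transform], accepts: Iterable[Transform]) -> Optional[Transform]:
    """Responder rule (RFC 2409): first offered transform that is acceptable locally, else None."""
    acceptable = set(accepts)
    for t in offers:
        if t in acceptable:
            return t
    return None


def explain_failure(offers: list, accepts: Iterable[Transform]) -> str:
    """
    Describe a failed Phase 1 match in the wording of the two lines quoted in
    the thread.  The split (authentication methods disjoint -> "no common
    authentication methods"; otherwise name the peer's unmatched proposal) is
    an assumption of this example, not a documented Check Point rule.
    """
    if not ({t.auth for t in offers} & {t.auth for t in accepts}):
        return "IKE: Main Mode no common authentication methods between myself and peer"
    return f"IKE: Main Mode Failed to match proposal: {offers[0]}"


# The five messages quoted in the post above, copied here as sample input.
LOG_LINES = [
    "encryption fail reason: Packet is dropped because there is no valid SA",
    "IKE: Main Mode no common authentication methods between myself and peer",
    "encryption failure: Error occurred",
    "IKE: Main Mode Failed to match proposal: 3DES, SHA1, Pre-shared secret, Group 2 (1024 bit)",
    "encryption failure: Unknown SPI: 0x533871c7 for IPsec packet",
]

# (pattern, IKE layer, what the message points at)
_LOG_RULES = [
    (re.compile(r"no common authentication methods"), "Phase 1 (IKE SA)",
     "authentication method: certificate vs pre-shared secret"),
    (re.compile(r"Failed to match proposal: (?P<detail>.+)$"), "Phase 1 (IKE SA)",
     "transform set: cipher, hash, auth method or DH group"),
    (re.compile(r"Unknown SPI: (?P<detail>0x[0-9a-fA-F]+)"), "Phase 2 (IPsec SA)",
     "inbound IPsec packet carries an SPI with no matching SA on this side"),
    (re.compile(r"no valid SA"), "Phase 2 (IPsec SA)",
     "no IPsec SA exists for this traffic"),
]


def classify(line: str) -> dict:
    """Map a gateway log line to the IKE layer it belongs to, with any extracted detail."""
    for pat, layer, hint in _LOG_RULES:
        m = pat.search(line)
        if m:
            return {"layer": layer, "hint": hint, "detail": m.groupdict().get("detail")}
    return {"layer": "unclassified", "hint": "generic error; read the neighbouring lines", "detail": None}


if __name__ == "__main__":
    peer_offer = [parse_proposal("3DES, SHA1, Pre-shared secret, Group 2 (1024 bit)")]
    cert_only = {Transform("3DES", "SHA1", "RSA signatures", 2)}      # constructed
    psk_groups = {Transform("3DES", "SHA1", "Pre-shared secret", g) for g in (1, 2, 5)}
    print("cert-only responder:", select_phase1(peer_offer, cert_only), "|", explain_failure(peer_offer, cert_only))
    print("PSK responder      :", select_phase1(peer_offer, psk_groups))
    for line in LOG_LINES:
        print(classify(line))
```

Running the block prints the two scenarios and the classification of each quoted line; the point of the model is that "no common authentication methods" and "Failed to match proposal" are decided before any certificate is validated, so a certificate renewal that changes the authentication method or transform set offered by either side shows up as a Phase 1 mismatch, while "Unknown SPI" and "no valid SA" are only the Phase 2 consequence of no IKE SA existing.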