CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi All,

I have a SmartCenter Server (NGXR60 HFA04, Win2k3) with an internal IP address. I have a module (SPLAT and NGXR60 HFA04) with an internal IP address. On the module object I have set the VPN link selection to use the external interface. I have a SecureClient with Integrity 25 user licensed locally to the module.

When I dial in I can connect OK. When I then hang up and dial in again it says no IKE cert found (something like that). If I then go back to the VPN link selection and change it from use the external IP address to use interface based on topology and install the policy, I can then dial in and connect OK, just the once; I then have to change the link selection again.

I have logged a call with our support folks and sent them cpinfo from manager and module (they have access to our user centre, so I am guessing that they have looked and seen that all is licensed correctly). They have sent it on to Check Point and they have come back and said change the module IP address to the external interface.

So, I thought VPN Link Selection meant you didn't have to do that anymore? The license is set to the internal IP address; can I simply change the module address and not touch the license because it is against an existing interface? Should I do this out of hours? Has anyone seen this before?

Any ideas would be most welcome.

Cheers,
George

Are you using central licensing or local licensing on the gateway? You should be using central. With central, the gateway license is tied to the management server IP. If you need to change the gateway IP, you use SmartUpdate to detach the license from the gateway, change the IP and re-attach the license. No muss, no fuss, no Check Point involvement.

Ray

Hi Ray,

I thought Link Selection cured this, oh well. I have 4 interfaces on this box; the one that leads to internal is a 10.x.x.x address and this is the one that is assigned to the firewall. Can I just change it in the properties tab to the external IP and push a policy? Or do I have to do more?

Thanks,
George

Hi George,

I have changed the gateway object IP on a number of occasions and it hasn't seemed to cause any issues. Regarding the link selection - is your topology defined correctly on the gateway? It's the only thing I can think of that would cause topology based link selection to cause you issues.

Hi All,

We fixed it. It turned out to be a corrupt IKE certificate in VPN. It's the only thing we could think of. We built a replica system and the thing worked as expected with original licenses, and yes, link selection works a treat.

The following will help even if it does say it's for a different version: sk22752. It does give an error message when trying to recreate the cert; ignore it, and when you edit the fw-module object again it gets created no probs.

Thanks to you all... again!

Cheers,
George