CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Trying to establish a VPN between a centrally managed gateway and a gateway cluster, I get the following sequence of errors.

Validation log: Certificate defaultCert cannot be validated. Reason: Certificate is revoked. DN: CN=###### VPN Certificate,O=####..vctd52 Instruction: Contact the CA administrator.
IKE: Main Mode Sent Notification to Peer: certificate unavailable
IKE: Phase1 Received Notification from Peer: certificate unavailable
service_id: tunnel_test message_info: Implied rule encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information

SIC is established and working. I have communication with the remote gateway and can push out policies without problems. Only the VPN is failing.

I set up each gateway and the management module to synchronize to our internal time server, but this did not fix the issue. I removed one gateway from the VPN, deleted the existing certificates and re-created them, then rejoined the VPN community, and this appears to have fixed the problem.

While checking on any time difference I did find a complaint for Nokia, though. There is no time zone setting for Saskatchewan, Canada. We do not follow DST here. I've set our gateways to GMT and, since we're using a Windows box as the management module, our logs are converted into local time.

I have this exact problem with a UTM-570 that I'm trying to install. I have tried doing exactly what this post says, and also: Solution ID: sk22752, Error: "I have no certificate to use for IKE". But I still have the exact same issue. The UTM is reporting it has 'certificate unavailable' or 'certificate invalid', but I can see it fine.

Here are a few logs from the remote firewall:

8:41:19 keyinst xxxFW2 >daemon scheme: NA; Validation log: Certificate defaultCert cannot be validated.; Reason: Could not retrieve CRL.; DN: CN=xxxGFW3 VPN Certificate,O=x.rdehc-tr.swest.nhs.uk.vxmuru ; Instruction: If this log persists, contact the CA administrator.; fw_subproduct: VPN-1; vpn_feature_name: IKE; product: VPN-1 & FireWall-1;

8:39:11 keyinst xxxFW2 >daemon src: xxxFW2; dst: xxx.exe.nhs.uk; peer gateway: xxx.exe.nhs.uk; scheme: IKE; IKE: Main Mode Sent Notification to Peer: invalid certificate; CookieI: 5ca12fef06162cec; CookieR: de639e22eea6439e; community: xxx_VPN; fw_subproduct: VPN-1; vpn_feature_name: IKE; product: VPN-1 & FireWall-1;

8:39:11 reject xxxFW2 >daemon src: xxx.exe.nhs.uk; dst: xxxxFW2; peer gateway: xxx.exe.nhs.uk; scheme: IKE; IKE: Main Mode Could not retrieve CRL.CN=xxx.exe.nhs.uk VPN Certificate,O=rxxx.rdehc-tr.swest.nhs.uk.vxmuru; CookieI: 5ca12fef06162cec; CookieR: de639e22eea6439e; methods: 3DES + MD5, RSA signatures; community: xxx_VPN; reject_category: Gateway to Gateway authentication failure; fw_subproduct: VPN-1; vpn_feature_name: IKE; product: VPN-1 & FireWall-1;

Very strange, and it's causing a big headache!

Sam

Last edited by menz456; 2008-09-01 at 02:53.

Looking at the error message "Certificate defaultCert cannot be validated.; Reason: Could not retrieve CRL", the gateway doesn't seem to be able to contact the CA on the Check Point Management Server.

I can ping the mgmt server. I can't see any drops at the mgmt server either. One thing that I can see is that the remote module is sending its requests to the mgmt server via its private IP address, and I don't know why. I'm sure this is why the packets aren't reaching the mgmt server. I've tried to add a manual NAT, but it still used the private IP? I'm not sure what else I can do. I have deleted the cert many times, and it's always pushed out again to the enforcement module fine.

Any ideas? I am so stressed with this one! VPNs are never easy these days.

Thanks
Sam

Last edited by menz456; 2008-09-01 at 07:24.

OK, your management server, I take it, is installed on one box with the gateway on the UTM-570 appliance. I am going to hazard a guess here that the IP of the UTM-570 appliance object is the internal IP address. You need to change this to the external IP address, and this should then work. Alternatively, you may find it easier to just use a pre-shared secret for authenticating the VPN, as you already have most of the work done. In general, if you must run your management and gateway on one box, then ensure that the box is identified through the external interface.

No, the management server is a dedicated server that sits behind a central Nokia cluster. This does have its main IP as the internal IP but has static NAT enabled. The UTM-570 is managed fine by this box (I can push policies etc. to it). The UTM-570 has its external IP. The issue is that the UTM-570 tries to talk to the management server on its private address, which is not routed, and these packets that originate from the 570 never reach the cluster.

Many thanks
Sam

OK, define a Check Point Host with the public IP address that the SmartCenter is NATted to. Say that it is a secondary management server. Create some manual NAT rules, if no auto NAT exists, that translate the IP of the new object to the internal IP of the SmartCenter. On the remote gateway, under Logs and Masters, change the definition so that it is specifically the new Check Point host with the public IP. You should now find that the system tries to use the public IP when accessing the SmartCenter. This should then work, as it is what I do when I have remote gateways.

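The checks implied by the logs posted earlier (a "Reason: Could not retrieve CRL" validation entry) and by the Logs and Masters fix above, as an added example that is not part of the thread and not a Check Point tool: a POSIX shell script that pulls the Reason and DN out of a validation log line, maps the reason to the remediation the thread arrived at, and then checks which address the gateway would use for each master listed in $FWDIR/conf/masters, flagging RFC 1918 addresses that a remote gateway cannot route to. The log line, the masters file, the hosts file, and the names smartcenter and xxxGFW3 are constructed samples; the [Section]/hostname layout of the masters file is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread and not a Check Point tool. Triage for the
# "Could not retrieve CRL" failure: pull the Reason/DN out of a validation log
# line, map it to the remediation the thread reached, and check which address
# this gateway would use for each master in $FWDIR/conf/masters, flagging
# RFC 1918 addresses that a remote gateway cannot route to. All input below is
# constructed; the [Section]/hostname layout of the masters file is assumed.

# Extract the "Reason:" field (fields are ';'-separated); drop the trailing '.'.
log_reason() {
    printf '%s\n' "$1" | sed -n 's/.*Reason: *\([^;]*\);.*/\1/p' | sed 's/\.$//'
}

# Extract the certificate DN from the same line, trimming trailing blanks.
log_dn() {
    printf '%s\n' "$1" | sed -n 's/.*DN: *\([^;]*\);.*/\1/p' | sed 's/ *$//'
}

# Map a validation reason to the remediation the thread arrived at.
advice_for() {
    case "$1" in
        "Certificate is revoked")
            echo "reissue: remove the gateway from the community, reset and re-create its certificate, re-add it" ;;
        "Could not retrieve CRL")
            echo "reachability: the gateway must reach the ICA on the management server (TCP 18264, FW1_ica_services) at a routable address" ;;
        *)
            echo "unknown reason: $1" ;;
    esac
}

# Exit 0 when a dotted-quad address is RFC 1918 private space.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Master hostnames from a masters file: skip blanks, comments and [Section] headers.
masters_hosts() {
    grep -v '^[[:space:]]*$' "$1" | grep -v '^[[:space:]]*#' | grep -v '^\[' | sort -u
}

# Resolve each master through a hosts-style file (stands in for /etc/hosts or DNS
# so this runs offline) and print "name ip PRIVATE|public" or "name unresolved".
# Returns 1 if any master is private or unresolved.
check_masters() {
    masters_file=$1; hosts_file=$2; rc=0
    for h in $(masters_hosts "$masters_file"); do
        ip=$(awk -v n="$h" '$2 == n { print $1; exit }' "$hosts_file")
        if [ -z "$ip" ]; then
            echo "$h unresolved"; rc=1
        elif is_private_ip "$ip"; then
            echo "$h $ip PRIVATE"; rc=1
        else
            echo "$h $ip public"
        fi
    done
    return $rc
}

# Constructed sample data modelled on the posted logs and on a remote gateway
# whose masters entry resolves to the SmartCenter's internal address.
SAMPLE_LOG='8:41:19 keyinst xxxFW2 >daemon scheme: NA; Validation log: Certificate defaultCert cannot be validated.; Reason: Could not retrieve CRL.; DN: CN=xxxGFW3 VPN Certificate,O=example.test.vxmuru ; Instruction: If this log persists, contact the CA administrator.; product: VPN-1 & FireWall-1;'
TMPD=$(mktemp -d)
MASTERS_FILE=$TMPD/masters
HOSTS_FILE=$TMPD/hosts
printf '[Policy]\nsmartcenter\n[Log]\nsmartcenter\n[Alert]\nsmartcenter\n' > "$MASTERS_FILE"
printf '10.1.1.5 smartcenter\n203.0.113.10 smartcenter-public\n' > "$HOSTS_FILE"

reason=$(log_reason "$SAMPLE_LOG")
echo "reason: $reason"
echo "dn:     $(log_dn "$SAMPLE_LOG")"
echo "advice: $(advice_for "$reason")"
check_masters "$MASTERS_FILE" "$HOSTS_FILE" \
    || echo "fix: under Logs and Masters select a host object carrying the SmartCenter's public (NATted) address"
```

On a real gateway, point check_masters at $FWDIR/conf/masters and /etc/hosts instead of the constructed files; a master that resolves to a private address from a gateway on the far side of NAT is exactly the symptom described in this thread. After the object is corrected and policy is pushed, clear any stale CRL cache on the gateway with `vpn crl_zap` before retesting the tunnel.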
This works, which is great, but... it seems like a bit of a 'fudge', and there was no reason that the UTM should be able to use the object that was already there, as it had NAT etc. already. Any ideas what was stopping the NAT working from the remote UTM?

Sam