CPUG: The Check Point User Group


Thread: VPN failing with Invalid Certificate error

  1. #1

    Hi Guys,

    I have an 1120 and a 12000 series firewall managed by the same management server. I am trying to build a tunnel between those and am getting an Invalid Certificate error; this is failing on MM Packet 6.

    Any idea what could be the issue?

  2. #2

    Are you using certs instead of a PSK on the VPN community used for this?
    Is this an incident or an ongoing implementation?

  3. #3

    Nah, this is just replacing the customer firewall with Check Point and being managed by the same management server. There is no option for creating a PSK, and by default it goes for cert-based authentication.

  4. #4

    Is it replacing a current Check Point gateway or replacing another vendor's hardware?
    Is it able to reach the CRL on the management? The issue can be that one of the gateways can't verify the certificate of the other. Check the masters file and check if you are retrieving the CRL correctly.

  5. #5

    Replacing Fortinet with Check Point. The management server is at HO while the 1120 is at a branch. I am able to push the policy centrally and am trying to build a tunnel between HO and branch, which is failing.

    So does gateway-to-gateway communication need certificate checking, or does the branch firewall need to communicate with the management server for the CRL?

  6. #6

    So is it that the remote gateway is not able to talk to the management server? But I can push the policy and logs are being seen in the tracker.

    Or is it that both gateways are not able to talk to each other? I am trying to implement the tunnel using Link Probing.

  7. #7

    Pushing the policy goes from management to the gateway, and CRL retrieval is the other way around. For instance, if you are NATing your management IP using auto-NAT it may not work due to the masters file in $FWDIR/conf.

    I would run a tcpdump on the branch office and see if a connection is established towards management for this specific case. I think the port is 18264.

    Each gateway will contact the CA to check the CRL and see if the cert is valid or not.

  8. #8

    Sounds like a CRL accessibility issue. Check both sides can get to the CRLs without any issue.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  9. #9

    Hi fellows,

    I have the same issue - trying to make a VPN between a centrally managed CP 1450 and a Security Gateway with the Security Management sitting behind the Gateway.

    [Image: cp1450-gw-vpn.jpg]

    Management is statically NATed on the Gateway.

    The VPN cannot be established, and with IKEView I see that the 1450 returns "Invalid-certificate".
    Also when the 1450 is trying to fetch the policy there is a warning message:
    "Warning: Attemped to fetch policy from an IP address that is different than the one used to fetch the certificate. Please check the management object's IP address in the SmartDashboard."

    [Image: cp1450-gw-error.jpg]

    It seems the CP 1450 knows about the private address of the Management Server and tries to communicate with it and not with the NATed address.
    Also it seems not to trust the certificate provided by the Management.

    Any help is appreciated.

  10. #10

    Quote Originally Posted by dilianch

    This is a classic situation for MGMT behind NAT. If your remote device is managed from the same MGMT server, there are two ways to resolve the issue:

    1. Make static NAT settings on the management object and not manual NAT rules.
    2. Create a dummy MGMT server object with the external NAT-ed IP address of the management server.

    On top, please make sure the CRL link on the MGMT server is available from the Internet even before the VPN is up.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
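The check the replies above describe (can the branch gateway open a session to the management CA port, and is the CRL it fetches actually current) as an added, stdlib-only Python example; this is not Check Point code or anything posted in the thread. The host and port used in a real run are placeholders, and SAMPLE_CRL is a constructed, unsigned DER CRL so the parser can be exercised offline.

```python
import datetime, socket   # stdlib only

def tcp_reachable(host, port, timeout=3.0):   # plain TCP connect to the CA port (thread: 18264)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def _tlv(buf, i):   # minimal DER walker: (tag, value, index just past the element)
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:   # long-form length
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def _time(tag, val):   # 0x17 UTCTime "YYMMDDhhmmssZ", 0x18 GeneralizedTime "YYYYMMDDhhmmssZ"
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(val.decode(), fmt).replace(tzinfo=datetime.timezone.utc)

def crl_status(der):   # -> (thisUpdate, nextUpdate or None) of a DER-encoded CRL
    _, cert_list, _ = _tlv(der, 0)        # CertificateList
    _, tbs, _ = _tlv(cert_list, 0)        # tbsCertList
    tag, _, i = _tlv(tbs, 0)              # optional version INTEGER, else signature alg
    if tag == 0x02:
        _, _, i = _tlv(tbs, i)            # signature AlgorithmIdentifier
    _, _, i = _tlv(tbs, i)                # issuer Name
    tag, val, i = _tlv(tbs, i)
    this_update, next_update = _time(tag, val), None
    if i < len(tbs):
        tag, val, _ = _tlv(tbs, i)        # nextUpdate is optional
        if tag in (0x17, 0x18):
            next_update = _time(tag, val)
    return this_update, next_update

def crl_is_current(der, now):   # a stale CRL fails the peer cert just like an unreachable one
    this_update, next_update = crl_status(der)
    return this_update <= now and (next_update is None or now <= next_update)

def _der(tag, payload):   # tiny encoder, short-form lengths only, for the constructed sample
    return bytes([tag, len(payload)]) + payload

_utc = lambda s: _der(0x17, s.encode())
_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
SAMPLE_CRL = _der(0x30, _der(0x30,                                   # constructed, unsigned sample
    _der(0x02, b"\x01") + _alg + _der(0x30, b"")                     # v2, sig alg, empty issuer
    + _utc("240101000000Z") + _utc("240108000000Z")                  # thisUpdate, nextUpdate
    + _der(0x30, _der(0x30, _der(0x02, b"\x10\x01") + _utc("240102000000Z")))  # one revoked entry
) + _alg + _der(0x03, b"\x00\xde\xad"))
```

On a gateway you would call tcp_reachable() with the management server's real (NATed, where applicable) address and port 18264, then run crl_status() over the CRL bytes you fetched; the signature is deliberately not verified here.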
