Re: [FW-1] invalid certificate on second external interface of VPN GW
Thanks for your comments, Carlos:

> -----Original Message-----
> From: Carlos Santos [mailto:[email protected]]
> Sent: Tuesday, August 19, 2003 3:35 PM
> To: [email protected]
> Subject: Re: [FW-1] invalid certificate on second external interface of VPN GW
>
> Hi Hans,
>
> Seems like you are using public key exchange to establish the Phase 1
> for the VPN tunnel.
>
> First of all you need to know that both public certificates on both
> gateways must be trusted... as you know CP has its own internal CA, so
> its public key will not be known and trusted elsewhere besides itself
> internally.

You lost me here. Why should the certs be exported/imported when CP is
capable of transporting them over the network? In the version of CP that
I use, any new gateway automagically starts using the internal CA in the
management server over the network.

> So if I am correct you will need first to export both internal CA
> certificates:
> Manage -> Servers and OPSEC Applications -> "internal_ca"
> Tab "Local management server" and click on "save as"
>
> Then import the key into each Gateway:
> Manage -> Servers and OPSEC Applications -> "New certificate Authority"
> Give it a name, and select "External Check Point CA" under the
> "Certificate Authority" drop down box.
> Go to the new tab "External Check Point CA", click on "get"
> and select the peer exported certificate.
>
> You are done; try the VPN.
>
> Another thing you need to know is that the peer gateway object you must
> have already created must be matched with the FQDN used to create the
> CA internal certificate during installation. If you don't know it, just
> click on "view" after importing the certificate; you will see something
> like O=gateway.domain.com..4gwy52 (forget about the last "..*" of course).
> This must be done, else they'll never be able to validate when resolving
> the name in the certificate with the peer gateway name... normally no one
> cares about giving a valid FQDN to a gateway, so I advise you to try it
> this way.

Yes, I also think the cert is checked against the hostname/IP address of
the peer. In my setup, gateway A only has one cert but two external
interfaces. The cert matches the hostname (= gwa-ext), which has the same
name as the first primary external interface (for example gwa-ext). But
the cert does not match the second external interface (for example
gwa-ext2). The remote gateways that try to make an SA through gwa-ext
will see a valid cert, but the remote gateways that try to make an SA
through gwa-ext2 will notify an invalid cert, and I won't get an SA
either :(

> Anyway give it a try.
>
> hope it helps, regards,
>
> Carlos
>
> >-----Original Message-----
> >From: Mailing list for discussion of Firewall-1
> >[mailto:[email protected]] On Behalf Of Hans Bayle
> >Sent: Monday, 18 August, 2003 18:56
> >To: [email protected]
> >Subject: [FW-1] invalid certificate on second external interface of VPN GW
> >
> >Hi,
> >
> >I'm running into problems with a VPN GW that has two external
> >interfaces.
> >
> >Here is our current situation:
> >
> >                     __ce-rtr1__internal WAN__other WAN vpn-1 gateways
> >                    /
> >                   /
> >192.168.25.0 -- A ---+---- B --- 192.168.24.0
> >                   \
> >                    \___ce-rtr2__ internet __ other Internet vpn-1 gateways
> >
> >Gateway A is running the management server and VPN-1,
> >its encryption domain is 192.168.25.0,
> >its internal interface is 192.168.25.1,
> >its first external interface connects to a customer edge router to the
> >Internet (ce-rtr2). It has its default gateway defined to that router.
> >Its second external interface connects to a subnet in which Gateway B
> >and another customer edge router that connects to an internal WAN.
> >
> >Gateway B is running VPN-1,
> >its encryption domain is 192.168.24.0,
> >its internal interface is 192.168.24.1,
> >its external interface connects to Gateway A and ce-rtr1.
> >
> >All previous routing issues have been solved.
> >
> >When I try to set up an IPSec tunnel between Gateway A and Gateway B or
> >one of the other WAN gateways, I see that the IKE handshake stops with the
> >message: "IKE: Phase1 received notification from peer: invalid
> >certificate".
> >
> >IKE setup between Gateway A and the Internet gateways doesn't give
> >problems.
> >We are using the internal CA for the certificates.
> >We are using the central licensing scheme, with the IP defined on Gateway
> >A's first interface.
> >If I swap the first and second interface on Gateway A, IKE setup will work
> >between Gateway A and the WAN gateways, but not between Gateway A and
> >the Internet gateways.
> >
> >Is this a license issue? Who gives a hint?
> >
> >Hans Bayle
> >Network Consultant
> >[email protected]
> >
> >+-----------------------------------------------------+
> >| Hans Bayle <[email protected]>                        |
> >| Technical Consultant                                 |
> >|                                                      |
> >| Zinopsys BV                                          |
> >| phone  +31 20 6123614                                |
> >| mobile +31 6 53948140                                |
> >| fax    +31 20 6123849                                |
> >| [email protected]                                     |
> >+-----------------------------------------------------+
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to [email protected]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[email protected]
> >=================================================
>
> Trusted Systems - http://www.trusted.pt
> Praça de Alvalade, n.º 6 - 6.º piso
> 1700-036 Lisboa, PORTUGAL
> Tel: +00
> Fax: +42
>
> --
>
> Privileged or confidential information may be contained in this
> message. If you are not the addressee indicated in this message, you
> may not copy or deliver this message to anyone. In such case, you
> should destroy this message and kindly notify the sender by reply
> email.
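The exchange above turns on one check: the peer compares the name in the gateway's certificate with the name of the gateway object it is talking to, and a single certificate issued for the first interface name (gwa-ext) cannot satisfy peers that reach the gateway through the second interface (gwa-ext2). The following is an added example, not code from the thread or from Check Point. It models that name check so the "invalid certificate" outcome can be predicted per peer before touching the VPN. It assumes, as Carlos describes, that the gateway identity sits in the O= component of the internal-CA subject with an ICA-added "..xxxx" tail, and it goes beyond the thread by also handling wildcard names and IP-literal identities; the peer names and the subject "O=gwa-ext..4gwy52" are constructed from the names Hans and Carlos use.

```python
"""Model of the peer-name check behind
"IKE: Phase1 received notification from peer: invalid certificate".

Added example for this thread, not Check Point code.  Assumption taken from
Carlos's mail: the gateway identity is the O= value of the internal-CA
subject minus its "..xxxx" tail (e.g. O=gateway.domain.com..4gwy52).
"""
import ipaddress
import re

# Tail such as "..4gwy52" appended by the internal CA (form taken from the thread).
_ICA_TAIL = re.compile(r"\.\.[0-9a-z]+$", re.IGNORECASE)


def parse_dn(dn: str) -> dict:
    """Split a 'CN=a, O=b' style DN into {ATTR: value}; first occurrence of an attribute wins."""
    comps = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        comps.setdefault(attr.strip().upper(), value.strip())
    return comps


def gateway_name_from_dn(dn: str) -> str:
    """Identity the peer compares with its gateway object: O= (fallback CN=) minus the ICA tail."""
    comps = parse_dn(dn)
    raw = comps.get("O") or comps.get("CN") or ""
    return _ICA_TAIL.sub("", raw).lower()


def _as_ip(text: str):
    """Return an ip_address object for an IP literal, None for anything else."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def name_matches(cert_name: str, presented_name: str) -> bool:
    """True when the certificate identity covers the name or address the peer reached the gateway through."""
    cert_name = cert_name.lower().rstrip(".")
    presented_name = presented_name.lower().rstrip(".")
    cert_ip, presented_ip = _as_ip(cert_name), _as_ip(presented_name)
    if cert_ip is not None or presented_ip is not None:
        # An IP literal matches only an identical IP literal; a name cert never covers an address.
        return cert_ip is not None and cert_ip == presented_ip
    if cert_name.startswith("*."):
        # Wildcard covers exactly one left-most label (RFC 6125 style), never the bare parent.
        head, sep, tail = presented_name.partition(".")
        return sep == "." and head != "" and "*" not in head and tail == cert_name[2:]
    return cert_name == presented_name


def phase1_name_check(cert_dn: str, peers: dict) -> dict:
    """Map each peer to whether its name check passes.

    peers: {peer_object_name: interface name the peer connects to}.  A False
    entry is a peer that would report 'invalid certificate' at Phase 1.
    """
    identity = gateway_name_from_dn(cert_dn)
    return {peer: name_matches(identity, via) for peer, via in peers.items()}


def uncovered_interfaces(cert_dn: str, interface_names) -> list:
    """Interface names the certificate does not cover; peers reaching the gateway
    through these need a certificate that carries that name before they can validate."""
    identity = gateway_name_from_dn(cert_dn)
    return [name for name in interface_names if not name_matches(identity, name)]


if __name__ == "__main__":
    # Constructed input modelled on Hans's setup: one cert for gwa-ext, two external interfaces.
    cert_dn = "O=gwa-ext..4gwy52"
    peers = {"gateway-B (internal WAN)": "gwa-ext2", "internet-gw": "gwa-ext"}
    for peer, ok in phase1_name_check(cert_dn, peers).items():
        print(f"{peer:26s} -> {'valid cert' if ok else 'invalid certificate'}")
    print("interfaces without a matching cert:",
          uncovered_interfaces(cert_dn, ["gwa-ext", "gwa-ext2"]))
```

Running it with the constructed input reports the internet-facing peer as valid and gateway B as "invalid certificate", and lists gwa-ext2 as the interface the certificate does not cover, which is the split Hans observes. Swapping the interfaces, as Hans tried, only moves the failure to the other set of peers; the check passes for both sets only when every interface name a peer connects to is covered by a certificate the peer trusts.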