Site VPN failed between Checkpoint AI R55 gateways

Archived from groups: comp.security.firewalls (More info?)

Hi All,

We are configuring new firewall in our local and remote office.
Check point AI R55 with HFA-02
Nokia IPSO 3.7.1
Windows 2000 SP4

Local vpn-1 pro enforcement module - Nokia IP 350
Local checkpoint express smart center server - Windows 2000
(Statically NATed and enabled control connection located in LAN)

Remote vpn-1 pro enforcement module - Nokia IP 130

We can push the policies no problem. But we are not getting log from
remote module.
Site vpn also failed even the time sync is correct.
We have the following error in local log file - IKE: phase 1 received
notification from peer, invalid certificate.
Remote firewall module log shows the following error message.
IKE : Main mode validation timed out.

Any help would be greatly appreciated.

Thanks & Regards
Sekar.
7 answers Last reply
More about site failed checkpoint gateways
  1. Archived from groups: comp.security.firewalls (More info?)

    SIC? has it been established between the FW and Nokia?


    "Shekar" <csekar21@yahoo.com> wrote in message
    news:5e014759.0404040414.4795cfa@posting.google.com...
    > Hi All,
    >
    > We are configuring new firewall in our local and remote office.
    > Check point AI R55 with HFA-02
    > Nokia IPSO 3.7.1
    > Windows 2000 SP4
    >
    > Local vpn-1 pro enforcement module - Nokia IP 350
    > Local checkpoint express smart center server - Windows 2000
    > (Statically NATed and enabled control connection located in LAN)
    >
    > Remote vpn-1 pro enforcement module - Nokia IP 130
    >
    > We can push the policies no problem. But we are not getting log from
    > remote module.
    > Site vpn also failed even the time sync is correct.
    > We have the following error in local log file - IKE: phase 1 received
    > notification from peer, invalid certificate.
    > Remote firewall module log shows the following error message.
    > IKE : Main mode validation timed out.
    >
    > Any help would be greatly appreciated.
    >
    > Thanks & Regards
    > Sekar.


    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.648 / Virus Database: 415 - Release Date: 3/31/2004
  2. Archived from groups: comp.security.firewalls (More info?)

    No problem with SIC, In fact i can push the policies without any problem.

    "Beoweolf" <Beoweolf@pacbell.net> wrote in message news:<TPVbc.45983$rB4.3033@newssvr25.news.prodigy.com>...
    > SIC? has it been established between the FW and Nokia?
    >
    >
    > "Shekar" <csekar21@yahoo.com> wrote in message
    > news:5e014759.0404040414.4795cfa@posting.google.com...
    > > Hi All,
    > >
    > > We are configuring new firewall in our local and remote office.
    > > Check point AI R55 with HFA-02
    > > Nokia IPSO 3.7.1
    > > Windows 2000 SP4
    > >
    > > Local vpn-1 pro enforcement module - Nokia IP 350
    > > Local checkpoint express smart center server - Windows 2000
    > > (Statically NATed and enabled control connection located in LAN)
    > >
    > > Remote vpn-1 pro enforcement module - Nokia IP 130
    > >
    > > We can push the policies no problem. But we are not getting log from
    > > remote module.
    > > Site vpn also failed even the time sync is correct.
    > > We have the following error in local log file - IKE: phase 1 received
    > > notification from peer, invalid certificate.
    > > Remote firewall module log shows the following error message.
    > > IKE : Main mode validation timed out.
    > >
    > > Any help would be greatly appreciated.
    > >
    > > Thanks & Regards
    > > Sekar.
    >
    >
    > ---
    > Outgoing mail is certified Virus Free.
    > Checked by AVG anti-virus system (http://www.grisoft.com).
    > Version: 6.0.648 / Virus Database: 415 - Release Date: 3/31/2004
  3. Archived from groups: comp.security.firewalls (More info?)

    If you are using pre-shared secret; try this suggested solution.

    Re-enter the preshared secrets for the firewall objects involved in VPN.
    This clearly applies only when pre-shared secrets are being used and may not
    always be the solution to the problem


    "Shekar" <csekar21@yahoo.com> wrote in message
    news:5e014759.0404042134.dd5adf4@posting.google.com...
    > No problem with SIC, In fact i can push the policies without any problem.
    >
    > "Beoweolf" <Beoweolf@pacbell.net> wrote in message
    news:<TPVbc.45983$rB4.3033@newssvr25.news.prodigy.com>...
    > > SIC? has it been established between the FW and Nokia?
    > >
    > >
    > > "Shekar" <csekar21@yahoo.com> wrote in message
    > > news:5e014759.0404040414.4795cfa@posting.google.com...
    > > > Hi All,
    > > >
    > > > We are configuring new firewall in our local and remote office.
    > > > Check point AI R55 with HFA-02
    > > > Nokia IPSO 3.7.1
    > > > Windows 2000 SP4
    > > >
    > > > Local vpn-1 pro enforcement module - Nokia IP 350
    > > > Local checkpoint express smart center server - Windows 2000
    > > > (Statically NATed and enabled control connection located in LAN)
    > > >
    > > > Remote vpn-1 pro enforcement module - Nokia IP 130
    > > >
    > > > We can push the policies no problem. But we are not getting log from
    > > > remote module.
    > > > Site vpn also failed even the time sync is correct.
    > > > We have the following error in local log file - IKE: phase 1 received
    > > > notification from peer, invalid certificate.
    > > > Remote firewall module log shows the following error message.
    > > > IKE : Main mode validation timed out.
    > > >
    > > > Any help would be greatly appreciated.
    > > >
    > > > Thanks & Regards
    > > > Sekar.
    > >
    > >
    > > ---
    > > Outgoing mail is certified Virus Free.
    > > Checked by AVG anti-virus system (http://www.grisoft.com).
    > > Version: 6.0.648 / Virus Database: 415 - Release Date: 3/31/2004


    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.650 / Virus Database: 416 - Release Date: 4/4/2004
  4. Archived from groups: comp.security.firewalls (More info?)

    Shekar (csekar21@yahoo.com) wrote:
    : No problem with SIC, In fact i can push the policies without any problem.


    : "Beoweolf" <Beoweolf@pacbell.net> wrote in message news:<TPVbc.45983$rB4.3033@newssvr25.news.prodigy.com>...
    : > SIC? has it been established between the FW and Nokia?
    : >
    : >
    : > "Shekar" <csekar21@yahoo.com> wrote in message
    : > news:5e014759.0404040414.4795cfa@posting.google.com...
    : > > Hi All,
    : > >
    : > > We are configuring new firewall in our local and remote office.
    : > > Check point AI R55 with HFA-02
    : > > Nokia IPSO 3.7.1
    : > > Windows 2000 SP4
    : > >
    : > > Local vpn-1 pro enforcement module - Nokia IP 350
    : > > Local checkpoint express smart center server - Windows 2000
    : > > (Statically NATed and enabled control connection located in LAN)
    : > >
    : > > Remote vpn-1 pro enforcement module - Nokia IP 130
    : > >
    : > > We can push the policies no problem. But we are not getting log from
    : > > remote module.
    : > > Site vpn also failed even the time sync is correct.
    : > > We have the following error in local log file - IKE: phase 1 received
    : > > notification from peer, invalid certificate.
    : > > Remote firewall module log shows the following error message.
    : > > IKE : Main mode validation timed out.


    Ok

    1) Did you define a rule in both modules policy to allow IKE. This will be before any encryption rules
    and allows the two module to exchange key information

    2) Did you export your CA information and install a certificate on the remote box and setup the appropriate
    trust for the cert's [From the error message it looks like you have the vpn define as a cert]. Is there a
    reson to use this instead of shared secret?

    3) Have you setup a rule to allow the enforcement module to completly talk with the management server

    Richard H. Miller, MCSE, CCSE+
    Information Security Manager
    Information Technology Security and Compliance
    Information Technology - Baylor College of Medicine
  5. Archived from groups: comp.security.firewalls (More info?)

    turn on VPN debug at the command prompt....("VPN debug on")... then read
    your logs.

    "Richard H Miller" <rick@bcm.tmc.edu> wrote in message
    news:c4s3kn$79m@gazette.corp.bcm.tmc.edu...
    > Shekar (csekar21@yahoo.com) wrote:
    > : No problem with SIC, In fact i can push the policies without any
    problem.
    >
    >
    >
    >
    > : "Beoweolf" <Beoweolf@pacbell.net> wrote in message
    news:<TPVbc.45983$rB4.3033@newssvr25.news.prodigy.com>...
    > : > SIC? has it been established between the FW and Nokia?
    > : >
    > : >
    > : > "Shekar" <csekar21@yahoo.com> wrote in message
    > : > news:5e014759.0404040414.4795cfa@posting.google.com...
    > : > > Hi All,
    > : > >
    > : > > We are configuring new firewall in our local and remote office.
    > : > > Check point AI R55 with HFA-02
    > : > > Nokia IPSO 3.7.1
    > : > > Windows 2000 SP4
    > : > >
    > : > > Local vpn-1 pro enforcement module - Nokia IP 350
    > : > > Local checkpoint express smart center server - Windows 2000
    > : > > (Statically NATed and enabled control connection located in LAN)
    > : > >
    > : > > Remote vpn-1 pro enforcement module - Nokia IP 130
    > : > >
    > : > > We can push the policies no problem. But we are not getting log from
    > : > > remote module.
    > : > > Site vpn also failed even the time sync is correct.
    > : > > We have the following error in local log file - IKE: phase 1
    received
    > : > > notification from peer, invalid certificate.
    > : > > Remote firewall module log shows the following error message.
    > : > > IKE : Main mode validation timed out.
    >
    >
    >
    > Ok
    >
    > 1) Did you define a rule in both modules policy to allow IKE. This will be
    before any encryption rules
    > and allows the two module to exchange key information
    >
    > 2) Did you export your CA information and install a certificate on the
    remote box and setup the appropriate
    > trust for the cert's [From the error message it looks like you have the
    vpn define as a cert]. Is there a
    > reson to use this instead of shared secret?
    >
    > 3) Have you setup a rule to allow the enforcement module to completly talk
    with the management server
    >
    > Richard H. Miller, MCSE, CCSE+
    > Information Security Manager
    > Information Technology Security and Compliance
    > Information Technology - Baylor College of Medicine
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >


    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.650 / Virus Database: 416 - Release Date: 4/4/2004
  6. Archived from groups: comp.security.firewalls (More info?)

    rick@bcm.tmc.edu (Richard H Miller) wrote in message news:<c4s3kn$79m@gazette.corp.bcm.tmc.edu>...
    > Shekar (csekar21@yahoo.com) wrote:
    > : No problem with SIC, In fact i can push the policies without any problem.
    >
    >
    >
    >
    > : "Beoweolf" <Beoweolf@pacbell.net> wrote in message news:<TPVbc.45983$rB4.3033@newssvr25.news.prodigy.com>...
    > : > SIC? has it been established between the FW and Nokia?
    > : >
    > : >
    > : > "Shekar" <csekar21@yahoo.com> wrote in message
    > : > news:5e014759.0404040414.4795cfa@posting.google.com...
    > : > > Hi All,
    > : > >
    > : > > We are configuring new firewall in our local and remote office.
    > : > > Check point AI R55 with HFA-02
    > : > > Nokia IPSO 3.7.1
    > : > > Windows 2000 SP4
    > : > >
    > : > > Local vpn-1 pro enforcement module - Nokia IP 350
    > : > > Local checkpoint express smart center server - Windows 2000
    > : > > (Statically NATed and enabled control connection located in LAN)
    > : > >
    > : > > Remote vpn-1 pro enforcement module - Nokia IP 130
    > : > >
    > : > > We can push the policies no problem. But we are not getting log from
    > : > > remote module.
    > : > > Site vpn also failed even the time sync is correct.
    > : > > We have the following error in local log file - IKE: phase 1 received
    > : > > notification from peer, invalid certificate.
    > : > > Remote firewall module log shows the following error message.
    > : > > IKE : Main mode validation timed out.
    >
    >
    >
    > Ok
    >
    > 1) Did you define a rule in both modules policy to allow IKE. This will be before any encryption rules
    > and allows the two module to exchange key information
    >
    > 2) Did you export your CA information and install a certificate on the remote box and setup the appropriate
    > trust for the cert's [From the error message it looks like you have the vpn define as a cert]. Is there a
    > reson to use this instead of shared secret?
    >
    > 3) Have you setup a rule to allow the enforcement module to completly talk with the management server
    >
    > Richard H. Miller, MCSE, CCSE+
    > Information Security Manager
    > Information Technology Security and Compliance
    > Information Technology - Baylor College of Medicine

    1. VPN comuunity rule allows from any and all service. Installed both
    firewalls
    2. I do not have export option since both firewalls are internally
    managed
    3. My first rule allows any service from remote firewall to management
    server

    My setup is like this,
    Local Firewall
    Nokia IP 350 - Enforcement Module (IPSO 3.7.1) (CP AI - R55 with
    HFA-2)
    Int interface - 10.65.16.1
    DMZ interface - 10.65.8.98
    Ext interface - 209.20.128.60.198

    Local Managment server
    Windows 2000 sp4 - Smart center (CP AI - R55 with HFA-2)
    IP address - 10.65.16.19 (Enabled static nat with ip address -
    209.20.128.199) (Also enabled the control connection)

    Remote firewall
    Nokia IP 130 - Enforcement Module (IPSO 3.7.1) (CP AI - R55 with
    HFA-2)
    Int interface - 10.86.16.1
    DMZ interface - 10.86.6.2
    Ext interface - 211.158.158.220

    First rule allows remote firewall to access management server (Service
    - ANY)
    also VPN community rule for site to site vpn (service - ANY)
    Remote gateway & local gateway is the member of community.
    Mangement server is also a Certificate authority. (Default)

    I can do SIC and push policies to remote firewall. But when I try to
    ping remote internal ip address, It is trying to establish the tunnel.
    But error msg shows ( IKE phase 1 - recieved notification from
    peer.invalid certificate) Even i am not receiving log from remote
    firewall.
    Both firewalls hosts file has the name and public IP address of
    firewall and management server. So no problem with name resolution.
    Date & time is correct in firewalls and management server.
  7. Archived from groups: comp.security.firewalls (More info?)

    csekar21@yahoo.com (Shekar) wrote in message news:<5e014759.0404071732.ed1fb91@posting.google.com>...
    > rick@bcm.tmc.edu (Richard H Miller) wrote in message news:<c4s3kn$79m@gazette.corp.bcm.tmc.edu>...
    > > Shekar (csekar21@yahoo.com) wrote:
    > > : No problem with SIC, In fact i can push the policies without any problem.
    > >
    > >
    > >
    > >
    > > : "Beoweolf" <Beoweolf@pacbell.net> wrote in message news:<TPVbc.45983$rB4.3033@newssvr25.news.prodigy.com>...
    > > : > SIC? has it been established between the FW and Nokia?
    > > : >
    > > : >
    > > : > "Shekar" <csekar21@yahoo.com> wrote in message
    > > : > news:5e014759.0404040414.4795cfa@posting.google.com...
    > > : > > Hi All,
    > > : > >
    > > : > > We are configuring new firewall in our local and remote office.
    > > : > > Check point AI R55 with HFA-02
    > > : > > Nokia IPSO 3.7.1
    > > : > > Windows 2000 SP4
    > > : > >
    > > : > > Local vpn-1 pro enforcement module - Nokia IP 350
    > > : > > Local checkpoint express smart center server - Windows 2000
    > > : > > (Statically NATed and enabled control connection located in LAN)
    > > : > >
    > > : > > Remote vpn-1 pro enforcement module - Nokia IP 130
    > > : > >
    > > : > > We can push the policies no problem. But we are not getting log from
    > > : > > remote module.
    > > : > > Site vpn also failed even the time sync is correct.
    > > : > > We have the following error in local log file - IKE: phase 1 received
    > > : > > notification from peer, invalid certificate.
    > > : > > Remote firewall module log shows the following error message.
    > > : > > IKE : Main mode validation timed out.
    > >
    > >
    > >
    > > Ok
    > >
    > > 1) Did you define a rule in both modules policy to allow IKE. This will be before any encryption rules
    > > and allows the two module to exchange key information
    > >
    > > 2) Did you export your CA information and install a certificate on the remote box and setup the appropriate
    > > trust for the cert's [From the error message it looks like you have the vpn define as a cert]. Is there a
    > > reson to use this instead of shared secret?
    > >
    > > 3) Have you setup a rule to allow the enforcement module to completly talk with the management server
    > >
    > > Richard H. Miller, MCSE, CCSE+
    > > Information Security Manager
    > > Information Technology Security and Compliance
    > > Information Technology - Baylor College of Medicine
    >
    > 1. VPN comuunity rule allows from any and all service. Installed both
    > firewalls
    > 2. I do not have export option since both firewalls are internally
    > managed
    > 3. My first rule allows any service from remote firewall to management
    > server
    >
    > My setup is like this,
    > Local Firewall
    > Nokia IP 350 - Enforcement Module (IPSO 3.7.1) (CP AI - R55 with
    > HFA-2)
    > Int interface - 10.65.16.1
    > DMZ interface - 10.65.8.98
    > Ext interface - 209.20.128.60.198
    >
    > Local Managment server
    > Windows 2000 sp4 - Smart center (CP AI - R55 with HFA-2)
    > IP address - 10.65.16.19 (Enabled static nat with ip address -
    > 209.20.128.199) (Also enabled the control connection)
    >
    > Remote firewall
    > Nokia IP 130 - Enforcement Module (IPSO 3.7.1) (CP AI - R55 with
    > HFA-2)
    > Int interface - 10.86.16.1
    > DMZ interface - 10.86.6.2
    > Ext interface - 211.158.158.220
    >
    > First rule allows remote firewall to access management server (Service
    > - ANY)
    > also VPN community rule for site to site vpn (service - ANY)
    > Remote gateway & local gateway is the member of community.
    > Mangement server is also a Certificate authority. (Default)
    >
    > I can do SIC and push policies to remote firewall. But when I try to
    > ping remote internal ip address, It is trying to establish the tunnel.
    > But error msg shows ( IKE phase 1 - recieved notification from
    > peer.invalid certificate) Even i am not receiving log from remote
    > firewall.
    > Both firewalls hosts file has the name and public IP address of
    > firewall and management server. So no problem with name resolution.
    > Date & time is correct in firewalls and management server.

    Hi,
    My problem has been resolved by doing the following.

    1) Install a NAT rule on the Remote module
    * Original Source: Remote module
    * Original Destination: INTERNAL IP address of the mgmt server
    * Original Service: ANY
    * Translated Source: original
    * Translated Destination: EXTERNAL IP address of the mgmt server
    * Transalted servcie: original

    2) Disable client side NATting for manual NAT rules
    Policy - Global properties - NAT - Uncheck 'Translate destination on client side'
Ask a new question

Read More

Firewalls Nokia VPN Networking