Hello Joe!
When you installed your new CA, the DN of your mgmt's certificate changed.
You will find this DN in the userc.c of the SC system several times, for
example:
:dn ("O=firewall.company.de.95kzqs")
Just do an update from the SecureClient GUI and everything should be ok.
If this isn't working, delete your userc.c and create a new one.
Hope this helps,
Regards,
Tobias
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Joe Clifton
> Sent: Thursday, February 24, 2005 18:16
> To: [email protected]
> Subject: Re: [FW-1] AW: [FW-1] AW: [FW-1] VPN client to
> firewall connection fails
>
> Thanks Tobias...
>
> I would fully agree with you...**IF** I was using
> certificates...but I'm
> only using username/password......Maybe it still affects it??
>
> Joe
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Lachmann,
> Tobias, PRE
> Sent: Thursday, February 24, 2005 2:51 AM
> To: [email protected]
> Subject: [FW-1] AW: [FW-1] AW: [FW-1] VPN client to firewall
> connection
> fails
>
> Hello Joe!
>
> If you change the internal CA, then the private/public key
> pair changes,
> too.
> In this case the already issued certificates are no longer
> valid, because
> the signature cannot be verified with the CA's new public key.
> I think that is what the error message wants to say.
>
> Try to delete the certificates and create new ones for the SC users.
>
> Now the certificates of the SC users are signed with a valid
> private key
> and can be verified with the public key of the CA.
>
> Maybe this is it.
>
> Regards,
>
> Tobias
>
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Clifton
> Sent: Thursday, February 24, 2005 03:31
> To: [email protected]
> Subject: Re: [FW-1] AW: [FW-1] VPN client to firewall connection fails
>
> Tobias,
>
> Yeah....Sorry the info was so sketchy. Some background info:
>
> I had to reinstall the SmartCenter server...and during that I
> had to do the
> random seed thing to generate a new CA. So I assume it has
> something to do
> with that. But I would figure that a topo update would take
> care of that?
> Maybe I should delete usersc.C on my SR laptop....and try again?
>
> Actually, though, I think I even tried a new install of SC/SR on a new
> laptop, but still to no avail....same error.....
>
> Using NGAI R55, with latest hot-fixes. FW-1/VPN-1 is on a
> crossbeam/secureplatform box, and the SmartCenter server is
> on a Windows
> 2003 server machine.
>
> Thanks for any assistance.
>
> Also....when I rebuilt the rule set....I maybe have farked up the VPN
> configuration...so don't rule that out either...
>
> TIA,
>
> Joe
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Lachmann,
> Tobias, PRE
> Sent: Wednesday, February 23, 2005 2:57 AM
> To: [email protected]
> Subject: [FW-1] AW: [FW-1] VPN client to firewall connection fails
>
> Hello Joe!
>
> Can you give us more information about the complete setup?
> What certificates do you use? Where do they come from?
>
> The message: "Cannot construct a valid certificate chain from peer
> certificates"
> indicates that the two certificates are not signed by the same
> (internal)-ca
> or that the certificates can't be validated by the
> participating partners in
> the vpn.
>
> Regards,
>
> Tobias
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Clifton
> Sent: Tuesday, February 22, 2005 17:37
> To: [email protected]
> Subject: [FW-1] VPN client to firewall connection fails
>
> Below is the error I am getting...this is a new install.
> Maybe I should
> re-create the CA??
>
>
>
> >Checking network connectivity...
> >Preparing connection...
> >Connecting to gateway...
> >Could not validate the certificate used by gateway FWKRE1F
> at site TU.
> >Cannot construct a valid certificate chain from peer certificates
> >IKE negotiation failed
> >Connection failed
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
=================================================
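
The failure discussed in this thread, reproduced with the openssl command-line tool as an added example (not part of the original messages and not Check Point tooling): a certificate issued by the old CA does not chain to the re-created CA, and a client that still trusts only the old CA cannot validate a gateway certificate issued by the new one. All DNs and file names are constructed; the differing suffixes stand in for the changed DN mentioned in the thread.

```shell
#!/bin/sh
# Added illustration; every DN and file name here is constructed.
# Requires the openssl command-line tool.

# make_ca <name> <subject>: self-signed CA with a fresh RSA key pair.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue <ca> <name> <subject>: leaf certificate signed by <ca>'s private key.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" >/dev/null 2>&1
}

# chain_ok <trusted-ca> <cert>: true only if <cert> verifies against <trusted-ca>.
chain_ok() {
    openssl verify -CAfile "$1.pem" "$2.pem" 2>&1 | grep -q ': OK$'
}

# demo: build the old and the re-created CA, then print one line per
# trust-anchor/certificate pair.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_ca ca_old "/O=fw.example.test.aaaaaa" &&
        issue ca_old user_old "/O=fw.example.test.aaaaaa/CN=sc-user" &&
        make_ca ca_new "/O=fw.example.test.bbbbbb" &&
        issue ca_new gw_new "/O=fw.example.test.bbbbbb/CN=gateway" || exit 1
        for pair in "ca_old user_old" "ca_new user_old" \
                    "ca_old gw_new" "ca_new gw_new"; do
            set -- $pair
            if chain_ok "$1" "$2"; then r=OK; else r=FAIL; fi
            echo "trust=$1 cert=$2 -> $r"
        done
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

The two FAIL lines are the cases from the thread: a certificate issued before the CA was re-created, and a client whose stored trust anchor predates it.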