Firewall-1

[FW-1] AW: [FW-1] VPN client to firewall connection fails

Subject: [FW-1] AW: [FW-1] VPN client to firewall connection fails
From: "Lachmann, Tobias, PRE" <Tobias.Lachmann AT PREMIERE DOT DE>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 24 Feb 2005 19:32:36 +0100

Hello Joe!

When you installed your new CA, the DN of your mgmt's certificate changed.
You will find this DN in the userc.c of the SC system several times, for 
example:

:dn ("O=firewall.company.de.95kzqs")

Just do an update from the SecureClient GUI and everything should be ok.
If this isn't working, delete your userc.c and create a new one.

Hope this helps,

Regards,

Tobias



> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Joe Clifton
> Sent: Thursday, February 24, 2005 18:16
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] AW: [FW-1] AW: [FW-1] VPN client to firewall connection fails
>
> Thanks Tobias...
>
> I would fully agree with you...**IF** I was using certificates...but I'm
> only using username/password......Maybe it still affects it??
>
> Joe
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Lachmann, Tobias, PRE
> Sent: Thursday, February 24, 2005 2:51 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] AW: [FW-1] AW: [FW-1] VPN client to firewall connection fails
>
> Hello Joe!
>
> If you change the internal CA, then the private/public key pair changes, too.
> In this case the already issued certificates are no longer valid, because
> the signature cannot be verified with the CA's new public key.
> I think that is what the error message wants to say.
>
> Try to delete the certificates and create new ones for the SC users.
>
> Now the certificates of the SC users are signed with a valid private key
> and can be verified with the public key of the CA.
>
> Maybe this is it.
>
> Regards,
>
> Tobias
>
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Joe Clifton
> Sent: Thursday, February 24, 2005 03:31
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] AW: [FW-1] VPN client to firewall connection fails
>
> Tobias,
>
> Yeah....Sorry the info was so sketchy.  Some background info:
>
> I had to reinstall the SmartCenter server...and during that I had to do the
> random seed thing to generate a new CA. So I assume it has something to do
> with that.  But I would figure that a topo update would take care of that?
> Maybe I should delete usersc.C on my SR laptop....and try again?
>
> Actually, though, I think I even tried a new install of SC/SR on a new
> laptop, but still to no avail....same error.....
>
> Using NGAI R55, with latest hot-fixes.  FW-1/VPN-1 is on a
> crossbeam/secureplatform box, and the SmartCenter server is on a Windows
> 2003 server machine.
>
> Thanks for any assistance.
>
> Also....when I rebuilt the rule set....I maybe have farked up the VPN
> configuration...so don't rule that out either...
>
> TIA,
>
> Joe
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Lachmann, Tobias, PRE
> Sent: Wednesday, February 23, 2005 2:57 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] AW: [FW-1] VPN client to firewall connection fails
>
> Hello Joe!
>
> Can you give us more information about the complete setup?
> What certificates do you use? Where do they come from?
>
> The message: "Cannot construct a valid certificate chain from peer
> certificates"
> indicates that the two certificates are not signed by the same (internal)-ca
> or that the certificates can't be validated by the participating partners in
> the vpn.
>
> Regards,
>
> Tobias
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Joe Clifton
> Sent: Tuesday, February 22, 2005 17:37
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] VPN client to firewall connection fails
>
> Below is the error I am getting...this is a new install. Maybe I should
> re-create the CA??
>
>
>
> >Checking network connectivity...
> >Preparing connection...
> >Connecting to gateway...
> >Could not validate the certificate used by gateway FWKRE1F at site TU.
> >Cannot construct a valid certificate chain from peer certificates
> >IKE negotiation failed
> >Connection failed
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
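
The effect described in the thread above (certificates issued before the internal CA was re-created no longer chain to it) can be reproduced with plain OpenSSL. This is an added example, not part of the original messages and not Check Point tooling; the CA subject, file names and the gw-before/gw-after host names are constructed, and the new CA deliberately reuses the old subject so that the failure comes from the key pair alone.

```shell
#!/bin/sh
# Constructed demo (not Check Point tooling): certificates issued by an
# internal CA stop chaining once that CA is re-created with a new key pair.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: self-signed CA with a fresh key pair. The subject is the
# same on every call, so only the key distinguishes one CA from the next.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=internal-ca.example" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert <ca> <host>: key pair and certificate for <host>, signed by <ca>.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 30 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# chain_ok <ca> <host>: exit status 0 only if <host>'s certificate verifies
# against <ca> as the sole trust anchor.
chain_ok() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca old_ca                 # original management install
issue_cert old_ca gw-before    # gateway certificate issued back then
make_ca new_ca                 # reinstall: new CA, new key pair
issue_cert new_ca gw-after     # certificate re-issued after the reinstall

for pair in "old_ca gw-before" "new_ca gw-before" "new_ca gw-after"; do
    set -- $pair
    if chain_ok "$1" "$2"; then result="chain OK"; else result="chain FAILS"; fi
    echo "$2 against $1: $result"
done
```

The middle case is the one that matters: the gateway certificate itself is unchanged, but the trust anchor it is checked against has been replaced, so no valid chain can be built until the certificate is re-issued.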
