You are using Hybrid IKE. The certificate is not created in the Certificates tab of the VPN-1/Firewall-1 network object, even though the “fw internalca create” command has been issued and “Internal CA created successfully” is displayed. Which of the following lists the most likely cause of the problem, and the appropriate remedy?
A. The distinguished name used in the “fw internalca create” and “fw internalca certify” commands is too long. In this case, use a shorter name.
B. Perform fwstop and move objects.sav, objects.bak and the other objects.* files out of the $FWDIR/conf directory, leaving only the objects.c file. Perform the “fw internalca create” and “fw internalca certify” commands again with the -force option.
C. Under the Firewall object > VPN > IKE > Support Authentication Methods, Hybrid is unchecked. Select Hybrid and stop and start the firewall.
D. The certificate created by the internal CA is somehow corrupt. Recreate the certificate with the -force option.
E. Options A and B.
Explanation:
Sadly, the “fw internalca X” commands have a length limitation on the distinguished name, which can cause errors. To resolve this, stop the firewall services and move some files out of the $FWDIR/conf directory (the exact files are listed in the documentation); once done, run the “fw internalca X” commands again with the “-force” option. See “Troubleshooting CA” in the Check Point NG online documentation.