topic Re: IKEv2 Remote Access guides? in Firewall and Security Management

IKEv2 Remote Access guides?

MikeH — Thu, 16 Mar 2023 01:05:30 GMT

We have a customer with a requirement to provide remote access connectivity using IKEv2 via the native operating system (no client) VPN supplicant (Windows, MacOS, possibly iOS and Android) and connect to Gateways running R80.40. Has anyone successfully done this and have any guides they'd be willing to share? Figured out how to navigate the conflicting encryption/authentication methods between the various OSes?

Re: IKEv2 Remote Access guides?

G_W_Albrecht — Thu, 16 Mar 2023 09:28:12 GMT

No. No secure solution available - and R80.40 will be end of support in 8 months...

Re: IKEv2 Remote Access guides?

_Val_ — Thu, 16 Mar 2023 09:51:55 GMT

Please refer to sk166415 for the answer, which is "No, not at this moment". If you have a business case for this, please raise an RFE through the usual channels.

Re: IKEv2 Remote Access guides?

lgarridor — Fri, 23 Aug 2024 19:55:11 GMT

This SK is also valid for Gaia embedded right?

Re: IKEv2 Remote Access guides?

PhoneBoy — Fri, 23 Aug 2024 21:59:44 GMT

It's not explicitly listed, but it should apply there as well.
Note that the release notes for R82 EA explicitly lists IKEv2 support.
It also requires specific Endpoint client versions.

R82 is planned for Embedded Gaia also.

Re: IKEv2 Remote Access guides?

Alex- — Sat, 24 Aug 2024 07:09:51 GMT

Interestingly, we find this in the release notes of R81.20 Take 70:

PRJ-48210,
PMTR-91011

VPN

IKEv2 Remote Access stability issues.

Re: IKEv2 Remote Access guides?

PhoneBoy — Mon, 26 Aug 2024 14:51:24 GMT

Yes, because some clients already use IKEv2:

Capsule VPN clients, which are largely wrappers around the built-in supplicants in the underlying OS, e.g. Windows).
Strongswan for Linux, which has been supported since R81.

R82 will add support for IKEv2 for our native (Windows, macOS) VPN clients.

Whether you will be able to configure IKEv2 in e.g. Windows without Capsule VPN is a separate question.

Re: IKEv2 Remote Access guides?

ccsjnw — Tue, 11 Feb 2025 14:24:19 GMT

Is there any update to this? I tried last week at CPX 2025 to get a definitive answer about this and hit a brick wall.

I am using R82 in a lab environment. IKE v2 is enabled. Capsule Connect for IOS connects and uses IKE v2, but the latest Windows Remote Access VPN Client (Check Point Mobile) E88.60 Build 986105801 still does not support IKE v2.

VPN connection is only possible when: "Prefer IKE v2, support IKE v1" is selected.

Capsule Connect for IOS connects and uses IKE v2 perfectly, but if "IKE 2 only" is selected, then the Windows VPN Client cannot connect. The documentation says it is supported.

My R82 Gateway is using the following settings for Remote Access VPN:

Phase 1: AES-256. SHA256, DH Group 21 (521-BIT ECP)
Phase 2: AES-256. SHA256.

The above works perfectly, but only when IKE v1 is supported.
I've tried low encryption settings, but it makes no difference to the IKE issue.

Re: IKEv2 Remote Access guides?

PhoneBoy — Tue, 04 Mar 2025 23:35:12 GMT

According to this, we support IKEv2 as of E88.40: https://support.checkpoint.com/results/sk/sk166415
However, it is not enabled by default and requires a registry hack to enable, which is why it isn't working with IKEv2 currently.

Re: IKEv2 Remote Access guides?

ccsjnw — Sun, 02 Mar 2025 00:12:45 GMT

Hello PhoneBoy,

Thanks very much for publishing the solution.

I can confirm that IKE v2 is now working with my R82 Lab setup using the Windows Remote Access VPN Client [E88.60] using the Registry modification 😃.

I'm assuming a future release of the Windows Remote Access VPN Client will remove the need to make a manual Registry change?

Re: IKEv2 Remote Access guides?

PhoneBoy — Mon, 03 Mar 2025 16:14:39 GMT

I assume so, yes.

Re: IKEv2 Remote Access guides?

ccsjnw — Tue, 11 Mar 2025 20:54:13 GMT

Since testing the disable_ikev2 Registry workaround with Remote Access VPN Client for Windows version E88.60 Build 986105801, and confirming IKEv2 did actually work, Check Point have now released the the Remote Access VPN Client for Windows version E88.63 Build 986105843 - and unfortunately the disable_ikev2 Registry workaround no longer works.

Update: 2025-03-11: The Remote Access VPN Client for Windows version E88.70 Build 986105912 doesn't work with the Registry workaround either. The only option is to re-enable the setting: Prefer IKEv2, support IKEv1 in Global Properties.

(The Remote Access VPN Client for Windows is installed in Check Point Mobile Mode)

The VPN connection fails with the message: The gateway does not support IKEv1.

This is really disappointing.

Can Check Point's official roadmap be shared as to when IKEv2 will be fully supported in the Remote Access VPN Client for Windows?

Also, just my observation, but why does the Remote Access VPN Client for Apple Mac seem to be getting all the attention, with major feature enhancements being released far sooner than the Windows version? In my experience, businesses have far greater dependencies on corporate Windows machines needing VPN access to the network, Mac's are rarely a priority in the corporate landscape.

Re: IKEv2 Remote Access guides?

PhoneBoy — Tue, 18 Mar 2025 22:21:52 GMT

I would report the issue with IKEv2 not working in the newer clients via TAC.

We paused our normal Harmony Endpoint releases on Windows for a period of time to address some performance, stability, and resource utilization issues, which should be fixed in E88.70 (see also the upcoming TechTalk: https://checkpoint.zoom.us/webinar/register/7716236883663/WN_H8rPnR5ETkOxoDh9kEdnag )
This impacts the standalone VPN clients also, which use the same code.
Meanwhile, we've had a couple of Harmony Endpoint releases on macOS (E89.01 being the most current).

I expect the Windows version will "catch up" to the Mac version in the coming weeks.