topic Re: Enabling IKEv2 on Windows clients in Endpoint

Enabling IKEv2 on Windows clients

flachance — Wed, 10 Jun 2026 15:05:08 GMT

So according to sk166415, to enable IKEv2 on Windows clients you need to make a registry change;

configure disable_ikev2 to 0 in HKLM\SOFTWARE\WOW6432Node\CheckPoint\TRAC, the reboot the device.

Is this the only way? Can't be done via trac_client_1.ttm? Or trac.config?

thanks

Re: Enabling IKEv2 on Windows clients

Aaron-pr — Wed, 10 Jun 2026 15:37:13 GMT

I have the exact same question and went through our account rep's technical expert trying to come up with a solution but nothing so far. With the latest CVE, Check Point needs to do an emergency release of the Check Point Endpoint Security VPN for Windows with IKEv2 enabled by default (or at least put a way to enable it within the GUI). Expecting that all users/situations will have the ability to modify the registry is not acceptable.

Re: Enabling IKEv2 on Windows clients

PhoneBoy — Wed, 10 Jun 2026 23:06:26 GMT

Right now, the registry is the only way to enable IKEv2 on the Remote Access clients...which also disables IKEv1 support.
Hopefully this will be addressed soon.

Re: Enabling IKEv2 on Windows clients

Lubomir_Cerny — Thu, 11 Jun 2026 07:42:37 GMT

So does it means, that gateway has possibility "Prefer ikev2, support ikev1" but client has only one option ? ie "ikev2 only" or "ikev1 only" ?

Re: Enabling IKEv2 on Windows clients

PhoneBoy — Thu, 11 Jun 2026 18:53:08 GMT

That's what at least one report on the community suggested.
Additional confirmation would certainly be helpful.

Re: Enabling IKEv2 on Windows clients

jorgeluiznim — Fri, 12 Jun 2026 14:27:28 GMT

As a workaround, I created a Compliance Rule under the policy (Application Control > Compliance & Posture > Compliance Rulebase) to automatically validate and remediate the registry setting required for IKEv2.

The rule checks Windows endpoints and verifies the existence/value of the registry key:

HKLM\SOFTWARE\WOW6432Node\CheckPoint\TRAC\disable_ikev2

If the key is not configured as required, the Compliance Rule performs a remediation action, updating the registry value to:

disable_ikev2 = 0

Configuration details:

Operating System: Windows All
Action Type: Applications/Files Check
Registry Check: Enabled
Registry Path: HKLM\SOFTWARE\WOW6432Node\CheckPoint\TRAC\disable_ikev2
Registry Value: 0
Action: Update
Registry Type: REG_DWORD
Validation: Check that the registry entry exists

This approach avoids the need to manually modify the registry on each endpoint and provides centralized enforcement through the Compliance Blade. A reboot is still required for the endpoint to fully apply the IKEv2 configuration, as described in SK166415.

Re: Enabling IKEv2 on Windows clients

Lubomir_Cerny — Fri, 12 Jun 2026 15:09:45 GMT

This or GPO is OK for internal users but can not be used for our external VPN users/contractors.
I hope future client versions will solve this.