https://community.checkpoint.com/t5/General-Topics/invalid-ike-sa/m-p/88535#M17789 That generally means your encryption domains are not subnetted/defined the same way on both sides.<BR />See here to debug: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600</A> Mon, 15 Jun 2020 03:07:39 GMT PhoneBoy 2020-06-15T03:07:39Z https://community.checkpoint.com/t5/General-Topics/invalid-ike-sa/m-p/88399#M17755 <P>hello.</P><P>I have a vpn between checkpoint and a 3rd party with a dynamically assigned IP address,</P><P>I can establish a tunnel only from one way (from the 3rd party) but not from the checkpoint.</P><P>it uses a certificate.</P><P>from vpnd I can see a lot of massages :&nbsp;</P><P>ikeSimpOrder::setPeer: peer is not a user (is user: 0) or invalid ike sa&nbsp;</P><P>is this message relevant and something has to be checked?&nbsp;</P><P>thank you.</P> Fri, 12 Jun 2020 11:13:27 GMT https://community.checkpoint.com/t5/General-Topics/invalid-ike-sa/m-p/88399#M17755 Pavel88 2020-06-12T11:13:27Z https://community.checkpoint.com/t5/General-Topics/invalid-ike-sa/m-p/88535#M17789 That generally means your encryption domains are not subnetted/defined the same way on both sides.<BR />See here to debug: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600</A> Mon, 15 Jun 2020 03:07:39 GMT https://community.checkpoint.com/t5/General-Topics/invalid-ike-sa/m-p/88535#M17789 PhoneBoy 2020-06-15T03:07:39Z