https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7492#M903 <HTML><HEAD></HEAD><BODY><P>Hi Danny,</P><P></P><P>I'll give your suggestions a try.</P><P></P><P>Thanks</P><P>Ron</P></BODY></HTML> Sun, 15 Oct 2017 21:39:58 GMT Ron_N 2017-10-15T21:39:58Z https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7489#M900 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm trying to setup a Site-to-Site connection between Azure VPN and Checkpoint vSec (R77.30) on AWS.</P><P>I was able to setup a connection using Azure Basic gateway with IKEv1.</P><P></P><P>Now I'm trying to setup between Azure VPN (High Performance) gateway and Checkpoint vSec (R77.30).</P><P></P><P>High Performance gateway uses IKEv2 and have applied the following IKE policy on Azure Gateway.</P><P>Phase 1: AES256, SHA384, DH14, SA 28800</P><P>Phase 2: AES256, SHA256, PFS2048, SA 3600</P><P></P><P>I'm getting the error: encryption failure: Ike version: ikev2 not supported for peer</P><P></P><P>I'm new to checkpoint. Would be great if someone could tell me what the error means and if IKEv2 is even supported for the above Phase 1 and 2 parameters.</P><P></P><P>Thanks</P><P>Ron</P></BODY></HTML> Sun, 15 Oct 2017 14:55:54 GMT https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7489#M900 Ron_N 2017-10-15T14:55:54Z https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7490#M901 <HTML><HEAD></HEAD><BODY><P>I'd recommend the following VPN configuration within Check Point for initial testing:</P><P><IMG __jive_id="60116" class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/60116_pastedImage_2.png" style="width: 620px; height: 343px;" /></P><P></P><P>As Phase 1 SA Lifetime is expressed by Check Point in minutes, while the Phase 2 SA Lifetime is expressed in seconds please make sure to enter 480 min (28800 sec).</P><P><IMG __jive_id="60112" class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/60112_pastedImage_1.png" style="width: auto; height: auto;" /></P><P></P><P>If that doesn't help as well, please perform a IKE debug as described in <A href="http://supportcontent.checkpoint.com/solutions?id=sk112139">sk112139</A> together with <A href="http://supportcontent.checkpoint.com/solutions?id=sk33327">sk33327</A>.</P></BODY></HTML> Sun, 15 Oct 2017 19:39:27 GMT https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7490#M901 Danny 2017-10-15T19:39:27Z https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7491#M902 <HTML><HEAD></HEAD><BODY><P>I'm pretty sure to use IKEv2 with Azure it must be a route-based VPN instead of domain-based.&nbsp; If you have CoreXL enabled on your gateway (which it is by default), you cannot do a route-based VPN on R77.30.&nbsp; Turning off CoreXL will slam all firewall inspection duties (not just VPN-related functions) onto one core no matter how many cores the firewall has.&nbsp; The performance impact of disabling CoreXL will range from minimal to utterly catastrophic depending on the total number of cores on the firewall.</P><P></P><P>If you upgrade the gateway to R80.10, route-based VPNs and CoreXL can be used together.</P><P></P><P>--<BR /> My book "Max Power: Check Point Firewall Performance Optimization" <BR /> now available via <A href="http://maxpowerfirewalls.com" target="_blank">http://maxpowerfirewalls.com</A>.</P></BODY></HTML> Sun, 15 Oct 2017 19:54:24 GMT https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7491#M902 Timothy_Hall 2017-10-15T19:54:24Z https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7492#M903 <HTML><HEAD></HEAD><BODY><P>Hi Danny,</P><P></P><P>I'll give your suggestions a try.</P><P></P><P>Thanks</P><P>Ron</P></BODY></HTML> Sun, 15 Oct 2017 21:39:58 GMT https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7492#M903 Ron_N 2017-10-15T21:39:58Z https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7493#M904 <HTML><HEAD></HEAD><BODY><P>Hi Tim,</P><P></P><P>Correct. I have route based VPN setup on Azure. The new gen VPN Gateways are only route based however applying IKE policy to the Azure connection enables gateway to establish connection to policy based devices.</P><P></P><P>I've also logged a support case with Azure support.</P><P></P><P>Thanks</P><P>Ron</P></BODY></HTML> Sun, 15 Oct 2017 21:47:46 GMT https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7493#M904 Ron_N 2017-10-15T21:47:46Z https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7494#M905 <HTML><HEAD></HEAD><BODY><P>Hi Danny, thanks for your suggestion, that got the VPN working.</P><P></P><P>Regards</P><P>Ron</P></BODY></HTML> Mon, 16 Oct 2017 01:16:25 GMT https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7494#M905 Ron_N 2017-10-16T01:16:25Z https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7495#M906 <HTML><HEAD></HEAD><BODY><P>Great. I updated our <A _jive_internal="true" href="https://community.checkpoint.com/docs/DOC-2272">Site-to-Site VPN Compatibility Matrix</A> accordingly.</P></BODY></HTML> Mon, 16 Oct 2017 07:00:24 GMT https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7495#M906 Danny 2017-10-16T07:00:24Z https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7496#M907 <HTML><HEAD></HEAD><BODY><P>Hi Ron,</P><P></P><P>I was wondering if you were able to share the configuration you used connecting to the Azure <STRONG>Basic</STRONG> VPN?</P><P></P><P>Many thanks</P><P>James</P></BODY></HTML> Mon, 07 Jan 2019 23:35:03 GMT https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7496#M907 James_Mcintosh 2019-01-07T23:35:03Z https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7497#M908 <HTML><HEAD></HEAD><BODY><P>Hey James,</P><P></P><P>Its been over a year, I don't really remember the configuration I had, but let me dig through my notes and see what I find out. I don't have access to checkpoint device at present but happy to spin up a quick trial on AWS to test it out with Azure Basic GW <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P></P><P>Thanks</P><P>Ron</P></BODY></HTML> Tue, 08 Jan 2019 21:32:07 GMT https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7497#M908 Ron_N 2019-01-08T21:32:07Z https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7498#M909 <HTML><HEAD></HEAD><BODY><P>Hi Ron,</P><P>That would be amazing if you could help me out!<BR />Many thanks</P><P>James</P></BODY></HTML> Tue, 15 Jan 2019 03:31:40 GMT https://community.checkpoint.com/t5/General-Topics/encryption-failure-Ike-version-ikev2-not-supported-for-peer/m-p/7498#M909 James_Mcintosh 2019-01-15T03:31:40Z