https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/113883#M9035 <P>We’ve supported SHA-256 for many many versions.<BR />Seems like some issue comes up with CAPI which is also…not new.<BR />Did TAC suggest:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk116997&amp;partition=Advanced&amp;product=Endpoint" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk116997&amp;partition=Advanced&amp;product=Endpoint</A></P> Thu, 18 Mar 2021 02:23:18 GMT PhoneBoy 2021-03-18T02:23:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/113828#M9034 <P>In our R81 lab we encountered an interesting issue with CAPI certificate enrollment for <STRONG><FONT color="#FF0000"><U>new</U> VPN users</FONT></STRONG>.<BR /><STRONG><FONT color="#339966">Existing VPN users don't experience this issue.</FONT></STRONG></P> <P>When using SHA256 for data integrity the VPN site creation within the VPN client succeeds, but afterwards the VPN connection to the R81 VPN server fails. With SHA1 connecting to the VPN server succeeds.</P> <P><STRONG>TAC support writes:</STRONG></P> <P><FONT color="#008080"><SPAN>According to the logs, our failure is most probably related to the hashing algorithm, which is currently SHA256<BR /><BR />[ 5048 8084][15 Mar 17:32:00][IKE] create_MM5(certificates authentication): Failed to sign hash (-996)<BR />[ 5048 8084][15 Mar 17:32:00][rais] [DEBUG] [RaisMessages::CreateMessageSet(s)] message: (msg_obj<BR />&nbsp;&nbsp; &nbsp;:format (1.0)<BR />&nbsp;&nbsp; &nbsp;:id (ClipsMessagesInternalError)<BR />&nbsp;&nbsp; &nbsp;:def_msg ("Internal error; connection failed. &nbsp;More details may be available in the logs")<BR />&nbsp;&nbsp; &nbsp;:arguments ()</SPAN></FONT><BR /><BR /><STRONG><FONT color="#008080">I suggest changing the data integrity hashing algorithm to SHA1 instead</FONT></STRONG></P> <OL> <LI><FONT color="#008080"><SPAN>Go to 'Global Properties &gt; Remote Access &gt; VPN – Authentication and Encryption &gt; Encryption algorithms &gt; IKE Security Association (Phase 1)'.</SPAN></FONT></LI> <LI><FONT color="#008080"><SPAN>Make sure that "SHA1" is selected under "Support Data Integrity".</SPAN></FONT></LI> <LI><FONT color="#008080"><SPAN>Select "SHA1" under "Use Data Integrity".</SPAN></FONT></LI> <LI><FONT color="#008080"><SPAN>Click "OK".</SPAN></FONT></LI> <LI><FONT color="#008080"><SPAN>Install policy.</SPAN></FONT></LI> </OL> <P><STRONG>Why doesn't Check Point R81 support the more secure SHA256 algorithm for VPN Remote Access for new users, which was working in previous versions? Tested with Endpoint Security Client <FONT color="#339966">E82.40</FONT> (<EM>working</EM>), <FONT color="#FF0000">E83.30 &amp; E84.50 not working.</FONT></STRONG></P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38469">@amitshr</a>&nbsp;</P> Wed, 17 Mar 2021 15:13:44 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/113828#M9034 Danny 2021-03-17T15:13:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/113883#M9035 <P>We’ve supported SHA-256 for many many versions.<BR />Seems like some issue comes up with CAPI which is also…not new.<BR />Did TAC suggest:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk116997&amp;partition=Advanced&amp;product=Endpoint" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk116997&amp;partition=Advanced&amp;product=Endpoint</A></P> Thu, 18 Mar 2021 02:23:18 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/113883#M9035 PhoneBoy 2021-03-18T02:23:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/113886#M9036 <P>According to the R&amp;D, it seems to be a bug, and it is currently investigated on their end.</P> Thu, 18 Mar 2021 05:26:03 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/113886#M9036 amitshr 2021-03-18T05:26:03Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/117715#M9037 <P>Any Update on this behaviour, may it get fixed in E81?</P> Wed, 05 May 2021 07:36:22 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/117715#M9037 Christoph_Hornu 2021-05-05T07:36:22Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/122592#M9038 <P>We hit the same issue with R80.40 JHF236,&nbsp; using machine certificate from CAPI and E84.00 client.<BR />Error messages in trac.log are the same.</P><P>Lowering Data Integrity to SHA1 is a working solution, but hope this bug will get fixed soon.</P> Wed, 30 Jun 2021 12:09:24 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R81-New-VPN-users-unable-to-establish-VPN-via-SHA256/m-p/122592#M9038 Dilian_Chernev 2021-06-30T12:09:24Z