topic Re: Ikev2 IDr : Behavior change in Version R81.10.08 in Spark Firewall (SMB)

Ikev2 IDr : Behavior change in Version R81.10.08

K_R_V — Wed, 06 Mar 2024 13:10:43 GMT

After upgrading 1570R firewalls from R81.10.05 b254 to R81.10.08 b711 , recommended by Check Point, we experienced outages on VPNs with third-party entities, primarily Cisco.

We noticed the IKEv2 IDr field transitioned from containing the IP address to now containing the hostname of the gateway. The problem was resolved by downgrading, and a comparison of the two "legacy_ikev2.xmll" files revealed the difference. In our case, the remote end was not able to change the field as this was a mandatory requirement.

https://support.checkpoint.com/results/sk/sk33822 scenario 1 does not seems to be applicable on spark devices.

TAC case is open, so normally, in 4 months, we will have a solution ! Keep this in mind when upgrading to this version when having VPN's with 3th parties .

Re: Ikev2 IDr : Behavior change in Version R81.10.08

Chris_Atkinson — Fri, 09 Feb 2024 11:14:23 GMT

When did you first perform the upgrades, per sk181079 can you confirm if it was impacting a GA build 1608 / 1683 vs something provided privately by TAC?

Re: Ikev2 IDr : Behavior change in Version R81.10.08

K_R_V — Fri, 09 Feb 2024 11:43:28 GMT

Upgrades are recently done and Build 1711 was provided by TAC as it resolves at least 3 issues we have with the 1683 build.

VMAC and G-ARP
CPHAMCSET PNOTE
Memory issues

Re: Ikev2 IDr : Behavior change in Version R81.10.08

ptuttle_2 — Tue, 13 Feb 2024 14:05:07 GMT

We can't even get a simple BGP peering up with this code.

The versions tested on the 1595r

R81.10.08 …558 (…683) (…610) ( BGP NOT Established)

Versions on the 1570r

R81.10.05 …254 (BGP Established_

R81.10.08 ….683 (BGP NOT Established)

Something is up with code.

Re: Ikev2 IDr : Behavior change in Version R81.10.08

Pedro_Espindola — Fri, 16 Feb 2024 21:04:25 GMT

Thank you for the heads up! It seems to be following on the same steps of enterprise Gaia, which also changed the behavior to use the main IP instead of the external IP.

I would recommend overriding the ID in the tunnel or in the global config first and then upgrade.

Re: Ikev2 IDr : Behavior change in Version R81.10.08

the_rock — Fri, 16 Feb 2024 22:34:09 GMT

That sounds right to me.

Best,

Andy

Re: Ikev2 IDr : Behavior change in Version R81.10.08

K_R_V — Tue, 20 Feb 2024 13:23:05 GMT

The problem can be resolved following scenario 2 in sk108600 (https://support.checkpoint.com/results/sk/sk108600) :

To enable IKE MM-ID based on routing on the Security Gateway:

Run:
ckp_regedit -a SOFTWARE/CheckPoint/VPN1 BestRoutingSenderIP True
Run:
cpstop ; cpstart

It is currently unknown why this behavior has changed in this version. The documentation still indicates that the default setting is the IP address, not the FQDN.

Re: Ikev2 IDr : Behavior change in Version R81.10.08

K_R_V — Tue, 12 Mar 2024 08:17:31 GMT

It is now documented : https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Configuring-Advanced-Site-to-Site-Settings.htm

In the R81.10.X releases, this feature is available starting from the R81.10.10
version.

Quantum Spark Spark gateways can configure IKEv2 ID Type to one of these:

An FQDN (this is the default).
An IP address (determined dynamically, based on the OS routing) - in R81.10.10 and
higher.