https://community.checkpoint.com/t5/Spark-Firewall-SMB/CP1575-L2TP-VPN-Remote-Access/m-p/272151#M13716 <P>The connection was established successfully,<BR />your advice helped.</P><P>The following restrictions apply:<BR />the 'IP address for Office Mode' parameter must be set in the Remote Access Users.<BR />Authorization algorithm - only SHA1<BR />PFS Group - only modp1024</P><P>I tried to influence the PFS Group using the parameter,<BR />\\SOFTWARE\\CheckPoint\\VPN1 users_hash_capacity<BR />replacing the value with 2048,<BR />but to no avail — the connection was don't established.</P><P>Can you tell me how to correctly configure the authorization algorithm and PFS Group parameters?</P> Sat, 28 Feb 2026 13:31:34 GMT PavelSpiridonov 2026-02-28T13:31:34Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/CP1575-L2TP-VPN-Remote-Access/m-p/271821#M13694 <P>Hello!</P><P>When attempting to establish an L2TP VPN connection between the CP1575 and a third-party router (Mikrotik),<BR />an error occurs: 'IKE failure: Quick Mode New DH key received during Quick Mode from peer, but Perfect Forward Secrecy is not set in the community.'<BR />However, the standard Windows L2TP client successfully connects to the CP1575.</P><P>This issue has already been discussed, but in that case, the client was Linux.</P><P>Unfortunately, the Linux solution isn't applicable in my case:<BR />the Mikrotik L2TP client doesn't have an option to affect the PFS parameter.</P><P>I noticed that the CP1575 has an 'Enable PFS' setting.<BR />However, it's only available under 'Site to Site VPN'.<BR />Is it possible to find such a setting for L2TP VPN?<BR />Perhaps it can be found through the Gaia Clish?</P> Tue, 24 Feb 2026 09:01:28 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/CP1575-L2TP-VPN-Remote-Access/m-p/271821#M13694 PavelSpiridonov 2026-02-24T09:01:28Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/CP1575-L2TP-VPN-Remote-Access/m-p/271885#M13702 <P>You can try to do the following two in Expert mode:</P> <UL> <LI>ckp_regedit -a \\SOFTWARE\\CheckPoint\\VPN1 force_ra_pfs -n 1</LI> <LI>fw_configload</LI> </UL> <P>These steps are similar to what's in the Remote Access VPN on non-Spark gateways:&nbsp;<A href="https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Remote-Access-Advanced-Configuration.htm#Perfect_Forward_Secrecy_(PFS)" target="_blank">https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Remote-Access-Advanced-Configuration.htm#Perfect_Forward_Secrecy_(PFS)</A><BR />The second step is the "install security policy" step.</P> <P>&nbsp;</P> Tue, 24 Feb 2026 23:42:47 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/CP1575-L2TP-VPN-Remote-Access/m-p/271885#M13702 PhoneBoy 2026-02-24T23:42:47Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/CP1575-L2TP-VPN-Remote-Access/m-p/272151#M13716 <P>The connection was established successfully,<BR />your advice helped.</P><P>The following restrictions apply:<BR />the 'IP address for Office Mode' parameter must be set in the Remote Access Users.<BR />Authorization algorithm - only SHA1<BR />PFS Group - only modp1024</P><P>I tried to influence the PFS Group using the parameter,<BR />\\SOFTWARE\\CheckPoint\\VPN1 users_hash_capacity<BR />replacing the value with 2048,<BR />but to no avail — the connection was don't established.</P><P>Can you tell me how to correctly configure the authorization algorithm and PFS Group parameters?</P> Sat, 28 Feb 2026 13:31:34 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/CP1575-L2TP-VPN-Remote-Access/m-p/272151#M13716 PavelSpiridonov 2026-02-28T13:31:34Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/CP1575-L2TP-VPN-Remote-Access/m-p/272251#M13721 <P>Not sure it is possible to do that, unfortunately.<BR />Suggest consulting with TAC.</P> Mon, 02 Mar 2026 17:41:12 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/CP1575-L2TP-VPN-Remote-Access/m-p/272251#M13721 PhoneBoy 2026-03-02T17:41:12Z