flachance
MVP Silver

Enabling IKEv2 on Windows clients

So according to sk166415, to enable IKEv2 on Windows clients you need to make a registry change:

configure disable_ikev2 to 0 in HKLM\SOFTWARE\WOW6432Node\CheckPoint\TRAC, then reboot the device.

Is this the only way? Can't it be done via trac_client_1.ttm? Or trac.config?

thanks

6 Replies
Aaron-pr
Explorer

I have the exact same question and went through our account rep's technical expert trying to come up with a solution but nothing so far. With the latest CVE, Check Point needs to do an emergency release of the Check Point Endpoint Security VPN for Windows with IKEv2 enabled by default (or at least put a way to enable it within the GUI). Expecting that all users/situations will have the ability to modify the registry is not acceptable.  

PhoneBoy
Admin

Right now, the registry is the only way to enable IKEv2 on the Remote Access clients...which also disables IKEv1 support.
Hopefully this will be addressed soon.

Lubomir_Cerny
Contributor

So does it mean that the gateway has the option "Prefer IKEv2, support IKEv1" but the client has only one option, i.e. "IKEv2 only" or "IKEv1 only"?

PhoneBoy
Admin

That's what at least one report on the community suggested.
Additional confirmation would certainly be helpful. 

jorgeluiznim
Contributor

As a workaround, I created a Compliance Rule under the policy (Application Control > Compliance & Posture > Compliance Rulebase) to automatically validate and remediate the registry setting required for IKEv2.

The rule checks Windows endpoints and verifies the existence/value of the registry key:

HKLM\SOFTWARE\WOW6432Node\CheckPoint\TRAC\disable_ikev2

If the key is not configured as required, the Compliance Rule performs a remediation action, updating the registry value to:

disable_ikev2 = 0

Configuration details:

  • Operating System: Windows All
  • Action Type: Applications/Files Check
  • Registry Check: Enabled
  • Registry Path: HKLM\SOFTWARE\WOW6432Node\CheckPoint\TRAC\disable_ikev2
  • Registry Value: 0
  • Action: Update
  • Registry Type: REG_DWORD
  • Validation: Check that the registry entry exists

This approach avoids the need to manually modify the registry on each endpoint and provides centralized enforcement through the Compliance Blade. A reboot is still required for the endpoint to fully apply the IKEv2 configuration, as described in SK166415.

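As an added example (it is not part of any post above and not Check Point's own tooling), the PowerShell below does in script form what the sk166415 registry change in the original post and the Compliance Rule in the previous reply both describe: check that HKLM\SOFTWARE\WOW6432Node\CheckPoint\TRAC\disable_ikev2 exists as a REG_DWORD equal to 0, write it if it does not, read the value back, and report whether a reboot is still outstanding. The key path, value name and value are the ones given in the thread; the function names, the -WhatIf audit mode and the shape of the returned object are my additions. It assumes an elevated 64-bit PowerShell session on a Windows endpoint with the Endpoint Security VPN client installed (WOW6432Node is the 32-bit registry view on 64-bit Windows, which is why the path looks the way it does). Because PhoneBoy's reply says the same flag also disables IKEv1 in the client, it should only be rolled out to endpoints whose gateway already accepts IKEv2.

```powershell
# Added example: audit/remediate the IKEv2 registry flag described in sk166415.
# Not Check Point code. Assumes: 64-bit Windows (hence the WOW6432Node view),
# Endpoint Security VPN client installed, elevated PowerShell (HKLM is admin-only).
# Per PhoneBoy's reply in this thread, disable_ikev2=0 also turns off IKEv1 in
# the client, so only roll this out where the gateway already accepts IKEv2.

$TracKey   = 'HKLM:\SOFTWARE\WOW6432Node\CheckPoint\TRAC'   # path from the thread
$ValueName = 'disable_ikev2'                                  # value name from sk166415
$Desired   = 0                                                # 0 = IKEv2 enabled

function Get-TracIkeV2State {
    # Returns the raw state of the value without changing anything, so the same
    # function can back a read-only compliance check.
    param([string]$KeyPath, [string]$Name)

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        # No TRAC key at all: the client is most likely not installed. Creating the
        # key here would report "compliant" on a machine with nothing to configure.
        return [pscustomobject]@{ KeyExists = $false; ValueExists = $false; Value = $null; Kind = $null }
    }

    $key = Get-Item -LiteralPath $KeyPath
    if ($key.GetValueNames() -contains $Name) {
        return [pscustomobject]@{
            KeyExists   = $true
            ValueExists = $true
            Value       = $key.GetValue($Name)
            Kind        = $key.GetValueKind($Name)   # expect DWord (REG_DWORD)
        }
    }
    [pscustomobject]@{ KeyExists = $true; ValueExists = $false; Value = $null; Kind = $null }
}

function Set-TracIkeV2State {
    # Mirrors the Compliance Rule in the thread: compliant only when the value
    # exists, is REG_DWORD and equals $Desired; otherwise write it. -WhatIf gives
    # a pure audit run, -Verbose shows what would be (or was) written.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$KeyPath, [string]$Name, [int]$Desired)

    $state = Get-TracIkeV2State -KeyPath $KeyPath -Name $Name
    if (-not $state.KeyExists) {
        throw "Registry key $KeyPath not found; is the Endpoint Security VPN client installed?"
    }

    $compliant = $state.ValueExists -and $state.Kind -eq 'DWord' -and $state.Value -eq $Desired
    if ($compliant) {
        Write-Verbose "$KeyPath\$Name is already REG_DWORD $Desired; nothing to do."
        return [pscustomobject]@{ Compliant = $true; Changed = $false; RebootRequired = $false; Before = $state.Value; After = $state.Value }
    }

    $result = [pscustomobject]@{ Compliant = $false; Changed = $false; RebootRequired = $false; Before = $state.Value; After = $state.Value }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$Name", "Set REG_DWORD to $Desired")) {
        # -Force replaces an existing value of any type (e.g. a REG_SZ "0") with a DWORD.
        New-ItemProperty -LiteralPath $KeyPath -Name $Name -Value $Desired -PropertyType DWord -Force | Out-Null

        # Read back rather than trusting the write; a protected or redirected key
        # would otherwise look remediated when it is not.
        $after = Get-TracIkeV2State -KeyPath $KeyPath -Name $Name
        if (-not ($after.ValueExists -and $after.Kind -eq 'DWord' -and $after.Value -eq $Desired)) {
            throw "Write to $KeyPath\$Name did not take effect (read back: $($after.Value), $($after.Kind))"
        }
        $result.Compliant      = $true
        $result.Changed        = $true
        $result.RebootRequired = $true   # sk166415: the client only picks the flag up after a reboot
        $result.After          = $after.Value
    }
    $result
}

# Example run. Add -WhatIf to audit without writing anything.
$r = Set-TracIkeV2State -KeyPath $TracKey -Name $ValueName -Desired $Desired -Verbose
$r | Format-List
if ($r.RebootRequired) {
    Write-Warning 'disable_ikev2 was changed; reboot the endpoint before the client will use IKEv2 (sk166415).'
}
```

Run with -WhatIf first on a handful of machines to see which ones are missing the value or carry it with the wrong type; the script deliberately refuses to create the TRAC key itself, so a machine without the client shows up as an error rather than as a false "compliant". The returned object (Compliant, Changed, RebootRequired, Before, After) is meant to be collected by whatever runs the script, since the reboot step cannot be verified from the registry alone.
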
Lubomir_Cerny
Contributor

This or GPO is OK for internal users but cannot be used for our external VPN users/contractors.
I hope future client versions will solve this.
