Arturxr
Contributor

Check Point 77.30 VPN S2S

Hello, I need to set up a VPN between Router 1 and Check Point 77.30 so that we can access Private Net 2 and Private Net 3 from Private Net 1.

Check Point has access to these networks.

As far as I understand, our only option for this is to set up a classic S2S (Domain-Based VPN).

The Route Based VPN option is out of the question, as 77.30 has limitations and this setting will not work on this version, otherwise we will have to disable CoreXL, which could lead to a denial of service.


Could you please tell me if I understand correctly that this way I can easily set up a VPN by adding the Private Net 2 and Private Net 3 subnets to the encryption domain on Check Point 77.30?

[Attached diagram: vpnvpn.png]

11 Replies
emmap
MVP Gold CHKP

Yes, that is a very old, very not supported version, I don't remember about disabling CoreXL for VTIs back then (it's certainly not a limitation in current versions) but you definitely don't want to be doing that. For domain based VPN, yes the two private nets need to be in the encryption domain.

PhoneBoy
Admin

sk108958 and sk61701 mention that R77.30 and earlier require disabling CoreXL to use VTIs.
And, of course, I echo the sentiments to upgrade to a supported version.

HeikoAnkenbrand
MVP Diamond

R77.30 has been out of support since September 2019 😉

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Lesley
MVP Gold

Time to scrap this firewall, sorry but this is too old. Worrying about DoS should be the lowest item on the list 😉

-------
Please press "Accept as Solution" if my post solved it 🙂
the_rock
MVP Diamond

Put it this way. Yes, R77.30 is totally unsupported, but the way domain-based VPN works with CP has not changed in a long time. Mind you, before R80, there was a known thing with Cisco S2S VPN where supernetting had to be disabled, since CP would try to send the largest possible subnet, though, say, Cisco would have been expecting to receive a /24.

So, as @emmap correctly mentioned, just ensure the right subnets are in the corresponding VPN domains and you should be good.

If it fails, make sure to go to GuiDBedit and search for the value ike_use_largest_possible_subnets and set it to false, if it's set to true.

Hope that helps.

Good luck!

Best,
Andy
"Have a great day and if it's not, change it"
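The supernet mismatch Andy describes, modelled as an added example (not code from the thread or from Check Point): with the largest-possible-subnet behaviour on, two adjacent /24s in the encryption domain are offered as one /23 proxy ID, which a peer whose crypto ACL lists each /24 separately will not accept. The addresses are constructed, and merging only adjacent networks is a simplification of the gateway's real logic.

```python
import ipaddress

# Constructed sample addressing (not from the thread): Private Net 2 and 3 are adjacent /24s.
PRIVATE_NET_2 = "10.2.0.0/24"
PRIVATE_NET_3 = "10.2.1.0/24"
ENCRYPTION_DOMAIN = [PRIVATE_NET_2, PRIVATE_NET_3]
# Assumed router-side crypto ACL: one entry per /24, exactly mirroring the encryption domain.
ROUTER_ACL = [PRIVATE_NET_2, PRIVATE_NET_3]


def proposed_selectors(encryption_domain, use_largest_possible_subnets):
    """Model the Phase 2 proxy IDs the gateway offers for its encryption domain.

    With the supernet option on, adjacent networks are merged into the largest
    covering subnet (simplified model of the gateway behaviour); with it off,
    every network in the domain is offered exactly as defined.
    """
    nets = [ipaddress.ip_network(n) for n in encryption_domain]
    if use_largest_possible_subnets:
        return list(ipaddress.collapse_addresses(nets))
    return nets


def selector_accepted(proposed, acl):
    """A responder accepts a proxy ID only if it lies inside one of its ACL entries.

    A supernet of an ACL entry is broader than the entry, so it is rejected.
    """
    entries = [ipaddress.ip_network(e) for e in acl]
    return any(proposed.subnet_of(entry) for entry in entries)


def check_phase2(encryption_domain, acl, use_largest_possible_subnets):
    """Return (all_ok, [(selector, accepted), ...]) for the proposals the peer would see."""
    results = [
        (str(p), selector_accepted(p, acl))
        for p in proposed_selectors(encryption_domain, use_largest_possible_subnets)
    ]
    return all(ok for _, ok in results), results


if __name__ == "__main__":
    for flag in (True, False):
        ok, detail = check_phase2(ENCRYPTION_DOMAIN, ROUTER_ACL, flag)
        print(f"ike_use_largest_possible_subnets={flag}: tunnel_ok={ok} {detail}")
```

Running it shows the /23 proposal being rejected while the two /24 proposals both match, which is the symptom to look for in the IKE Phase 2 logs before touching the GuiDBedit value.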
the_rock
MVP Diamond

@Arturxr 

Not sure if these values even exist in GuiDBedit in R77.30, but you can check.

ike_enable_supernet
ike_p2_enable_supernet_from_R80.20
ike_use_largest_possible_subnets

Best,
Andy
"Have a great day and if it's not, change it"
Arturxr
Contributor

Could you please tell me if it's possible to set it up so that I can build an L2TP tunnel to a Check Point with IPsec encryption, i.e. configure the Cisco as a client?

Chris_Atkinson
MVP Platinum CHKP

Typically the legacy application where we see this is the Windows L2TP client (or Android/iOS) connecting to a Check Point gateway.

CCSM R77/R80/ELITE
Vincent_Bacher
MVP Silver

As several other Mates have already pointed out, R77.30 has been out of support for many years. I honestly can’t think of any scenario today where it still makes sense to invest time and effort into this version.

So I’m genuinely curious:
Why do you specifically need a solution on R77.30?

From the community’s perspective, the natural first step would normally be to migrate to a supported release and then look at a technical solution on a current platform.

It would help a lot to understand the background or constraints that make R77.30 a requirement here. Once we know that, we can provide more targeted guidance.


and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Diamond

I'm sure it might be possible, but as everyone else has said, R77.30 is totally obsolete, so to me it would be pointless to even entertain the idea.

Best,
Andy
"Have a great day and if it's not, change it"
_Val_
Admin

The only reasonable way forward is to remove the obsolete Security Gateway and use a supported version.
