Create a Post
Showing results for 
Search instead for 
Did you mean: 

IKEV2 With Cisco ASA

I have a pair of FW on Azure infrastructure. However, I'm not able to establish VPN using IKEV2 from the checkpoint FW to Cisco ASA.

Anyone set VPN up with Cisco ASA before using IKEv2?




6 Replies

This really is not a lot to go on, but I believe I have done this in the past.

Take a look at this old thread in CPUG:

and see if anything there can be of use to troubleshoot.


My experience with Cisco is that setting up a VPN tunnel is very difficult, because Cisco is very strict with it's configuration.

Most of the time you have a encryption domain mismatch, thus why I would recommend to request the CLI configuration of said Cisco ASA, which will show you how it is exactly configured.

My recommendation is to first configure a (Domain-based) VPN IPSec Tunnel

After that has been setup, see if the tunnel comes up by initiating traffic.

If not, perform an IKE debug and to read it with IKEVIEW (Check Point tool).


If it is a mismatch in encryption domains, you have to modify the user.def to specify exactly what should be negotiated.


The following SK's will help you with the troubleshooting: 

- Location of crypt.def: sk98241

- Location of user.def: sk98239

- Configure encryption domains to negotiate sk108600 - Scenario1

What information is required to troubleshoot the VPN related issues? sk40114

How to generate a valid VPN debug, IKE debug and FW Monitor: sk33327

- IKEView utility: sk30994


Hope this helps!


Kind regards,





Hello Mate,

May thanks for your contribution.

Just to add more context to my question, on the checkpoint FW side, the requirement is to hide our internal LAN and so we’ve been asked to NAT to another Private Subnet so this can be advertised as VPN domain. This looks like Private to Private NAT. The traffic looks like this:

CHECKPOINT LAN (10.151.X.X)---->Private subnet (172.x.x.x/24)Public IP (52.X.X.X)------VPN(IKEv2)----->Public (208.X.X.X)Private subnet (207.x.x.x/24) ASA

Any suggestion on how to make this happen will be of great help.




- use IKEv1

- use lower DH groups for example 5

- use main mode

- check first with PSK

- check same phase 1 and phase 2 settings

- check supernet issues



Or see this SK:

VPN Site-to-Site with 3rd party


I would recommend only lowering the DH group temporary, as this is actual one of the most important component in the IPSec VPN security.
As a best practice, it is now recommended to use DH 14 or higher.
The lower the DH group, the easier the keys can be cracked.