This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mlinko
Contributor
‎2025-09-15 02:09 AM

VPN IPSec Tunnel with Sophos IKEv2 Issue

Dear all,

we have an IPSec Tunnel with a customer that has Sophos GW. If we use Ikev1 the tunnel work without a problem, but if we change to IKEv2 then it doesn't work. 

Error on our side: 

invalid Syntax

 

Error on the other side:

invalid SPI

I'd be glad if someone can share their experience with the so called "free Firewall software". No mater which "Software" based Firewall it is, we always have problems with it.

Thank you and kind regards!
Rok

0 Kudos
16 Replies
Danny
MVP Platinum
MVP Platinum
‎2025-09-15 02:49 AM

IKEv2 between VPN gateways of different vendors has been an issue for many years.
I've created a VPN compatibility matrix for Check Point to document our community experience of IKEv2 with other vendors.

the_rock
MVP Diamond
MVP Diamond
‎2025-09-15 03:20 AM
In response to Danny

Nice one @Danny . Btw, does that still apply?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-09-15 03:19 AM

I actually had this issue with large hospital using CP to PAN and it turned out they were using wrong peer ID, since for a long time they used IP from general properties of the CP smart console object, but one day when we did debug and worked with TAC, Tier 3 guy told us that it changed, so they had to use link selection setting.

Just something to verify.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-09-16 08:10 AM

Hey @Mlinko 

Any luck with this?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Mlinko
Contributor
‎2025-09-28 10:18 PM
In response to the_rock

Dear Andy and Danny,

Thank you for your help, I'll let you know how it turned out after a debugging session with a client.

KR
Rok

Mlinko
Contributor
‎2025-09-28 10:47 PM
In response to Mlinko

The NIS2 directive will hit us any time now, that is why we want to "prepare" and reconfigure the VPN Tunnels with our clients to IKEv2.

the_rock
MVP Diamond
MVP Diamond
‎2025-09-29 02:21 AM
In response to Mlinko

I would say its more less the norm these days to use ikev2.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-01 06:31 AM
In response to Mlinko

Hey mate,

Any luck yet with this?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Mlinko
Contributor
‎2025-10-13 12:58 AM
In response to the_rock

No luck at all, the only thing that we need to test ist - One vpn tunnel per GW Pair. Then it's debuging time, but the last time we didn't see anything - actually only that the Encryption Domain is not correct... I don't know what kind of settings are possible on the other side...

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-13 01:05 AM
In response to Mlinko

What are the settings currently?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Mlinko
Contributor
‎2025-10-14 05:18 AM
In response to the_rock

IKE 1
1440  min

IKE 2 

3600s

VPN Tunnel Sharing:
One VPN Tunnel per subnet pair

Preview file
24 KB
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-14 05:28 AM
In response to Mlinko

I would debug both sides and see what gives.

Andy

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond
MVP Diamond
‎2025-10-14 09:02 PM
In response to Mlinko

Btw, any relevant logs from Sophis side?

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Mlinko
Contributor
‎2025-10-14 09:54 PM
In response to the_rock

No, that is the problem! I didn't see any logs from the Sophos side... I don't know how your experience is with the customers/partners but they are usually not willing to give their logs or configurations...

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-15 12:21 AM
In response to Mlinko

Personally, I never have that issue. Any customer I work with is more than willing to send anything needed for troubleshooting. Anyway, that aside, lets see what we can do to try solve this for you.

If there is nothing we can rely on from Sophos side as far as logs, I saw in your description that error showed invalid SPI, which is always 100%, phase 2 issue. Can you double check phase 2 settings? Ensure vpn domains are fine as well.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-09-29 02:18 AM
In response to Mlinko

Sounds good!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events