This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ray_Hugh
Participant
‎2018-03-06 11:58 AM

VPN tunnel encryption method

I'm not sure if this is in the right section, but this is the closest I can find.

I am trying to set up an IKE v2 tunnel on R75.20.  I see inbound and outbound SAs when I use the vpn tu command.  However, in the log, it shows as dropped because there is no valid SA, and I see that it is trying to do AES256/SHA1 even though it's set up as AES256/SHA256.

7 Replies
AlekseiShelepov
Advisor
‎2018-03-06 01:12 PM

Like this?

Traffic does not pass over Site-to-Site VPN tunnel when choosing SHA-256 for IKE Phase 2 negotiation 

0 Kudos
Kim_Moberg
Advisor
‎2018-06-12 09:56 AM
In response to AlekseiShelepov

Hi Alex

Is this also an issues r80.10 take 103?

I have issues when I 3 party wants to use IkeV2 only and with AES-256/SHA256 DH 19 both ike and ipsec phases.

Will work around also work for this r80.10 release?


Best Regards
Kim
0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-12 11:55 AM
In response to Kim_Moberg

Shouldn't be as the issue in the SK was that SHA256 wasn't supported for VPN.

You might need to open a TAC case to troubleshoot.

0 Kudos
Ray_Hugh
Participant
‎2018-03-06 01:49 PM

Well, the solution sounds great, but the problem is my customer wants ONLY SHA256. I can set mine to SHA1 or something else other than SHA256 like the KB says, but that won't complete the SA.  There are no SAs when I look in "vpn tu".  There are SAs only when I use SHA256.

0 Kudos
AlekseiShelepov
Advisor
‎2018-03-06 02:17 PM
In response to Ray_Hugh

There is another possible solution in the sk:

This problem was fixed. The fix is included in:

Check Point R75.40

Check Point recommends to always upgrade to the most recent version...

For R75.20 and R75.30, Check Point can supply a Hotfix. Contact Check Point Support to get a Hotfix for this issue.

You have created this thread in All Places > Management (R80.10) > Discussions. Do you have R80.10 version installed somewhere? Is R75.20 on the gateway on your side, from which you configure VPN? Do you have a tunnel with SHA256 working on this R75.20 gateway with other peers? 

You can try to establish and test this tunnel on SHA1 (from both ends) first. If it works and then stops working after switching to SHA256, most probably it is because R75.20 has known issues with SHA256. This software version is pretty old:

Major VersionGeneral AvailabilityAffected VersionsSupport Until
Check Point R75.20August 2011R75.20, R75.30August 2015

   

   

0 Kudos
Ray_Hugh
Participant
‎2018-03-06 02:24 PM

We are planning to upgrade to R77.30, but I am not sure when that is going to happen.  At the moment, I am checking to see if the hotfix will fix the issue (working through our support to get that).  As for this being in the R80.10 group, I do apologize for that, but there was nothing else that was anywhere close to this topic.  And I know it does work with IKE v2 and SHA1, if it's set up on both sides.

Thanks for the suggestions.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-06 02:38 PM
In response to Ray_Hugh

The correct place to post about this is General Product Topics‌ which is where I moved this.

For future reference, see also: All Products and Where To Post About Them 

As noted above R75.20 is End of Support.

While there may be a hotfix for this issue, if it happens to be incompatible with your particular environment, your only choice to resolve the issue is to upgrade.

0 Kudos