I'm not sure if this is in the right section, but this is the closest I can find.
I am trying to set up an IKE v2 tunnel on R75.20. I see inbound and outbound SAs when I use the vpn tu command. However, in the log, it shows as dropped because there is no valid SA, and I see that it is trying to do AES256/SHA1 even though it's set up as AES256/SHA256.
Is this also an issue in R80.10 take 103?
I have issues when a 3rd party wants to use IKEv2 only, with AES-256/SHA256 and DH 19 for both the IKE and IPsec phases.
Will the workaround also work for this R80.10 release?
Shouldn't be, as the issue in the SK was that SHA256 wasn't supported for VPN.
You might need to open a TAC case to troubleshoot.
Well, the solution sounds great, but the problem is my customer wants ONLY SHA256. I can set mine to SHA1 or something else other than SHA256 like the KB says, but that won't complete the SA. There are no SAs when I look in "vpn tu". There are SAs only when I use SHA256.
There is another possible solution in the sk:
This problem was fixed. The fix is included in:
Check Point R75.40
Check Point recommends to always upgrade to the most recent version...
For R75.20 and R75.30, Check Point can supply a Hotfix. Contact Check Point Support to get a Hotfix for this issue.
You have created this thread in All Places > Management (R80.10) > Discussions. Do you have R80.10 version installed somewhere? Is R75.20 on the gateway on your side, from which you configure VPN? Do you have a tunnel with SHA256 working on this R75.20 gateway with other peers?
You can try to establish and test this tunnel on SHA1 (from both ends) first. If it works and then stops working after switching to SHA256, most probably it is because R75.20 has known issues with SHA256. This software version is pretty old:
Major Version | General Availability | Affected Versions | Support Until |
---|---|---|---|
Check Point R75.20 | August 2011 | R75.20, R75.30 | August 2015 |
We are planning to upgrade to R77.30, but I am not sure when that is going to happen. At the moment, I am checking to see if the hotfix will fix the issue (working through our support to get that). As for this being in the R80.10 group, I do apologize for that, but there was nothing else that was anywhere close to this topic. And I know it does work with IKE v2 and SHA1, if it's set up on both sides.
Thanks for the suggestions.
The correct place to post about this is General Product Topics which is where I moved this.
For future reference, see also: All Products and Where To Post About Them
As noted above R75.20 is End of Support.
While there may be a hotfix for this issue, if it happens to be incompatible with your particular environment, your only choice to resolve the issue is to upgrade.