encryption failure: Ike version: ikev2 not supported for peer
Hi,
I'm trying to set up a Site-to-Site connection between Azure VPN and Check Point vSec (R77.30) on AWS.
I was able to set up a connection using the Azure Basic gateway with IKEv1.
Now I'm trying to set up a connection between the Azure VPN (High Performance) gateway and Check Point vSec (R77.30).
The High Performance gateway uses IKEv2, and I have applied the following IKE policy on the Azure gateway.
Phase 1: AES256, SHA384, DH14, SA 28800
Phase 2: AES256, SHA256, PFS2048, SA 3600
I'm getting the error: encryption failure: Ike version: ikev2 not supported for peer
I'm new to Check Point. It would be great if someone could tell me what the error means and if IKEv2 is even supported for the above Phase 1 and 2 parameters.
Thanks
Ron
I'd recommend the following VPN configuration within Check Point for initial testing:
As the Phase 1 SA Lifetime is expressed by Check Point in minutes, while the Phase 2 SA Lifetime is expressed in seconds, please make sure to enter 480 min (28800 sec).
If that doesn't help either, please perform an IKE debug as described in sk112139 together with sk33327.
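The unit mismatch Danny points out (Check Point takes the Phase 1 lifetime in minutes, Azure in seconds) is easy to get wrong by hand. The following is an added example, not code from the thread or from Check Point or Azure: it models the two sides' proposals from Ron's post, normalises the lifetime units and DH group names, and lists any differences. The group-name mappings are assumptions (Azure's DHGroup14 and PFS2048 and Check Point's "Group 14 (2048 bit)" are all 2048-bit MODP).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed name mappings: Azure policy values and Check Point GUI labels -> MODP group number
AZURE_DH = {"DHGroup2": 2, "DHGroup14": 14, "DHGroup24": 24}
AZURE_PFS = {"None": None, "PFS2": 2, "PFS2048": 14, "PFS24": 24}
CP_GROUP = {None: None, "Group 2 (1024 bit)": 2, "Group 14 (2048 bit)": 14, "Group 24 (2048 bit)": 24}


def _alg(name: str) -> str:
    # "AES-256" and "AES256" denote the same algorithm; compare in one canonical form
    return name.replace("-", "").upper()


@dataclass
class Phase:
    encryption: str
    integrity: str
    dh_group: Optional[int]
    lifetime_seconds: int


def azure_policy(ike_enc: str, ike_int: str, dh: str, ipsec_enc: str, ipsec_int: str,
                 pfs: str, ike_life: int = 28800, sa_life: int = 3600) -> Tuple[Phase, Phase]:
    """Azure IKE policy: both lifetimes are given in seconds."""
    return (Phase(_alg(ike_enc), _alg(ike_int), AZURE_DH[dh], ike_life),
            Phase(_alg(ipsec_enc), _alg(ipsec_int), AZURE_PFS[pfs], sa_life))


def checkpoint_community(p1_enc: str, p1_hash: str, p1_group: str, p1_minutes: int,
                         p2_enc: str, p2_hash: str, p2_group: Optional[str],
                         p2_seconds: int) -> Tuple[Phase, Phase]:
    """Check Point community settings: Phase 1 renegotiation in minutes, Phase 2 in seconds."""
    return (Phase(_alg(p1_enc), _alg(p1_hash), CP_GROUP[p1_group], p1_minutes * 60),
            Phase(_alg(p2_enc), _alg(p2_hash), CP_GROUP[p2_group], p2_seconds))


def compare(azure: Tuple[Phase, Phase], cp: Tuple[Phase, Phase]) -> List[str]:
    """Return human-readable differences between the two sides; an empty list means they line up."""
    problems = []
    for name, a, c in (("Phase 1", azure[0], cp[0]), ("Phase 2", azure[1], cp[1])):
        for field in ("encryption", "integrity", "dh_group", "lifetime_seconds"):
            av, cv = getattr(a, field), getattr(c, field)
            if av != cv:
                problems.append(f"{name} {field}: Azure={av} CheckPoint={cv}")
    return problems


if __name__ == "__main__":
    # Ron's Azure policy versus a community where 28800 was typed into the minutes field
    az = azure_policy("AES256", "SHA384", "DHGroup14", "AES256", "SHA256", "PFS2048")
    cp = checkpoint_community("AES-256", "SHA384", "Group 14 (2048 bit)", 28800,
                              "AES-256", "SHA256", "Group 14 (2048 bit)", 3600)
    print("\n".join(compare(az, cp)) or "proposals match")
```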
Hi Danny,
I'll give your suggestions a try.
Thanks
Ron
Hi Danny, thanks for your suggestion, that got the VPN working.
Regards
Ron
Great. I updated our Site-to-Site VPN Compatibility Matrix accordingly.
I'm pretty sure to use IKEv2 with Azure it must be a route-based VPN instead of domain-based. If you have CoreXL enabled on your gateway (which it is by default), you cannot do a route-based VPN on R77.30. Turning off CoreXL will slam all firewall inspection duties (not just VPN-related functions) onto one core no matter how many cores the firewall has. The performance impact of disabling CoreXL will range from minimal to utterly catastrophic depending on the total number of cores on the firewall.
If you upgrade the gateway to R80.10, route-based VPNs and CoreXL can be used together.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
Hi Tim,
Correct. I have a route-based VPN set up on Azure. The new-gen VPN gateways are only route-based; however, applying an IKE policy to the Azure connection enables the gateway to establish a connection to policy-based devices.
I've also logged a support case with Azure support.
Thanks
Ron
Hi Ron,
I was wondering if you were able to share the configuration you used connecting to the Azure Basic VPN?
Many thanks
James
Hey James,
It's been over a year, so I don't really remember the configuration I had, but let me dig through my notes and see what I can find. I don't have access to a Check Point device at present, but I'm happy to spin up a quick trial on AWS to test it out with the Azure Basic GW 🙂
Thanks
Ron
Hi Ron,
That would be amazing if you could help me out!
Many thanks
James