Re: Is traditional VPN mode supported in R80.20?

Nick_Doropoulos · ‎2018-09-14

Hi guys,

I know that in theory, R80.20 should support traditional VPN mode but that it doesn't support the option to convert traditional to simplified.

However, after exporting the database to R80.20 with the instructions outlined in this link (Installation and Upgrade Guide R80.20.M1 ), I am then getting the following output:

Title: Firewall policies with Traditional VPN mode

-----

* Description:

Traditional mode refers to legacy VPN policy, which was replaced by Simplified VPN (first introduced at 2002 in version NG FP3). Please change the below policies by using one of the methods:

Convert your Firewall policies: In SmartConsole, go to Policy > Convert To > Simplified VPN, and follow the wizard instructions.
In your Firewall policy, delete rules that contain the actions Encrypt or Client Encrypt.

If you have a specific case in which you have to use Traditional VPN mode, please contact Check Point support.

Could anybody be able to provide an explanation for this please?

Many thanks.

Danny · ‎2018-09-14

Traditional VPN mode is not supported anymore.

See here: https://community.checkpoint.com/thread/8978

Lari_Luoma · ‎2018-09-14

Just curious, but why would you like to use traditional mode VPN? I don't remember having seen that in years...

Maarten_Sjouw · ‎2018-09-16

We have one customer with around 70-80 VPN with all kinds of third parties that are setup as Tradintional a long time ago. This is very hard to convert to simplified mode. Most of these VPN's are used for EDI traffic and have a high need for uptime. If we were to replace this environment, it would be a per VPN migration, a lot of work and a lot of risks.

Regards, Maarten

PhoneBoy · ‎2018-09-14

To add a little color:

You cannot create any Traditional Mode VPN configurations in R80.x.
If you migrate a configuration to R80.x with Traditional Mode VPN configuration, you will be allowed to use it.
The wizard to convert from Traditional to Simplified Mode VPN was not ported to R80.x.
- Do the conversion to Simplified Mode prior to migrating to R80.x or you will have to do it manually after the fact.

Richard_Farnham · ‎2019-08-28

"do it manually" - what is meant by manually here: exporting and recreating rules by cli or something else? I've got a somewhat large production rulebase on R80.20 that doesn't use VPN, so the traditional mode went unnoticed through many migrations. (sorry for replying to this old thread)

Gero_Stolle · ‎2019-09-11

Hi Richard,
... and your are right 🙂 Just today having a customer trying to copy the rules from traditional to a new simplified policy, and got an error

2019-09-11 12_27_24-Gesendete Elemente - gero.stolle@controlware.de - Outlook.jpg

and this under actual JHF and R80.20 so seems to be a bug here, because the mentioned copy direction is wrong too
I think this will end in a case 🙂

And sory for the late reply too. But I think it's ok for All who searching in the threads to find ideas 🙂

Werner_69 · ‎2020-05-04

Hey Gera,

an did you find a solution to copy rules from one to the other ?

PhoneBoy · ‎2020-05-10

Wonder if something like the following would work: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...

Nick_Doropoulos · ‎2018-09-16

Thank you all very much.

Are you a member of CheckMates?

Is traditional VPN mode supported in R80.20?