This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Danny
Champion Champion
Champion
‎2021-03-17 08:13 AM

R81 - New VPN users unable to establish VPN via SHA256

In our R81 lab we encountered an interesting issue with CAPI certificate enrollment for new VPN users.
Existing VPN users don't experience this issue.

When using SHA256 for data integrity the VPN site creation within the VPN client succeeds, but afterwards the VPN connection to the R81 VPN server fails. With SHA1 connecting to the VPN server succeeds.

TAC support writes:

According to the logs, our failure is most probably related to the hashing algorithm, which is currently SHA256

[ 5048 8084][15 Mar 17:32:00][IKE] create_MM5(certificates authentication): Failed to sign hash (-996)
[ 5048 8084][15 Mar 17:32:00][rais] [DEBUG] [RaisMessages::CreateMessageSet(s)] message: (msg_obj
    :format (1.0)
    :id (ClipsMessagesInternalError)
    :def_msg ("Internal error; connection failed.  More details may be available in the logs")
    :arguments ()

I suggest changing the data integrity hashing algorithm to SHA1 instead

  1. Go to 'Global Properties > Remote Access > VPN – Authentication and Encryption > Encryption algorithms > IKE Security Association (Phase 1)'.
  2. Make sure that "SHA1" is selected under "Support Data Integrity".
  3. Select "SHA1" under "Use Data Integrity".
  4. Click "OK".
  5. Install policy.

Why doesn't Check Point R81 support the more secure SHA256 algorithm for VPN Remote Access for new users, which was working in previous versions? Tested with Endpoint Security Client E82.40 (working), E83.30 & E84.50 not working.

@amitshr 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2021-03-17 07:23 PM

We’ve supported SHA-256 for many many versions.
Seems like some issue comes up with CAPI which is also…not new.
Did TAC suggest: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
amitshr
Employee Employee
Employee
‎2021-03-17 10:26 PM
In response to PhoneBoy

According to the R&D, it seems to be a bug, and it is currently investigated on their end.

0 Kudos
Christoph_Hornu
Participant
‎2021-05-05 12:36 AM
In response to amitshr

Any Update on this behaviour, may it get fixed in E81?

0 Kudos
Dilian_Chernev
Collaborator
‎2021-06-30 05:09 AM

We hit the same issue with R80.40 JHF236,  using machine certificate from CAPI and E84.00 client.
Error messages in trac.log are the same.

Lowering Data Integrity to SHA1 is a working solution, but hope this bug will get fixed soon.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events