In our R81 lab we encountered an interesting issue with CAPI certificate enrollment for new VPN users.
Existing VPN users don't experience this issue.
When using SHA256 for data integrity the VPN site creation within the VPN client succeeds, but afterwards the VPN connection to the R81 VPN server fails. With SHA1 connecting to the VPN server succeeds.
TAC support writes:
According to the logs, our failure is most probably related to the hashing algorithm, which is currently SHA256
[ 5048 8084][15 Mar 17:32:00][IKE] create_MM5(certificates authentication): Failed to sign hash (-996)
[ 5048 8084][15 Mar 17:32:00][rais] [DEBUG] [RaisMessages::CreateMessageSet(s)] message: (msg_obj
:def_msg ("Internal error; connection failed. More details may be available in the logs")
I suggest changing the data integrity hashing algorithm to SHA1 instead
- Go to 'Global Properties > Remote Access > VPN – Authentication and Encryption > Encryption algorithms > IKE Security Association (Phase 1)'.
- Make sure that "SHA1" is selected under "Support Data Integrity".
- Select "SHA1" under "Use Data Integrity".
- Click "OK".
- Install policy.
Why doesn't Check Point R81 support the more secure SHA256 algorithm for VPN Remote Access for new users, which was working in previous versions? Tested with Endpoint Security Client E82.40 (working), E83.30 & E84.50 not working.