Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
K_R_V
Collaborator
Jump to solution

Ikev2 IDr : Behavior change in Version R81.10.08

After upgrading 1570R firewalls from R81.10.05 b254 to R81.10.08 b711 ,  recommended by Check Point, we experienced outages on VPNs with third-party entities, primarily Cisco.

We noticed the IKEv2 IDr field transitioned from containing the IP address to now containing the hostname of the gateway. The problem was resolved by downgrading, and a comparison of the two "legacy_ikev2.xmll" files revealed the difference. In our case, the remote end was not able to change the field as this was a mandatory requirement.

https://support.checkpoint.com/results/sk/sk33822 scenario 1 does not seems to be applicable on spark devices.

TAC case is open, so normally, in 4 months, we will have a solution ! Keep this in mind when upgrading to this version when having VPN's with 3th parties .

0 Kudos
1 Solution

Accepted Solutions
K_R_V
Collaborator

It is now documented : https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Conf... 

In the R81.10.X releases, this feature is available starting from the R81.10.10
version. 

Quantum Spark Spark gateways can configure IKEv2 ID Type to one of these:

  • An FQDN (this is the default).
  • An IP address (determined dynamically, based on the OS routing) - in R81.10.10 and
    higher.

View solution in original post

7 Replies
Chris_Atkinson
Employee Employee
Employee

When did you first perform the upgrades, per sk181079 can you confirm if it was impacting a GA build 1608 / 1683 vs something provided privately by TAC?

CCSM R77/R80/ELITE
0 Kudos
K_R_V
Collaborator

Upgrades are recently done and Build 1711 was provided by TAC as it resolves at least 3 issues we have with the 1683 build. 

  • VMAC and G-ARP
  • CPHAMCSET PNOTE
  • Memory issues 

 

 

0 Kudos
ptuttle_2
Contributor

We can't even get a simple BGP peering up with this code.

The versions tested on the 1595r

R81.10.08  …558  (…683)  (…610)  ( BGP NOT Established)

Versions on the 1570r

R81.10.05  …254   (BGP Established_

R81.10.08 ….683   (BGP NOT Established)

 

Something is up with code. 

0 Kudos
Pedro_Espindola
Advisor

Thank you for the heads up! It seems to be following on the same steps of enterprise Gaia, which also changed the behavior to use the main IP instead of the external IP.

I would recommend overriding the ID in the tunnel or in the global config first and then upgrade.

the_rock
Legend
Legend

That sounds right to me.

Best,

Andy

0 Kudos
K_R_V
Collaborator

The problem can be resolved following scenario 2 in sk108600 (https://support.checkpoint.com/results/sk/sk108600) :

To enable IKE MM-ID based on routing on the Security Gateway:

  1. Run:
    ckp_regedit -a SOFTWARE/CheckPoint/VPN1 BestRoutingSenderIP True
  2. Run:
    cpstop ; cpstart

It is currently unknown why this behavior has changed in this version. The documentation still indicates that the default setting is the IP address, not the FQDN.

K_R_V
Collaborator

It is now documented : https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Conf... 

In the R81.10.X releases, this feature is available starting from the R81.10.10
version. 

Quantum Spark Spark gateways can configure IKEv2 ID Type to one of these:

  • An FQDN (this is the default).
  • An IP address (determined dynamically, based on the OS routing) - in R81.10.10 and
    higher.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events