This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
K_R_V
Collaborator
‎2024-02-09 01:45 AM
Jump to solution

Ikev2 IDr : Behavior change in Version R81.10.08

After upgrading 1570R firewalls from R81.10.05 b254 to R81.10.08 b711 ,  recommended by Check Point, we experienced outages on VPNs with third-party entities, primarily Cisco.

We noticed the IKEv2 IDr field transitioned from containing the IP address to now containing the hostname of the gateway. The problem was resolved by downgrading, and a comparison of the two "legacy_ikev2.xmll" files revealed the difference. In our case, the remote end was not able to change the field as this was a mandatory requirement.

https://support.checkpoint.com/results/sk/sk33822 scenario 1 does not seems to be applicable on spark devices.

TAC case is open, so normally, in 4 months, we will have a solution ! Keep this in mind when upgrading to this version when having VPN's with 3th parties .

0 Kudos
1 Solution

Accepted Solutions
K_R_V
Collaborator
‎2024-03-05 07:24 AM
In response to K_R_V
Jump to solution

It is now documented : https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Conf... 

In the R81.10.X releases, this feature is available starting from the R81.10.10
version. 

Quantum Spark Spark gateways can configure IKEv2 ID Type to one of these:

  • An FQDN (this is the default).
  • An IP address (determined dynamically, based on the OS routing) - in R81.10.10 and
    higher.

View solution in original post

7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-02-09 03:01 AM
Jump to solution

When did you first perform the upgrades, per sk181079 can you confirm if it was impacting a GA build 1608 / 1683 vs something provided privately by TAC?

CCSM R77/R80/ELITE
0 Kudos
K_R_V
Collaborator
‎2024-02-09 03:43 AM
In response to Chris_Atkinson
Jump to solution

Upgrades are recently done and Build 1711 was provided by TAC as it resolves at least 3 issues we have with the 1683 build. 

  • VMAC and G-ARP
  • CPHAMCSET PNOTE
  • Memory issues 

 

 

0 Kudos
ptuttle_2
Contributor
‎2024-02-13 06:05 AM
In response to K_R_V
Jump to solution

We can't even get a simple BGP peering up with this code.

The versions tested on the 1595r

R81.10.08  …558  (…683)  (…610)  ( BGP NOT Established)

Versions on the 1570r

R81.10.05  …254   (BGP Established_

R81.10.08 ….683   (BGP NOT Established)

 

Something is up with code. 

0 Kudos
Pedro_Espindola
Advisor
‎2024-02-16 01:04 PM
Jump to solution

Thank you for the heads up! It seems to be following on the same steps of enterprise Gaia, which also changed the behavior to use the main IP instead of the external IP.

I would recommend overriding the ID in the tunnel or in the global config first and then upgrade.

the_rock
MVP Platinum
MVP Platinum
‎2024-02-16 02:34 PM
In response to Pedro_Espindola
Jump to solution

That sounds right to me.

Best,

Andy

Best,
Andy
0 Kudos
K_R_V
Collaborator
‎2024-02-20 05:23 AM
Jump to solution

The problem can be resolved following scenario 2 in sk108600 (https://support.checkpoint.com/results/sk/sk108600) :

To enable IKE MM-ID based on routing on the Security Gateway:

  1. Run:
    ckp_regedit -a SOFTWARE/CheckPoint/VPN1 BestRoutingSenderIP True
  2. Run:
    cpstop ; cpstart

It is currently unknown why this behavior has changed in this version. The documentation still indicates that the default setting is the IP address, not the FQDN.

K_R_V
Collaborator
‎2024-03-05 07:24 AM
In response to K_R_V
Jump to solution

It is now documented : https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Conf... 

In the R81.10.X releases, this feature is available starting from the R81.10.10
version. 

Quantum Spark Spark gateways can configure IKEv2 ID Type to one of these:

  • An FQDN (this is the default).
  • An IP address (determined dynamically, based on the OS routing) - in R81.10.10 and
    higher.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events