trimalshriram19
Participant

Traditional Mode Configuration in checkpoint VPN

Hi,

I need to make the changes below to the Traditional Mode configuration in Check Point VPN.

Phase 1 and 2 Algorithm

DPD Action 

DPD Delay

DPS timeout

Can anyone suggest how we can make those changes? I am on version R81.20.

 

10 Replies
G_W_Albrecht
Legend

AFAIK, since R77.30 you are no longer able to create or edit Traditional Mode policies. In https://support.checkpoint.com/results/sk/sk171035 you can read the details. I would suggest contacting CP TAC as this is a very special case...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

For what precise reason do you still use Traditional Mode VPN?
DPD support was added in R77.10, which is well after Traditional Mode VPN was formally deprecated in the NGX (R60) release.
What you're asking for, I suspect, is not possible.

trimalshriram19
Participant

Hi Phone,

Thanks for the reply.

We have an old VPN in place, and now the vendor came to us to make a few changes at the VPN end for more security.

Thanks

 

 

G_W_Albrecht
Legend

I would suggest contacting CP TAC to review the situation and provide an easy solution here!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

I agree with @G_W_Albrecht, just call TAC and see what can be done to fix this.

Andy

_Val_
Admin

I don't see how TAC can help someone to move forward from a non-supported tech. It looks more like a PS project. However, I would suggest re-hauling the VPN solution and moving to supported features. There is not much justification for using Traditional VPN at all.

the_rock
Legend

I would say that the sk Guenther provided is a good start. I just ran it in my lab and I'm sure it can help.

Andy

https://support.checkpoint.com/results/sk/sk171035

 

Command from the lab:

[Expert@CP-MANAGEMENT:0]# mgmt_cli show package name "R81.20-CP-LAB-POLICY"

PhoneBoy
Admin

The main reasons some customers were still using Traditional Mode VPN have been solved:

  1. Multiple encryption algorithms per community (you can override for specific peers in the community)
  2. Exclude specific traffic from VPN (supported from at least R77.30)
  3. Allow granular encryption domain per community (added in R80.40)

Traditional Mode VPN also isn't accelerated with SecureXL, if I recall correctly (thus worse performance).
So, yeah, there really isn't a reason to run Traditional Mode VPN anymore.

 

G_W_Albrecht
Legend

There could be a possible workaround like tweaking Trad VPN Config using dbedit that is only known to TAC...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

Good point...
