PavelSpiridonov
Participant

CP1575 L2TP VPN Remote Access

Hello!

When attempting to establish an L2TP VPN connection between the CP1575 and a third-party router (Mikrotik),
an error occurs: 'IKE failure: Quick Mode New DH key received during Quick Mode from peer, but Perfect Forward Secrecy is not set in the community.'
However, the standard Windows L2TP client successfully connects to the CP1575.

This issue has already been discussed, but in that case, the client was Linux.

Unfortunately, the Linux solution isn't applicable in my case:
the Mikrotik L2TP client doesn't have an option to affect the PFS parameter.

I noticed that the CP1575 has an 'Enable PFS' setting.
However, it's only available under 'Site to Site VPN'.
Is it possible to find such a setting for L2TP VPN?
Perhaps it can be found through the Gaia Clish?


Accepted Solutions
PhoneBoy
Admin

You can try to do the following two in Expert mode:

  • ckp_regedit -a \\SOFTWARE\\CheckPoint\\VPN1 force_ra_pfs -n 1
  • fw_configload

These steps are similar to what's in the Remote Access VPN on non-Spark gateways: https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RemoteAccessVPN_AdminGuide/Content...
The second step is the "install security policy" step.


3 Replies
PavelSpiridonov
Participant

The connection was established successfully,
your advice helped.

The following restrictions apply:
the 'IP address for Office Mode' parameter must be set in the Remote Access Users.
Authorization algorithm - only SHA1
PFS Group - only modp1024

I tried to influence the PFS Group using the parameter,
\\SOFTWARE\\CheckPoint\\VPN1 users_hash_capacity
replacing the value with 2048,
but to no avail — the connection was not established.

Can you tell me how to correctly configure the authorization algorithm and PFS Group parameters?

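To make the failure in this thread concrete, here is an added Python model (not Check Point's code, and not written by either poster) of the checks an IKEv1 responder performs on a Quick Mode proposal: whether a KE payload arrived while PFS is off (the exact error quoted in the question), whether the offered DH group matches the gateway's PFS group, and whether the integrity algorithm is allowed. The policy values are taken from the thread (PFS off before the force_ra_pfs change, then SHA1 and modp1024 only, as the follow-up reports); the "PFS required but no KE payload" branch follows RFC 2409 semantics and is an assumption about behaviour the thread does not test. Client and scenario names are constructed for illustration.

```python
"""Simplified model of the IKEv1 Quick Mode checks behind the error in this thread.

Constructed example: the outcome strings echo the gateway's wording, but the
logic is a teaching model, not Check Point's implementation.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# IANA IKE Diffie-Hellman group numbers for the MODP groups named in the thread.
DH_GROUP_NUMBERS = {"modp1024": 2, "modp2048": 14}


@dataclass(frozen=True)
class QuickModeProposal:
    """First Quick Mode message from the initiator (the remote-access client)."""
    client: str
    ke_group: Optional[str]  # DH group of the KE payload; None means no KE payload (no PFS)
    auth_alg: str            # ESP integrity algorithm offered, e.g. "sha1"


@dataclass(frozen=True)
class ResponderPolicy:
    """Remote-access VPN settings on the responder (the gateway)."""
    pfs_enabled: bool
    pfs_group: str
    auth_algs: FrozenSet[str]


def quick_mode_outcome(policy: ResponderPolicy, proposal: QuickModeProposal) -> str:
    """Return what the responder does with the proposal, as a short outcome string."""
    if proposal.ke_group is not None and not policy.pfs_enabled:
        # The case from the original post: the client includes a KE payload
        # (it wants PFS) while the gateway's remote-access community has PFS off.
        return ("reject: Quick Mode New DH key received during Quick Mode from peer, "
                "but Perfect Forward Secrecy is not set")
    if proposal.ke_group is None and policy.pfs_enabled:
        # RFC 2409 semantics (assumed, not exercised in the thread): a responder
        # that requires PFS needs a KE payload in Quick Mode.
        return "reject: PFS is required but the peer sent no KE payload"
    if proposal.ke_group is not None and proposal.ke_group != policy.pfs_group:
        return (f"reject: PFS group mismatch (peer offered {proposal.ke_group} = group "
                f"{DH_GROUP_NUMBERS.get(proposal.ke_group, '?')}, gateway expects {policy.pfs_group})")
    if proposal.auth_alg not in policy.auth_algs:
        return f"reject: no proposal chosen ({proposal.auth_alg} not in allowed integrity algorithms)"
    return "accept: IPsec SA established"


def thread_scenarios() -> Dict[str, str]:
    """Replay the situations described in the thread and return their outcomes."""
    # Before the fix: PFS off for remote access, as the quoted error message indicates.
    pfs_off = ResponderPolicy(pfs_enabled=False, pfs_group="modp1024", auth_algs=frozenset({"sha1"}))
    # After `ckp_regedit ... force_ra_pfs -n 1` and `fw_configload`: PFS on, with the
    # restrictions the follow-up post reports (SHA1 only, modp1024 only).
    pfs_on = ResponderPolicy(pfs_enabled=True, pfs_group="modp1024", auth_algs=frozenset({"sha1"}))

    # Constructed proposals: the Windows client sends no KE payload, the Mikrotik client does.
    windows = QuickModeProposal("windows", ke_group=None, auth_alg="sha1")
    mikrotik_1024 = QuickModeProposal("mikrotik", ke_group="modp1024", auth_alg="sha1")
    mikrotik_2048 = QuickModeProposal("mikrotik", ke_group="modp2048", auth_alg="sha1")
    mikrotik_sha256 = QuickModeProposal("mikrotik", ke_group="modp1024", auth_alg="sha256")

    return {
        "windows, PFS off": quick_mode_outcome(pfs_off, windows),
        "mikrotik, PFS off": quick_mode_outcome(pfs_off, mikrotik_1024),
        "mikrotik modp1024/sha1, PFS on": quick_mode_outcome(pfs_on, mikrotik_1024),
        "mikrotik modp2048, PFS on": quick_mode_outcome(pfs_on, mikrotik_2048),
        "mikrotik sha256, PFS on": quick_mode_outcome(pfs_on, mikrotik_sha256),
    }


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name:32} -> {outcome}")
```

Running the block prints one line per scenario: the Windows client is accepted with PFS off, the Mikrotik client is rejected with the thread's error, and after the change only the modp1024/SHA1 proposal is accepted, which is the restriction the follow-up post describes.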
PhoneBoy
Admin

Not sure it is possible to do that, unfortunately.
Suggest consulting with TAC.
