sx8n20394
Collaborator

Remote Access IKEv2 for R81 and R82 Quantum Spark (comments on IKEv1 being deprecated)

So this post is just for everyone who may be pulling their hair out (or what is left of it) regarding the CVE and IKEv2.

I also just wanted to point out that in their CVE article, Checkpoint called IKEv1 deprecated and essentially implied that it shouldn't have been used in the first place. The hilarious part is that it never worked for Remote Access in R81 and is still broken for R82. 🤓Brilliant!

IKEv2 is NOT supported on R81 at all even though it is in the advanced settings. Why they would put it in there and never have it actually capable of working is beyond my comprehension. If you have a locally managed R81 device your only option is to upgrade to the latest firmware because none of the 3 mitigation options are possible (confirmed by TAC).

IKEv2 is broken on R82 (🤣hilarious!). If you turn on IKEv2 you will notice the following behavior (confirmed by others who have posted on here):

1. Drop off exactly after 1 hour and require re-authentication. I have also seen some fun behavior when using Entra SSO where the browser will keep opening authentication tabs at such a rapid pace that the user has to hard boot (awesome!).

2. Drop off at completely random times. (makes getting logs hard😢)

3. Connected remote access clients may not show up in GUI or in CLI using the "PEP S U A" command. I connected myself, looked at both and it didn't show my user connected at all. This is kind of a roll of the dice because I had some users show up and some didn't. Also I would rerun the pep command or refresh the GUI and users would disappear and reappear (magic!).

 

 

(1)
6 Replies
PhoneBoy
Admin

IKEv2 has been supported for Site-to-Site VPN for a while.
Having said that, it shouldn't be offered on R81.10.x for Remote Access if it truly isn't supported.
This option should work on R82 (where maintain supports IKEv2 for Remote Access clients). 

Please PM me the relevant TAC case. 

0 Kudos
ccsjnw
Collaborator


Nobody is talking about IKEv2 for site to site VPNs!

We are all talking about the very misleading communications coming out of CheckPoint, giving the impression that IKEv1 is deprecated and IKEv2 has been *fully* supported for Windows Remote Access VPN clients for quite some time, when it absolutely and unequivocally has not.

CheckPoint give the impression that this incident is only affecting customers who have been slow to migrate from IKEv1 to IKEv2, when it’s actually been CheckPoint who have been *very* slow to make IKEv2 work reliably, and have been down-playing the need for IKEv2 for Remote Access VPN clients.

IKEv2 is still *not* natively supported today without the manual Registry Hack.

Please address the misinformation in your communications. There are a lot of angry customers right now.

(1)
PhoneBoy
Admin

Just FYI, the IETF is deprecating IKEv1: https://datatracker.ietf.org/doc/rfc9395/

0 Kudos
sx8n20394
Collaborator

That is fantastic. Maybe Checkpoint should make IKEv2 work for Quantum Spark remote access without tons of bugs. There is a reason why we are complaining. R81 doesn't work with IKEv2 at all. Checkpoint even stated in their SK it is not supported. R82 is super buggy and drops VPN connections. Read my original post instead of posting useless responses that don't pertain to the concerns.

0 Kudos
ccsjnw
Collaborator


I completely agree with you.

The CheckPoint narrative about IKEv1 being ‘deprecated’ is very misleading and it’s disrespectful to the technical community who have to support this stuff…

I’m not at all happy about how this incident has been handled or communicated by CheckPoint. I expect better.

0 Kudos
tobiasruf
Explorer

We also experience different issues with IKEv2:

The one hour logoff problem.

Connection problems from some WiFi networks in comparison to IKEv1 mode.

Currently we think about switching back. Waiting for TAC if there is a solution available until weekend.

I do not understand what the currently proposed setup is from Checkpoint's perspective.

0 Kudos
