I did extensive research on this topic some time ago... I did lots of testing, not just reading...
If you are using Check Point Remote Access VPN Client (or full Harmony Endpoint Client) E80.65 or newer, then you can ignore the dire warnings in the SmartConsole about needing DH Group 2 and go with the settings below (you can safely disable everything else):
Most compatible (Gaia R81.xx, R82.xx):
Phase 1:
Encryption Algorithm: AES-256
Data Integrity: SHA256
DH Group: 14
Phase 2:
Encryption Algorithm: AES-256
Data Integrity: SHA256
(Capsule connect for iOS doesn't support SHA384 or SHA512. SHA256 works on everything)
Version E88 of the Remote Access Client and newer allow you to use DH Groups 15, 19, 20 and 21.
(DH Groups 22, 23 & 24 should not be used as they use potentially unsafe primes).
For extra security, you can use DH Group 21 with R82 and later versions of Check Point (Gaia).
(I found no downside at all to using DH Group 21 when the gateway and endpoint support it).
Note that even the newest (E89.10) Windows Remote Access VPN Client still needs the Registry kludge to enable IKEv2.
When IKEv2 is enabled on the Windows Client, it can't fall back to IKEv1 (enabling IKEv2 turns off IKEv1).
Capsule Connect for iOS works with IKEv1 or IKEv2 transparently. Windows Remote Access VPN clients do not.
Better security (for Gaia R82 and later) and still offering very broad compatibility:
Phase 1:
Encryption Algorithm: AES-256
Data Integrity: SHA256
DH Group: 21
Phase 2:
Encryption Algorithm: AES-256
Data Integrity: SHA256
One day (I hope) Check Point will remove the need to use the Registry Hack for enabling IKEv2 support in the Windows Remote Access VPN Client...
The encryption defaults really should be a lot better than they are in 2026... They keep saying they are going to overhaul the defaults, but it didn't happen in the R82 or R82.10 release sadly.
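
A pre-change check built from the compatibility rules in the post above, as an added example that is not part of the original post and not Check Point tooling. The inventory format, function names and sample fleet are constructed; DH group support on Capsule Connect for iOS is not checked because the post does not state it.

```python
import re

# Rules below restate the forum post above; they are not from vendor documentation.
UNSAFE_DH = {22, 23, 24}      # "potentially unsafe primes"
E88_DH = {15, 19, 20, 21}     # usable from Remote Access Client E88
BASE_DH = 14                  # usable from client E80.65


def ver(text):
    """'E89.10' -> (89, 10), 'R82' -> (82, 0); the letter prefix is dropped."""
    m = re.fullmatch(r"[A-Za-z](\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def audit(gateway, dh_group, integrity, clients):
    """List what a proposed Phase 1 DH group / integrity hash would break.

    clients: (name, kind, version) tuples, kind 'windows' or 'ios'
    (hypothetical inventory format).
    """
    findings = []
    if dh_group in UNSAFE_DH:
        findings.append(f"DH group {dh_group}: should not be used")
    if dh_group == 21 and ver(gateway) < (82, 0):
        findings.append(f"gateway {gateway}: post pairs group 21 with R82 and later")
    for name, kind, version in clients:
        if kind == "ios":
            # The post states only the hash limit for Capsule Connect.
            if integrity in ("SHA384", "SHA512"):
                findings.append(f"{name}: Capsule Connect lacks {integrity}")
        elif dh_group in E88_DH and ver(version) < (88, 0):
            findings.append(f"{name}: {version} predates E88, no group {dh_group}")
        elif dh_group == BASE_DH and ver(version) < (80, 65):
            findings.append(f"{name}: {version} predates E80.65")
    return findings


# Constructed sample fleet.
FLEET = [
    ("laptop-01", "windows", "E89.10"),
    ("laptop-02", "windows", "E86.50"),
    ("phone-01", "ios", ""),
]

if __name__ == "__main__":
    for line in audit("R82.10", 21, "SHA256", FLEET):
        print(line)
```

An empty result means nothing in the inventory conflicts with the proposed settings under the post's rules; any finding names the client or gateway that would need upgrading first.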