Dear all,

We are currently facing issues when building a S2S VPN to a Cisco ASA. Due to a IPS / IDS security applicance between the two gateways, IKE packets were dropped because there are fragmentated.

• The tunnel is / should be initiated by the Cisco ASA.
• When testing the initiation from the CheckPoint, IKE packets fare ariving at the Cisco ASA but the replies are getting blocked.

As a workaround, the security appliance has been adjusted to not block the fragemented packets in this context, but we have to find a solution for this.

The adminstrators of the remote gateways are passing the buck to us right now. They state that the Cisco is supporting and trying to use the mechanism provided / described in RFC 7383 (https://www.rfc-editor.org/rfc/rfc7383.html) but the CheckPoint is not willing to negotiate the IKE fragmentation.

So two questions arise.

• Does CheckPoint support the RFC 7383 and in case it does, must it be enabled in the configuration. Unfortunately was I not able to find anything concerning this.
• Have you ever faced a similar issue when connecting to a Cisco ASA and I case you have, how have you fixed the issue?

I found the https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... but this does not really give a hint for what I am looking for, atleast for my understanding.

Anyway I wonder if this RFC / the support of the RFC is really the issue. Why?

• When the IDS / IPS is active we see no packet at all from the remote gateway. How can the (missing?) support for the RFC on the CheckPoint then be the issue?
• Even if the CheckPoint does not support the RFC. Why does the Cisco ASA not send smaller packets by configuring the local input / interface settings?
• The VPN is established via 500/udp and the usage of PSK. The initial packets should not be too big.

Thanking you in advance.