Issue
Check Point have now replaced the “Support Key Exchange for subnets” with “VPN Tunnel Sharing” for Traditional mode VPNs.
The problem when you upgrade to R65 is that the “Support Key Exchange for subnets” setting isn’t transferred; all Traditional mode VPNs are set to “One VPN tunnel per subnet pair” by default.
You may experience the following error if “One VPN Tunnel per each pair of hosts” is not ticked but is required:
IKE: Quick Mode Received Notification from Peer: no proposal chosen
Solution
To prevent any issues, before you upgrade, note whether “Support Key Exchange for subnets” is enabled on the interoperable device. Once you have upgraded the Check Point package, make the following change in R65 according to the setting you noted before the upgrade.
R55 – Support key exchange for subnets = Ticked —> R65 – “VPN Tunnel Sharing | Custom Settings | One VPN Tunnel per subnet pair” = Ticked
R55 – Support key exchange for subnets = Unticked —> R65 – “VPN Tunnel Sharing | Custom Settings | One VPN Tunnel per each pair of hosts” = Ticked