
Check Point - Upgrading to R65 from R55 causes issues with Traditional Mode based VPNs

Issue

 

Check Point has replaced the “Support Key Exchange for subnets” setting with “VPN Tunnel Sharing” for Traditional mode VPNs.

The problem is that when you upgrade to R65, the “Support Key Exchange for subnets” setting isn’t transferred, and all Traditional mode VPNs are set to "One VPN tunnel per subnet pair" by default.

 

You may see the following error if “One VPN Tunnel per each pair of hosts” is required but not ticked:

 

                 IKE: Quick Mode Received Notification from Peer: no proposal chosen

 

Solution

 

To prevent any issues, note before the upgrade whether “Support Key Exchange for subnets” is enabled on the interoperable device. Once you have upgraded the Check Point package, set the corresponding option in R65 based on the setting you noted before the upgrade:

 

R55 - "Support key exchange for subnets" = Ticked    --->  R65 - "VPN Tunnel Sharing | Custom Settings | One VPN Tunnel per subnet pair" = Ticked
R55 - "Support key exchange for subnets" = Unticked  --->  R65 - "VPN Tunnel Sharing | Custom Settings | One VPN Tunnel per each pair of hosts" = Ticked


About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001