How to know which VPN encryption suites a Check Point Gateway will offer in Phase 1 and 2 when using the Traditional Mode VPN policy
Solution

Background

In Traditional VPN Mode, a single rule, with the Encrypt rule action, deals with both access control and encryption. VPN properties are defined per Security Gateway.

In Simplified VPN Mode, the Security Rule Base deals only with access control. In other words, the Rule Base determines only what is allowed. VPN properties, on the other hand, are dealt with per VPN community.

Phase 1 IKE SA

When the Check Point Gateway uses a Traditional Mode policy, the Phase 1 encryption suites are defined in the Gateway properties, under the IPsec VPN tab.

The IKE Properties are configured to set the encryption and hashing algorithms the Security Gateway will support if it is the responder (when the IKE negotiation is initiated by the peer).

When the Security Gateway is the initiator, it uses the strongest available encryption suite. In the example above, when the Security Gateway initiates Phase 1, it will use the AES-256 encryption algorithm and the SHA-256 hashing algorithm.

In the debug output of the user-mode process (vpnd), you can see which suite will be used before the Security Gateway transmits the first packet of Main Mode:

[vpnd 6203 2012804800]@ FW1[17 May 9:46:49] get_strongest_method: chose encryption method 2

[vpnd 6203 2012804800]@ FW1[17 May 9:46:49] get_strongest_method: chose hash method 2

[vpnd 6203 2012804800]@ FW1[17 May 9:46:49] get_strongest_dh_group: chose DH Group 2

[vpnd 6203 2012804800]@ FW1[17 May 9:46:49] do_cklic_ex: Activated with feature: fw1:6.0:strong
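The following is an added example, not Check Point code: it parses vpnd debug lines of the shape quoted above, extracts the Phase 1 choices the initiator logged, and flags a Diffie-Hellman group whose modulus is below a chosen minimum. The sample log is constructed to match the article's lines; the encryption and hash numbers are vpnd's internal identifiers and are left undecoded, while the DH group sizes come from RFC 2409 and RFC 3526.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the vpnd debug lines quoted in the article.
SAMPLE_LOG = """\
[vpnd 6203 2012804800]@ FW1[17 May 9:46:49] get_strongest_method: chose encryption method 2
[vpnd 6203 2012804800]@ FW1[17 May 9:46:49] get_strongest_method: chose hash method 2
[vpnd 6203 2012804800]@ FW1[17 May 9:46:49] get_strongest_dh_group: chose DH Group 2
[vpnd 6203 2012804800]@ FW1[17 May 9:46:49] do_cklic_ex: Activated with feature: fw1:6.0:strong
"""

# Modulus size (bits) of the MODP Diffie-Hellman groups from RFC 2409 and RFC 3526.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}

# Matches the three "chose ..." lines; the "[vpnd pid tid]@ host[timestamp]" prefix is skipped.
CHOSEN_RE = re.compile(
    r"\]\s+get_strongest_(?:method|dh_group):\s+chose\s+"
    r"(?P<what>encryption method|hash method|DH Group)\s+(?P<num>\d+)"
)


def parse_initiator_choice(log: str) -> Dict[str, int]:
    """Return the Phase 1 choices vpnd logged before sending the first Main Mode packet.

    Keys: 'encryption_method', 'hash_method', 'dh_group'. The encryption and hash
    values are vpnd's internal numeric identifiers and are not decoded here.
    """
    key_for = {"encryption method": "encryption_method", "hash method": "hash_method", "DH Group": "dh_group"}
    choice: Dict[str, int] = {}
    for line in log.splitlines():
        m = CHOSEN_RE.search(line)
        if m:
            choice[key_for[m.group("what")]] = int(m.group("num"))
    return choice


def review_dh_group(choice: Dict[str, int], min_bits: int = 2048) -> List[str]:
    """Flag a Phase 1 DH group whose modulus is below min_bits (default: 2048-bit MODP, group 14)."""
    findings: List[str] = []
    group = choice.get("dh_group")
    if group is None:
        findings.append("no get_strongest_dh_group line found; cannot assess DH group")
        return findings
    bits = DH_GROUP_BITS.get(group)
    if bits is None:
        findings.append(f"DH Group {group} is not a MODP group in this table; check manually")
    elif bits < min_bits:
        findings.append(f"DH Group {group} is {bits}-bit MODP, below the {min_bits}-bit minimum")
    return findings


if __name__ == "__main__":
    parsed = parse_initiator_choice(SAMPLE_LOG)
    print(parsed)
    for finding in review_dh_group(parsed):
        print("FINDING:", finding)
```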


Phase 2 IPsec SA

The Phase 2 encryption suites are defined in the Encrypt rule properties.

In the Encrypt properties, the encryption suite definition also lets you select the VPN peer with which each suite will be used.

In addition, advanced settings can be configured, such as Perfect Forward Secrecy (when PFS is enabled, a fresh DH key is generated during IKE phase II, and renewed for each key exchange) and IP Pool NAT.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
