Security Gateway accepts a different Diffie-Hellman group than what is configured
Technical Level
Solution ID: sk122438
Product: IPSec VPN
Version: R77.30 (EOL), R80.10 (EOL), R80.20, R80.30
Date Created: 18-Jan-2018
Last Modified: 27-Aug-2020
Symptoms
When the VPN peer initiates IKE negotiation with the Security Gateway and sends a different Diffie-Hellman group than the one configured in the VPN community, the Security Gateway accepts it, and the VPN traffic is later dropped.
Packets are dropped on an unmatched proposal, although the VPN tunnel is established.
Cause
Configuration mismatch - Perfect Forward Secrecy was configured on the Security Gateway, but not on the VPN peer.