VPN tunnels with 3rd party peers fail because of mismatched IDs
Symptoms
  • VPN tunnels with 3rd party peers fail because of mismatched IDs.
  • The user.def granular encryption range tables, subnet_for_range_and_peer and max_subnet_for_range, do not affect the encryption IDs in R80.20 once ike_enable_supernet is set to "false". This causes VPN tunnels with 3rd party peers to fail because of mismatched IDs.
Cause

Enabling the R80.20 "disable supernetting per community" feature causes this issue.


Solution

This problem was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version (upgrade Security Gateway / upgrade Cluster / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).


For R80.20 installations without Jumbo Hotfix Accumulator for R80.20 Take_43 or later, disabling the R80.20 "disable supernetting per community" feature resolves this issue.

Note: This new feature still works once ike_enable_supernet is set to "true".

  1. Access the relevant gateway.
  2. Run: fw ctl set int enable_supernet_per_community 0

    Note: It can take some time until the user.def tables take effect, because existing connections can still bring up tunnels using the old ranges.

  3. To make this change persist across a reboot of the gateway, add the line enable_supernet_per_community=0 to the $FWDIR/boot/modules/fwkern.conf file on the gateway.
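The three steps above applied as one script. This is an added example, not part of the SK article and not Check Point's own tooling; it assumes the gateway exports FWDIR in expert mode, that fwkern.conf holds one name=value pair per line, and that fw ctl get int can read back the value set with fw ctl set int. The FWKERN_CONF variable is a hypothetical override used so the file-editing function can be exercised against a scratch file rather than the live gateway.

```shell
#!/bin/sh
# Added example (not from the SK article): apply the workaround at runtime
# (step 2) and persist it in fwkern.conf (step 3) without duplicating lines
# when the script is run more than once.

PARAM="enable_supernet_per_community"
VALUE="0"

# set_fwkern_param FILE NAME VALUE
# Ensures FILE contains exactly one "NAME=VALUE" line: an existing NAME= line
# is rewritten in place, otherwise the line is appended.
set_fwkern_param() {
    file="$1"; name="$2"; value="$3"
    [ -f "$file" ] || : > "$file"           # create the file if it is missing
    if grep -q "^${name}=" "$file"; then
        tmp="${file}.tmp.$$"                 # rewrite via a temp file, keep order
        sed "s/^${name}=.*/${name}=${value}/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# get_fwkern_param FILE NAME
# Prints the persisted value for NAME (empty if the file does not set it).
get_fwkern_param() {
    sed -n "s/^${2}=//p" "$1" | tail -n 1
}

# apply_runtime NAME VALUE
# Sets the kernel parameter on the running gateway (step 2) and reads it back
# so the operator sees the effective value. Fails cleanly off a gateway.
apply_runtime() {
    if ! command -v fw >/dev/null 2>&1; then
        echo "fw not found: this must run in expert mode on the gateway" >&2
        return 1
    fi
    fw ctl set int "$1" "$2" && fw ctl get int "$1"
}

main() {
    # FWKERN_CONF is a hypothetical override for testing; on a gateway the
    # real path from step 3 is used.
    conf="${FWKERN_CONF:-${FWDIR:?FWDIR is not set; run from expert mode}/boot/modules/fwkern.conf}"
    apply_runtime "$PARAM" "$VALUE"
    set_fwkern_param "$conf" "$PARAM" "$VALUE"
    echo "persisted: $PARAM=$(get_fwkern_param "$conf" "$PARAM") in $conf"
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as "sh script.sh --apply" from expert mode on the affected gateway; the value printed by fw ctl get int should be 0, and the tunnels will start using the user.def ranges once existing connections drain, as the note under step 2 explains.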
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
