Support Center > Search Results > SecureKnowledge Details
Site to Site VPN is negotiated per each pair of hosts instead of per subnet pair Technical Level
  • When trying to establish VPN tunnel between Check Point Security Gateway and 3rd party and the tunnel is initiated from behind Check Point, SA negotiation fails with error "notification from peer. invalid id".

  • When running IKE debug (sk180488), it is displayed that a source subnet and a destination host are sent, when tunnel is set to 'per subnet pair' even though subnets are defined correctly for both sides.


The VPN domain behind Check Point firewall has been configured using the Group with Exclusion object. Group with exclusions is not supported as encryption domain when using tunnel configuration "per subnet pair" or "per host pair".
When using the mentioned tunnel management options - the subnet must be accurate during Quick Mode negotiation otherwise the negotiation will fail. When using group with exclusions there is no option to control the subnet negotiated in Quick Mode.

Note: To view this solution you need to Sign In .