Site to Site VPN is negotiated per pair of hosts instead of per subnet pair
Symptoms
  • When trying to establish a VPN tunnel between a Check Point Security Gateway and a 3rd-party peer, and the tunnel is initiated from behind the Check Point gateway, the SA negotiation fails with the error "notification from peer. invalid id".

  • In the IKE debug (sk180488), the Quick Mode IDs show a source subnet together with a destination host, even though the tunnel is set to 'per subnet pair' and the subnets are defined correctly on both sides.

Cause

The VPN domain behind the Check Point firewall has been configured using a Group with Exclusion object. A group with exclusions is not supported as an encryption domain when the tunnel management option is "per subnet pair" or "per host pair".
With these tunnel management options, the subnet must be exact during Quick Mode negotiation; otherwise the negotiation fails. When the domain is a group with exclusions, there is no way to control which subnet is negotiated in Quick Mode.
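As an added illustration (not from the SK article or from Check Point code), the following Python uses the standard ipaddress module to show why a group with exclusions cannot satisfy a 'per subnet pair' negotiation: once even one host is excluded, the configured /24 is no longer representable as a single subnet, so no Quick Mode proposal can match the /24 the peer has configured. The subnets, the excluded address and the peer's expected subnets are constructed sample values.

```python
"""Check whether an encryption domain built from a group with exclusions
can still be expressed as whole subnets, which the 'per subnet pair'
tunnel setting requires the Quick Mode IDs to be."""
import ipaddress


def effective_domain(included, excluded):
    """Return the sorted CIDR blocks left after removing every excluded
    address or network from the included networks."""
    result = [ipaddress.ip_network(n) for n in included]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        next_result = []
        for net in result:
            if net.subnet_of(ex):
                continue  # the whole block is excluded
            if ex.subnet_of(net):
                # Excluding part of a block fragments it into smaller subnets
                next_result.extend(net.address_exclude(ex))
            else:
                next_result.append(net)
        result = next_result
    return sorted(result)


def check_domain_against_peer(included, excluded, peer_expected):
    """Compare the effective local domain with the subnets the peer has
    configured for our side. Returns (ok, list of subnets the peer expects
    that no longer exist as a whole block, so their subnet pair can't match)."""
    effective = set(effective_domain(included, excluded))
    expected = {ipaddress.ip_network(n) for n in peer_expected}
    mismatches = [str(n) for n in sorted(expected - effective)]
    return (not mismatches, mismatches)


if __name__ == "__main__":
    # Constructed sample: a /24 domain with a single host excluded, while the
    # peer is configured to expect the whole /24 from the Check Point side.
    local_included = ["10.1.0.0/24"]
    local_excluded = ["10.1.0.200/32"]
    peer_side = ["10.1.0.0/24"]
    print("Effective local blocks:")
    for block in effective_domain(local_included, local_excluded):
        print("  ", block)
    ok, bad = check_domain_against_peer(local_included, local_excluded, peer_side)
    print("Subnet pairs can match:", ok, "unmatchable peer subnets:", bad)
```

The eight fragments printed for the sample are the only subnets the local side could ever propose, and none of them equals the /24 the peer expects, which is the mismatch that surfaces as "invalid id".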

