The fixes are version dependent and lengthy. One reason is that Check Point Security Gateway dynamically supernets subnets to reduce the amount of SA overhead. When negotiating a VPN tunnel between Check Point Security Gateway and certain 3rd-party devices, IKE Quick Mode may fail if the subnets are defined differently on each end of the VPN tunnel. During IKE Quick Mode negotiation, the IP addresses which define the VPN tunnel (also known as IPsec IDs, or traffic selectors) are negotiated. The IP addresses can be a set of discrete IP addresses, or a subnet.

This is the usual scenario:

Scenario 1 - Wrong IPsec IDs are negotiated during IKE Quick Mode

Symptoms:
" log in SmartView Tracker when the Security Gateway initiates a Quick Mode.
" logs in SmartView Tracker when creating an IPsec VPN tunnel with an interoperable device.
VPN tunnel can be initiated from the 3rd-party side to the Check Point Security Gateway side, but not from the Check Point side to the 3rd-party side.
Remote Access Client cannot access internal resources over the Site-to-Site tunnel with a 3rd-party VPN peer.

If the events in the security event log are generated with a NAT IP address, they will be ignored automatically. Make sure that users do not go through a NAT (with Check Point NAT) to the firewall. You can configure this in SmartDashboard. Make sure that users / IP addresses are not ignored.

I'm getting encryption domain issues with an IKEv2 VPN with a Checkpoint peer. Hardware used is a Juniper SRX1500 on my side. Checkpoint side has to initiate the tunnel - I believe initiation from the Juniper side works. No change in VPN configuration on my side. I also had this working with "version v2-only" for two weeks with zero issues and then it suddenly stopped working again. The exact same VPN configuration works fine if we both choose "version v1-only" rather than "version v2-only" for IKE. The Checkpoint administrator says that their encryption domain has the "any" parameter for services. Juniper traffic selectors don't seem to be able to be created with services. The Checkpoint side seems to be sending services as part of their encryption domain. IKE and IPsec errors are: "Peer proposed unsupported multiple traffic-selector attributes for a single IPSec SA". The Juniper logs are showing traffic-selector mismatch issues, and both IPsec AND IKE negotiation fail. VPN with CheckPoint is my least favorite thing. CP Admin needs to go through the steps here:

The main drawback when using a reverse-proxy is that it will hide the user IP: when acting on behalf of the user, it will use its own IP address to connect to the server. There is a workaround: using a transparent proxy, but this usage can hardly pass through firewalls or other reverse-proxies, because the default gateway of the server must be the reverse-proxy.
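The supernetting behaviour described above (one peer merging adjacent subnets while the other proposes each configured subnet) is the kind of IPsec ID mismatch that breaks Quick Mode. The following is an added diagnostic, not code from Check Point, Juniper or the original page; it models the merge with `ipaddress.collapse_addresses`, which is an assumption about how the gateway supernets and may differ from the real gateway logic.

```python
"""Model why IPsec IDs (traffic selectors) can mismatch when one peer
supernets adjacent subnets and the other proposes each subnet as configured.

Assumption: supernetting is modelled with ipaddress.collapse_addresses, which
merges adjacent, equal-sized networks. The real gateway algorithm is not
documented on this page and may behave differently."""
from ipaddress import IPv4Network, collapse_addresses


def supernet(subnets):
    """Assumed supernetting model: merge adjacent networks where possible."""
    return sorted(collapse_addresses(IPv4Network(s) for s in subnets))


def selector_mismatches(local_domain, peer_selectors):
    """Return the selectors the peer expects that the local side would not
    propose verbatim after supernetting. Each one is a likely Quick Mode
    failure (wrong IPsec IDs negotiated)."""
    proposed = set(supernet(local_domain))
    expected = {IPv4Network(s) for s in peer_selectors}
    return sorted(expected - proposed)


# Constructed sample: two adjacent /25s that the supernetting side would merge
# into a single /24, while the peer expects them as two separate selectors.
LOCAL_DOMAIN = ["10.1.1.0/25", "10.1.1.128/25", "10.2.0.0/24"]
PEER_SELECTORS = ["10.1.1.0/25", "10.1.1.128/25", "10.2.0.0/24"]

if __name__ == "__main__":
    print("proposed after supernetting:", [str(n) for n in supernet(LOCAL_DOMAIN)])
    for net in selector_mismatches(LOCAL_DOMAIN, PEER_SELECTORS):
        print("peer selector not proposed verbatim:", net)
```

Selectors reported here are the ones to reconcile on both ends (define the same subnet, or the merged supernet, on each peer) before re-initiating the tunnel.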