Netgate Discussion Forum
    Checkpoint R80.40 VPN

    IPsec
    Dryad

      This post documents connecting a Checkpoint firewall to pfSense Virtual. I do not have the version details for the remote pfSense system, but hopefully this post will help others who have issues.

      The first thing we identified was that pfSense does not support encryption domain supernetting, which has been the default on Checkpoint since R77.20. This feature was global on R77.20, R77.30 and R80.10, but on R80.20 and above you can disable it on an individual community. We identified this when comparing the VPN domains on both sides of the VPN and cross-referencing them with connectivity information. Checkpoint will supernet two subnets that are aligned and offer a /21 mask for two aligned /22 subnets, which will not match the pfSense domain list. After disabling this feature on Checkpoint we managed to get the VPN stable.

      Other things that we identified were:
      IKEv2 did not work properly. Most of the time we received one-way tunnels, but returning to IKEv1 worked fine.

      Perfect Forward Secrecy with Group 2 (1024 bit) or Group 14 (2048 bit) made the VPN unstable, especially when we tried a failover and it would not reconnect properly each time.

      The VPN was finally established using IKEv1, Phase 1: AES256/SHA384/DH14, Phase 2: AES256/SHA384, no PFS and one tunnel per subnet pair.

      Hope this helps someone else; it took us several hours to figure out what features and encryption parameters worked together in a stable way.

      Dryad...

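The selector mismatch described in the post can be checked before the tunnel is brought up. The following is an added example (not code from the post or from either vendor): it models Checkpoint's supernetting as "merge adjacent subnets that form one aligned larger network" and compares the result with a pfSense Phase 2 list; the 10.20.x.x networks are constructed sample values.

```python
from ipaddress import collapse_addresses, ip_network

# Constructed sample: the same three /22 networks are configured on both sides.
# pfSense side: one Phase 2 entry per subnet pair. Checkpoint side: the
# encryption domain before supernetting is applied.
CHECKPOINT_DOMAIN = ["10.20.0.0/22", "10.20.4.0/22", "10.20.12.0/22"]
PFSENSE_PHASE2 = ["10.20.0.0/22", "10.20.4.0/22", "10.20.12.0/22"]


def supernet_domain(subnets):
    """Model encryption-domain supernetting (assumed behaviour): merge
    adjacent subnets that together form one aligned larger network, e.g.
    10.20.0.0/22 + 10.20.4.0/22 -> 10.20.0.0/21. 10.20.12.0/22 has no
    aligned neighbour in the list and is left unchanged."""
    return sorted(collapse_addresses(ip_network(s) for s in subnets))


def compare_selectors(checkpoint_subnets, pfsense_networks, supernetting=True):
    """Return (only_on_checkpoint, only_on_pfsense) as sorted CIDR strings.
    A non-empty list means the peers propose different traffic selectors,
    so that child SA will not match even though the covered address space
    is identical."""
    if supernetting:
        cp = set(supernet_domain(checkpoint_subnets))
    else:
        cp = {ip_network(s) for s in checkpoint_subnets}
    pf = {ip_network(s) for s in pfsense_networks}
    return (sorted(str(n) for n in cp - pf), sorted(str(n) for n in pf - cp))


def report(checkpoint_subnets, pfsense_networks):
    """Summarise the comparison with the Checkpoint feature enabled and disabled."""
    lines = []
    for flag in (True, False):
        cp_only, pf_only = compare_selectors(checkpoint_subnets, pfsense_networks, flag)
        state = "enabled" if flag else "disabled"
        if cp_only or pf_only:
            lines.append(f"supernetting {state}: MISMATCH - Checkpoint proposes "
                         f"{cp_only}, pfSense expects {pf_only}")
        else:
            lines.append(f"supernetting {state}: selectors match exactly")
    return lines


if __name__ == "__main__":
    for line in report(CHECKPOINT_DOMAIN, PFSENSE_PHASE2):
        print(line)
```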