Hello there.
I encountered the following issue. Our office hosts a VPN server (L2TP/IPsec) on a Checkpoint firewall; I don't know the exact model. Windows, iOS, and Android devices connect to it perfectly well. But I can't make an hAP ac2 (RouterOS 7.2.3) establish a connection to it, though I have another L2TP/IPsec server that I had no issue with.
The log shows the following message:
"notification message 17:INVALID-KEY-INFORMATION, doi=1 proto_id=3 spi=08511a9b‡j.¾í{÷Xä¦8X"
The network administrator provided me with the Checkpoint error for my connection:
"IKE failure: Quick Mode New DH Key received during Quick Mode from a peer, but Perfect Forward Secrecy is not set in the community."
Google brought me to several pages, including the Checkpoint site, which claim that the problem is with PFS (Perfect Forward Secrecy) during phase 2 of IKE, with a recommendation to turn on PFS on the Checkpoint side. I think this is not an option, as it is not recommended by the Checkpoint manual; all other clients work well with the current configuration, and such a change could harm them.
Another option is to disable PFS on the hAP side, but this does not help. I changed the IPsec proposal PFS Group from the default modp1024 to none and got another error:
"notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0c6f7361D"
I also tried all the other PFS groups with no success.
Any ideas on how to make it work?
Thank you!
Links:
https://forums.clavister.com/viewtopic.php?t=3699
https://old.ispforum.cz/viewtopic.php?t=23821
https://sc1.checkpoint.com/documents/R8 ... nd-IKE.htm
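For reference, here is the RouterOS 7 configuration the post describes (an L2TP/IPsec client with phase-2 PFS disabled), written out as an added example; it is not from the original post and does not claim to resolve the issue. The server name, username, password and IPsec pre-shared key are placeholders, and it assumes, as the post implies, that the dynamic policy the L2TP client creates uses the default IPsec proposal.

```routeros
# Added example, not from the original post. Placeholder values:
# vpn.example.com, alice, REPLACE_ME. The L2TP client is assumed to
# use the default IPsec proposal for its dynamic phase-2 policy.

# Phase 2 (Quick Mode) proposal. Out of the box pfs-group is modp1024,
# which makes RouterOS send a new DH key exchange in Quick Mode; that is
# exactly what the Checkpoint rejects when PFS is off in the community.
# pfs-group=none stops RouterOS from sending it.
/ip ipsec proposal
set [ find default=yes ] pfs-group=none

# L2TP client. use-ipsec=yes makes RouterOS create the dynamic IPsec
# peer, identity and transport-mode policy for the session.
/interface l2tp-client
add name=l2tp-office connect-to=vpn.example.com user=alice \
    password=REPLACE_ME use-ipsec=yes ipsec-secret=REPLACE_ME disabled=no

# Log the IKE negotiation in detail so the notification messages
# (14 NO-PROPOSAL-CHOSEN, 17 INVALID-KEY-INFORMATION) appear with context.
/system logging
add topics=ipsec,!packet action=memory

# Checks: a successful negotiation shows the phase-1 peer and the
# phase-2 SAs here; an empty installed-sa list means phase 2 failed.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

One thing to keep in mind when reading the second error: NO-PROPOSAL-CHOSEN in Quick Mode means the responder found none of the offered phase-2 transforms acceptable. Once pfs-group=none has removed the DH key exchange from the picture, the attributes left to compare with the Checkpoint side are the ESP encryption and authentication algorithms and the SA lifetime in the proposal above, which is what to ask the network administrator for next.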