Wednesday, May 13, 2015

Check Point And Cisco: (IPSEC VPN) Phase 2 Security Association Incompatibilities

So what is it, when you have a site to site vpn between a Check Point and Cisco firewall, its sometimes near impossible to get phase 2 combinations of encryption and hash higher than 3DES/MD5 to work out.  I have seen this often in the past.  I go with AES-256 and SHA1.  But for some reason, I get very unpredictable results.  That might mean I can ping across one minute, but the next I cant.  It has also meant that I can one way traffic.  The thing is, that when I change to 3DES/MD5, the vpn works perfectly and consistently.  So why is that?
I dont know the answer right now, but Ill certainly be looking into it.  I dont want to use 3DES/MD5.  I prefer to go higher.


  1. I've seen this too when running a tunnel between different brands of equipment...very irritating.

    1. Irritating is the nice work for it.


Your comment will be reviewed for approval. Thank you for submitting your comments.