Checkpoint & No subnet support in ike negotiations
We did have an issue with a VPN connection to our main office; the symptoms, however, were somewhat inconclusive (at least for me…).
Setup: Checkpoint R70.x at our office, some Cisco ASA at the main office.
- Perfectly able to connect to all hosts from our office to the main office
- Some hosts able to connect from the main office to our office
After some digging, I noticed some IKE messages in SmartView Tracker:
IKE: quick mode Sent Notification: no subnet support in ike negotiations
This was backed by IKE messages in ike.elg (vpn debug on, vpn debug ikeon): Quick Mode failed, and the ID type was ID_IPV4_ADDR_SUBNET, which clearly indicates that the remote firewall is trying to establish an IKE SA for the whole subnet.
OK, the message seems to be straightforward, but why are some hosts able to connect and some are not? I would expect that no host from the main office would be able to establish a connection, or that all hosts for which an SA already exists would be able to communicate back…
Anyway, here is the solution: after changing the VPN Tunnel Sharing setting from “One VPN tunnel per each pair of hosts” to “One VPN tunnel per subnet pair” (in the Interoperable Device object in the Checkpoint firewall) and adjusting “max_subnet_for_range” in user.def_FLO, we were able to get the tunnel working to its full extent.
See sk40886 and sk17544 for more details about max_subnet_for_range.
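As an added illustration (this is not code from the post, from Check Point or from Cisco), here is a small Python model of the two things the fix touches: the Phase 2 identity a gateway proposes under "per host pair" versus "per subnet pair" tunnel sharing, and the way an address range in the encryption domain gets turned into subnets no larger than a configured maximum (a simplified stand-in for max_subnet_for_range; the real semantics are in the SKs cited above). The reachability function also encodes one reading of the odd symptoms: hosts that already had a host-pair SA negotiated from our side could still receive traffic, while any new flow from the main office needed the ASA to initiate Quick Mode with a subnet ID, which a host-pair responder rejects. All addresses, host names and the ASA's behaviour are constructed assumptions for the example.

```python
"""Constructed model of Quick Mode proxy-ID handling and range-to-subnet
splitting. Illustration only; not the vendors' implementation."""
import ipaddress

# Notification text as it appears in SmartView Tracker in the post.
NO_SUBNET_SUPPORT = "no subnet support in ike negotiations"

# Tunnel-sharing modes of the Interoperable Device object (names assumed).
HOST_PAIR = "host_pair"      # "One VPN tunnel per each pair of hosts"
SUBNET_PAIR = "subnet_pair"  # "One VPN tunnel per subnet pair"


def local_proxy_id(host, domain_subnet, tunnel_sharing):
    """Phase 2 ID a gateway proposes for its own side, as (id_type, network)."""
    if tunnel_sharing == HOST_PAIR:
        return ("ID_IPV4_ADDR", f"{host}/32")
    if tunnel_sharing == SUBNET_PAIR:
        return ("ID_IPV4_ADDR_SUBNET", str(ipaddress.ip_network(domain_subnet)))
    raise ValueError(f"unknown tunnel sharing mode: {tunnel_sharing}")


def quick_mode(responder_sharing, responder_domain, proposed_id):
    """Responder-side check of the peer's proposal for *our* side of the tunnel.

    proposed_id is (id_type, network). Returns (accepted, note)."""
    id_type, net = proposed_id
    if id_type == "ID_IPV4_ADDR_SUBNET" and responder_sharing == HOST_PAIR:
        # A host-pair responder only accepts single-host IDs: the post's failure.
        return (False, NO_SUBNET_SUPPORT)
    if not ipaddress.ip_network(net).subnet_of(ipaddress.ip_network(responder_domain)):
        return (False, "proposal outside encryption domain")
    return (True, "SA established")


def reachable_from_main_office(main_host, our_host, established_sas,
                               our_sharing, our_domain):
    """Can traffic from main_host reach our_host?

    established_sas: set of (main_host, our_host) pairs already negotiated
    from our side. In this model the ASA always initiates with a subnet ID."""
    if (main_host, our_host) in established_sas:
        return (True, "existing SA")
    asa_proposal = ("ID_IPV4_ADDR_SUBNET", str(ipaddress.ip_network(our_domain)))
    return quick_mode(our_sharing, our_domain, asa_proposal)


def subnets_for_range(first, last, max_prefix):
    """Split an address range into aligned subnets no larger than /max_prefix.

    Simplified model of max_subnet_for_range: larger summarised blocks are cut
    down to /max_prefix pieces. Returns CIDR strings."""
    out = []
    for block in ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                                   ipaddress.ip_address(last)):
        if block.prefixlen < max_prefix:
            out.extend(str(s) for s in block.subnets(new_prefix=max_prefix))
        else:
            out.append(str(block))
    return out


def simulate():
    """Constructed scenario: our office 10.1.1.0/24, main office 192.0.2.0/24.

    One host-pair SA exists because 10.1.1.5 already talked to 192.0.2.10."""
    sas = {("192.0.2.10", "10.1.1.5")}
    return {
        "host_pair_known_host": reachable_from_main_office(
            "192.0.2.10", "10.1.1.5", sas, HOST_PAIR, "10.1.1.0/24"),
        "host_pair_new_host": reachable_from_main_office(
            "192.0.2.10", "10.1.1.6", sas, HOST_PAIR, "10.1.1.0/24"),
        "subnet_pair_new_host": reachable_from_main_office(
            "192.0.2.10", "10.1.1.6", sas, SUBNET_PAIR, "10.1.1.0/24"),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
    print(subnets_for_range("10.1.0.0", "10.1.3.255", 24))
```

Running the block prints the three scenarios: the host with an existing SA works, the new host fails with the exact notification from the tracker under host-pair sharing, and it succeeds once sharing is per subnet pair. The last line shows a /22 range being cut into four /24 subnets when the maximum is a /24.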
