Issue

Check Point have now replaced the “Support Key Exchange for subnets” with “VPN Tunnel Sharing” for Traditional mode VPN`s.

The problem this causes is when you upgrade to R65 is that the “Support Key Exchange for subnets”  setting isn’t transferred. With all Traditional VPN`s being set to "One VPN tunnel per subnet

pair" as default.

You may experience the following error if “One VPN Tunnel per each pair of hosts” is not ticked, but required,

                 IKE: Quick Mode Received Notification from Peer: no proposal chosen

Solution

To prevent any issues prior to upgrade note whether the “Support Key Exchange for subnets” is enabled on the interoperable device. Once you have upgraded the Check Point package you can make the following change in R65 with reference to the previous setting that was noted before the upgrade.

R55 - Support key exchange for subnets  = Ticked      ---> R65 – "VPN Tunnel Sharing | Custom Settings | One VPN Tunnel per subnet pair" = Ticked
R55 - Support key exchange for subnets  = Unticked   --->  R65 – "VPN Tunnel Sharing | Custom Settings | One VPN Tunnel per each pair of hosts" = Ticked