VPN Security Risk - Subnet Key Exchange

Contributor
April 19, 2005
Question

  • 6 replies
  • 4062 views
We are trying to setup a VPN tunnel to a supplier with a Checkpoint NG/AI Firewall. The supplier only provides Host Key Exchange as they say that there is a security risk with Subnet Key Exchange. Have searched the various groups/net, but been unable to find anything on these risks - is this them being lazy or is there something in this? Dan

    6 replies

    Contributor
    April 19, 2005
    I assume you're referring to the subnet range being shared; this is normal and doesn't involve a security risk. If they are 'scared' to share the subnet they can redefine their VPN policies and change the subnet to be shared so that it only encompasses the servers that need to be accessed.
    Contributor
    April 20, 2005
    This is all I thought they would do. But they are on about Subnet Key Exchange during the phase 2 IKE process. On their Checkpoint box they untick "Support Key Exchange on Subnets" and of course we can't connect using our Fortigate, as they only do Subnet Key Exchange, not Host. Does anyone else know more about this? Thanks in advance, Dan
    Contributor
    April 20, 2005
    The problem is that most VPN devices (Cisco, FGT) do not support key exchange for subnets. This is not a security issue, but a configuration issue. Although I agree that you want an SA for each and every connection, it does cost you resources; this imho is the main reason Check Point uses Key Exchange for Subnets. The "security risk" is that the same SA (key set) is used for more than one connection (it is used for a complete subnet), but for most companies this is an acceptable risk. I'd just leave it the way it is now; if it works, you're fine.
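The trade-off described in the reply above (one phase 2 SA shared by a whole subnet versus one SA per host pair, and the negotiation failure when the two ends propose different proxy ID types) can be made concrete with a small model. The following Python is an added example, not code from the original thread or from Fortinet or Check Point; it models IKEv1 Quick Mode selectors as /32 (ID_IPV4_ADDR) or wider (ID_IPV4_ADDR_SUBNET) prefixes, and reduces the responder's policy to a single assumed flag (`peer_supports_subnet_ids`) standing in for the Check Point "Support Key Exchange for Subnets" setting. Real responders compare proxy IDs in more detail than this; the addresses and flows are constructed sample data.

```python
"""Model of IKEv1 Quick Mode selector negotiation: host vs subnet key exchange."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Selector:
    """One Quick Mode IDci/IDcr (proxy ID) pair.
    A /32 prefix models ID_IPV4_ADDR, a wider prefix models ID_IPV4_ADDR_SUBNET."""
    local: IPv4Net
    remote: IPv4Net

    def is_host_pair(self) -> bool:
        return self.local.prefixlen == 32 and self.remote.prefixlen == 32

    def covers(self, src: str, dst: str) -> bool:
        """Does an existing SA with these selectors carry this src->dst flow?"""
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote)


class NegotiationFailed(Exception):
    pass


def peer_accepts(sel: Selector, peer_supports_subnet_ids: bool) -> bool:
    """Simplified responder policy (an assumption for this model, not Check Point's
    actual logic): a peer with subnet key exchange disabled only installs
    host-to-host proxy IDs, so any selector wider than /32 is rejected."""
    return peer_supports_subnet_ids or sel.is_host_pair()


class SADatabase:
    """The initiator's phase 2 SA table and its Quick Mode proposal rule."""

    def __init__(self, local_net: str, remote_net: str,
                 per_subnet: bool, peer_supports_subnet_ids: bool) -> None:
        self.local_net = IPv4Net(local_net)
        self.remote_net = IPv4Net(remote_net)
        self.per_subnet = per_subnet                     # True: FortiGate-style subnet IDs
        self.peer_supports_subnet_ids = peer_supports_subnet_ids
        self.sas: Dict[Selector, int] = {}               # selector -> SA number
        self.quick_modes = 0                             # Quick Mode exchanges run

    def _proposed_selector(self, src: str, dst: str) -> Selector:
        if self.per_subnet:
            return Selector(self.local_net, self.remote_net)
        return Selector(ipaddress.ip_network(f"{src}/32"),
                        ipaddress.ip_network(f"{dst}/32"))

    def send(self, src: str, dst: str) -> Selector:
        """Find an SA for the flow, negotiating a new one if none covers it."""
        if (ipaddress.ip_address(src) not in self.local_net
                or ipaddress.ip_address(dst) not in self.remote_net):
            raise ValueError("flow is outside the VPN policy")
        for sel in self.sas:
            if sel.covers(src, dst):
                return sel                               # reuse shared key set
        sel = self._proposed_selector(src, dst)
        if not peer_accepts(sel, self.peer_supports_subnet_ids):
            raise NegotiationFailed(f"peer rejected proxy IDs {sel.local} <-> {sel.remote}")
        self.quick_modes += 1
        self.sas[sel] = self.quick_modes
        return sel


def simulate(flows: Iterable[Tuple[str, str]], per_subnet: bool,
             peer_supports_subnet_ids: bool,
             local_net: str = "10.1.0.0/24",
             remote_net: str = "192.168.5.0/24") -> Tuple[int, int]:
    """Return (SAs negotiated, flows that failed) for a traffic pattern."""
    db = SADatabase(local_net, remote_net, per_subnet, peer_supports_subnet_ids)
    failed = 0
    for src, dst in flows:
        try:
            db.send(src, dst)
        except NegotiationFailed:
            failed += 1
    return len(db.sas), failed


# Constructed sample traffic: three internal hosts each talking to two supplier
# servers, with every flow repeated once to show SA reuse.
SAMPLE_FLOWS = [(f"10.1.0.{h}", f"192.168.5.{s}")
                for h in (10, 11, 12) for s in (20, 21)] * 2

if __name__ == "__main__":
    print("subnet IDs, peer accepts subnets:", simulate(SAMPLE_FLOWS, True, True))
    print("host IDs,   peer host-only:      ", simulate(SAMPLE_FLOWS, False, False))
    print("subnet IDs, peer host-only:      ", simulate(SAMPLE_FLOWS, True, False))
```

Run with the sample flows, the subnet-ID case negotiates a single SA that every host pair then shares, the host-ID case negotiates one SA per host pair (six here, growing with the number of pairs), and the mismatched case, a subnet-ID initiator against a host-only responder, fails every flow, which is the symptom the thread describes.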
    Contributor
    April 20, 2005
    Zedd, sorry for the confusion, but FGT do support Subnet Key Exchange. They don't support Host Key Exchange, but Checkpoint do. The problem is the supplier only uses Host Key Exchange for VPNs and say Subnet Key Exchange is a security risk. We want to find out if they are talking rubbish! Thanks, Dan
    Contributor
    April 20, 2005
    You're right - sorry for the mixup :)
    Contributor
    April 30, 2005
    This issue has been recently identified as BUG# 26595 and will be implemented in the next maintenance release, which is expected end of May. However, if people are having the same problem, you will need to get interim build 420 from support, which has the fix in it. Dan
    Adrian_Lewis
    New Member
    May 2, 2005
    I think I created this bug recognition. Had the same problem with a 400A and a 3rd party Checkpoint VPN endpoint. Kept pestering Fortinet, referring to the RFCs as well as the results from their ICSA Labs test on the FG60, and eventually they gave in and promised a fix. MR10 is projected for the end of May, but as Dan has mentioned, the interim build with the fix is available now with the appropriate support contract.