topic Re: IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction. in Firewall and Security Management

IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

fcecilia — Tue, 24 Mar 2020 08:28:18 GMT

Hi!,

I have a problem creating a VPN between checkpoint and fortinet. The VPN is up but I only have traffic (for example ping) in the direction of Fortinet towards checkpoint.

The rules is well created as other community VPNs that work fine.
Do you know if there is any special configuration so that there is traffic on the VPN in the direction Checkpoint-> Fortinet?

The community VPN configuration of the checkpoint is the same as that installed with other FWs such as Dlinks firewalls and Dlink works fine.

My checkpoint model is 5600 Appliance, running 80.10 Gaia SO.

My configuration:

-Destination firewallL: IP public

-Ike v1

-main mode

-encryption AES.

-VPN tunnel per subnet

- local and remote network are /24 mask

Regards.

Re: IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

_Val_ — Tue, 24 Mar 2020 10:57:22 GMT

Look for drop logs. If nothing, fw ctl zdebug drop.

Also, check routes. Fortinet VPN domain should be routed to the external interface of your CP FW.

Re: IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

fcecilia — Tue, 24 Mar 2020 11:18:07 GMT

Fortinet VPN domain should be routed to the external interface of your CP FW. -> This is done moreover, I configure IPSEC vpn between two fortis with the policies and routes and it works well. (attach photo).

fw ctl zdebug drop -> I will try this command but in the tracert window Gaia I get the packets with encrypted VPN accepted. Should I run that command out of production?I have read that it could lower the performance of the Fw.

Thanks and Regards!

Re: IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

_Val_ — Tue, 24 Mar 2020 11:41:02 GMT

You keep sending me pictures from Forti. There is no point.

If I understand you correctly, with the tunnel up, you can reach CP VPN domain from Forti side, but the opposite does not work. Is it correct?

If yes, check what happens with the traffic on Check Point side. Is it sent to the tunnel? Is it dropped? Is it routed somewhere else, clear text? Depending on the answer, we can point a finger to the issue and fix

Re: IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

fcecilia — Tue, 24 Mar 2020 12:11:19 GMT

CP VPN domain is up also but I cant ping to fortinet subnet.

Ok I going to run fw ctl zdebug tool.

Re: IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

_Val_ — Tue, 24 Mar 2020 12:48:31 GMT

On CP, do you have FW rules allowing connectivity to the remote VPN site?

Re: IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

Timothy_Hall — Tue, 24 Mar 2020 15:34:41 GMT

The Fortinet can successfully initiate to the Check Point because when the Check Point is the responder it is not picky about getting an exact match for the IKE Phase 2 subnets/Proxy-IDs proposed by the Fortinet, as long as the proposed subnets fall completely within the defined VPN domains for both peers the Check Point will accept it.

However when the Check Point is the initiator, as the responder the Fortinet is VERY PICKY and its subnets configuration must exactly match what is being proposed by the Check Point or it will fail. Everything including subnet mask length must match exactly. See my response in this thread for how to force the Check Point to propose exactly what the Fortinet wants so it will match exactly:

https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-fortigate-v5-6-and-CheckPoint-R80-10/m-p/10062

Alternatively, if you are using R80.40+ on both management and gateway, there is a new capability to create user-defined VPN domains for both participating gateways on a per-community basis that will give you the granularity needed to match what the Fortinet is expecting in the Phase 2 proposal from the Check Point. You will also experience this same "picky" behavior with Juniper and Sonicwall among others.

Re: IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

fcecilia — Wed, 25 Mar 2020 09:29:45 GMT

The remote subnet (192.168.0.X/24) and the local subnet (10.190.0.X/24) are correctly configured with mask / 24 both. I will try to do the configuration proposed in Scenario 1 of sk108600 and see if it works. My version is R80.10.
Thanks!

Re: IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

fcecilia — Wed, 25 Mar 2020 09:30:41 GMT

Yes, I have the rules allowing connectivity to Fortinet.

Re: IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

oscars — Mon, 08 Nov 2021 22:50:02 GMT

Hi, I have a similar problem with a fortinet. Attach you an image. The VPN issue is about IKE when I need connect the checkpoint to Fortinet. I followed all instructions from How to set up a Site-to-Site VPN with a 3rd-party remote gateway. Can you help me?