topic Re: Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall in Firewall and Security Management

Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

kennyt — Tue, 10 May 2022 03:59:39 GMT

HI there,

newbie here, trying to establish a IPSEC VPN to 3rd party Fortigate FW.

below are the logs from Fortigate as i cant find anything much from CP debug IKE.ELG log.

Phase 1 passes except Phase 2(refer to pic or below).

peer proposal is : peer:0:192.168.1.251-192.168.1.251:0, me:0:192.168.200.0-192.168.200.255:0

is the ip in red should be my lan 192.168.220.254 address to correct the issue?

tried many settings but still get there error. where should i config to get the correct peer proposal?

My info:

External: 192.168.1.251, LAN: 192.168.220.254

Peer info:

External: 192.168.0.253, LAN: 192.168.200.1

Re: Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

Ruan_Kotze — Tue, 10 May 2022 09:46:23 GMT

Looks like the encryption domain on your gateway is blank (are you using route-based VPN's?) or is not matching what the FG expects.

One option might be to use the Encryption Domain per Community functionality, and make your encryption domain for this community contain something like 192.168.220.0/24 (assuming that's what you have configured on the FG side) and then see what the FG debugs say. Also try disabling NAT inside the community.

Re: Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

G_W_Albrecht — Tue, 10 May 2022 07:33:42 GMT

See sk108600: VPN Site-to-Site with 3rd party for basic issues in CP to 3rd party VPN. I would suggest capturing the traffic and analyze using wireshark - see sk34467: Debugging Site-to-Site VPN.

Re: Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

G_W_Albrecht — Tue, 10 May 2022 08:51:11 GMT

192.168.200.220.254 ???

Re: Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

kennyt — Tue, 10 May 2022 09:18:08 GMT

HI,

I'm actually refer to sk108600 to setup these connection

Re: Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

Ruan_Kotze — Tue, 10 May 2022 09:28:50 GMT

Good catch, corrected. OP's LAN IP.

Re: Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

G_W_Albrecht — Tue, 10 May 2022 10:30:19 GMT

You should rather refer to Site to Site VPN R81.10 Administration Guide p.41: VPN with Interoperable Device for configuration, sk108600 is for troubleshooting / debugging.

Re: Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

kennyt — Tue, 10 May 2022 14:36:57 GMT

Hi,

i'm using domain-based VPN

Re: Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

kennyt — Tue, 10 May 2022 14:37:41 GMT

Hi,

Will lookup to it.

Thanks