topic Re: IP SEC VPN - Problem with tunnel IP in Firewall and Security Management

IP SEC VPN - Problem with tunnel IP

Mando_92 — Thu, 28 Jul 2022 10:34:30 GMT

I have an ipsec vpn between a Fortinet firewall (Fortigate 100D version 6.2.10) and a Check Point firewall (version R81.10)
The problem I am having is the following:

In phase 2 the firewalls negotiate subnets 172.17.1.0/24 (Check Point side) and 172.17.2.0/24 (Fortigate side). Phase 2 goes up correctly and when calls are made from the Fortigate the connection is successful.

On the other hand, when the connection is initialized by Check Point even though tunnel 172.17.1.0/24 172.17.2.0/24 has been negotiated, Check Point tries to negotiate a new tunnel with the specific IP of the client that is trying the connection. The tunnel is rejected by Fortigate as it is not the one agreed upon and from the logs I receive the no response from peer error.

Is there a setting on the Check Point to eliminate this problem ?

Thanks

Re: IP SEC VPN - Problem with tunnel IP

G_W_Albrecht — Thu, 28 Jul 2022 10:52:01 GMT

Looks similar to sk165003: When Security Gateway initiates VPN tunnel with 3rd Party peer using IKEv2, VPN tunnel is forced to NAT-T and traffic fails But this has been fixed in R81. So i would suggest to look at Scenario 3 in sk108600: VPN Site-to-Site with 3rd party.

Re: IP SEC VPN - Problem with tunnel IP

Mando_92 — Thu, 28 Jul 2022 14:30:24 GMT

Thanks for response!

But the sk165003 and sk108600 indicate by you is NOT the problem encountered (NAT traversal) or Scenario 3 of second sk.

Although a tunnel for the entire subnet has been negotiated /24 Check Point tries to set up a new tunnel for specific ip belonging to that subnet.

What configuration parameters can I affect this thing ?

Thanks

*****************************************************
*****************************************************

I solved the problem by adding on the Fortigate (encryption domain) side the specific ip of the Check Point subnet that establish the connections