topic Re: VPN Configuration between Check Point and FortiGate in Firewall and Security Management

VPN Configuration between Check Point and FortiGate

arvindteemul1 — Tue, 29 Apr 2025 04:24:11 GMT

Hi Mates,

A VPN has been configured between a Check Point R81 and Fortinet version 7.6 firewalls. After the initial VPN configuration, traffic is successfully traversing the two firewalls. If there is no traffic continually traversing the VPN for more than an hour, then the VPN appears to be broken and does not allow any traffic outbound from Check Point, unless the VPN reconfiguration is carried out on the Check Point firewall, however inbound traffic to the Check Point firewall is working fine.

Any suggestions to fix this?

Re: VPN Configuration between Check Point and FortiGate

Gaurav_Pandya — Tue, 29 Apr 2025 10:55:25 GMT

Enable permanent tunnel option with specific community and test.

Re: VPN Configuration between Check Point and FortiGate

Don_Paterson — Tue, 29 Apr 2025 11:18:34 GMT

@arvindteemul1

The Permanent Tunnels feature will send a UPD 18234 packet (tunnel testing) which is proprietary, so the FN gateway will not understand it. It may work just because of the traffic flow in the tunnel.

What do the logs say?

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Tunnel-Management.htm?Highlight=Permanent

Re: VPN Configuration between Check Point and FortiGate

the_rock — Tue, 29 Apr 2025 12:00:17 GMT

Ah, fortiOS 7.6.x, lots of new features, but still feature release, so I would stick with 7.4, which is latest mature code : - )

Anywho...make sure on Fortigate, setting auto keep alive is enabled and on CP exactly what the guys mentioned.

Andy

Re: VPN Configuration between Check Point and FortiGate

Lesley — Tue, 29 Apr 2025 11:57:19 GMT

Sounds like VPN timers are not the same on both sides. Would check p1 and p2 on both side and make sure they match.

Are you sure you run R81? and not R81.10 or R81.20? If so upgrade due EOL status

Re: VPN Configuration between Check Point and FortiGate

Don_Paterson — Tue, 29 Apr 2025 12:03:36 GMT

https://support.checkpoint.com/results/sk/sk108600

Re: VPN Configuration between Check Point and FortiGate

the_rock — Tue, 29 Apr 2025 12:07:58 GMT

Always great sk to refer to, Don.

Re: VPN Configuration between Check Point and FortiGate

Duane_Toler — Tue, 29 Apr 2025 13:25:17 GMT

On hour is default phase2 re-key timer (as @Lesley noted. Be sure your implied rules enable VPN control connections and that you aren't trying to control IKE, IPsec, and (if applicable) NAT-T connections in your security policy.

Re: VPN Configuration between Check Point and FortiGate

arvindteemul1 — Tue, 29 Apr 2025 14:33:09 GMT

thanks to all for your input...awaiting access to the firewall to check on the suggested items...will keep you posted!

On another note, while I'm cross referencing another firewall, I came across a typo in the Implied Policy section of R81.20, see attached:

Re: VPN Configuration between Check Point and FortiGate

the_rock — Tue, 29 Apr 2025 14:35:59 GMT

Personally, I would never change those without checking with TAC first.

Andy

Re: VPN Configuration between Check Point and FortiGate

Duane_Toler — Tue, 29 Apr 2025 14:56:37 GMT

You have Remote Access control connections disabled. This needs to be enabled for all of IPsec to function. You also have Accept ICMP Requests enabled, which is not the default (and you almost certainly do not want this). Someone has modified these implied rules in the past. You should review the defaults again and re-align these.. Here's a screenshot from sk179346.

https://sc1.checkpoint.com/sc/SolutionsStatics/sk179346/implied%20rules202205261210461.png