Question in Site 2 Site VPN with Fortigate

Hello ~



I just built a VPN between a Fortigate and a Check Point.

 

I can ping from the Fortigate client side.

 

But when I ping from the Check Point client side, I see the error log below:

 

[attached image: WhatsApp Image 2020-04-29 at 6.17.25 PM.jpeg]

 

Might I have some tips on it?

The Fortigate will silently drop your Phase 2 proposal if the Proxy-IDs (subnets) proposed by the Check Point do not exactly match the configuration on the Fortigate.  When the Fortigate initiates, its Phase 2 proposal will be accepted by the Check Point even if it doesn't match the VPN domain subnets exactly.  See scenario 1 of this SK for the solution: sk108600: VPN Site-to-Site with 3rd party

In R80.40+ you can customize the VPN domains per VPN Community in the SmartConsole to send the exact Phase 2 Proxy-IDs the Fortigate is expecting, without having to hack the user.def file as described above.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Thanks!

Might I know if I can keep the Fortigate using 0.0.0.0/0.0.0.0 for Phase 2 but use a static route on the CP to let traffic pass through my expected route to a VPN tunnel?

If the Fortigate is proposing a universal tunnel (0.0.0.0/0's) it may be using a route-based VPN.  Setting VPN Tunnel Sharing to "one tunnel per gateway pair" on the Check Point should get things working as far as the Phase 2 negotiation.  Are you using VPN domains or routes on the Check Point side to determine which traffic needs to enter the VPN tunnel? (i.e. "interesting" traffic)

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
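The two replies above describe a Phase 2 behaviour that is easy to mis-diagnose from the logs alone: when the Check Point initiates, it proposes one Proxy-ID pair per VPN-domain subnet pair (or a single universal pair with "one tunnel per gateway pair"), and the Fortigate silently drops any proposal that does not exactly equal one of its configured selectors. The following is an added example, written for this page and not code from the thread, Check Point or Fortinet; it models that behaviour so you can audit both configurations offline before touching either box. The subnets are constructed sample values, and the rule that "one tunnel per gateway pair" collapses the proposals into a single 0.0.0.0/0 pair is an assumption of the model, not a documented API.

```python
from ipaddress import ip_network
from itertools import product

# Constructed sample configuration (not taken from the thread).
# Check Point side: VPN domains of the two gateways in the community.
CP_LOCAL_DOMAIN = ["10.10.0.0/24", "10.10.1.0/24"]
CP_REMOTE_DOMAIN = ["192.168.50.0/24"]
# Fortigate side: Phase 2 selectors as (source, destination) from its own point of view.
FG_PHASE2_STRICT = [("192.168.50.0/24", "10.10.0.0/24")]
FG_PHASE2_UNIVERSAL = [("0.0.0.0/0", "0.0.0.0/0")]

UNIVERSAL = ip_network("0.0.0.0/0")


def cp_proposals(local, remote, one_tunnel_per_gateway_pair=False):
    """Proxy-ID pairs (cp_local, cp_remote) the Check Point sends when it initiates
    Phase 2. One pair per (local subnet, remote subnet) combination by default;
    'one tunnel per gateway pair' is modelled as a single universal pair (assumption)."""
    if one_tunnel_per_gateway_pair:
        return [(UNIVERSAL, UNIVERSAL)]
    return [(ip_network(l), ip_network(r)) for l, r in product(local, remote)]


def fortigate_selectors(fg_phase2):
    """Re-express Fortigate (src, dst) selectors as (cp_local, cp_remote) pairs so the
    two sides compare directly: the Fortigate's dst is the Check Point's local side."""
    return [(ip_network(dst), ip_network(src)) for src, dst in fg_phase2]


def audit_phase2(local, remote, fg_phase2, one_tunnel_per_gateway_pair=False):
    """Return a list of (proposal, status, covering_selector).

    status is 'exact' when a Fortigate selector pair equals the proposal (accepted),
    or 'dropped' when none does, which per the thread means the Fortigate silently
    discards it. For dropped proposals, covering_selector is the Fortigate selector
    that merely contains the proposal (e.g. a /16 or 0.0.0.0/0), if any: the usual
    reason a tunnel works from the Fortigate side but not from the Check Point side."""
    fg = fortigate_selectors(fg_phase2)
    results = []
    for prop in cp_proposals(local, remote, one_tunnel_per_gateway_pair):
        if prop in fg:
            results.append((prop, "exact", None))
            continue
        covering = [s for s in fg if prop[0].subnet_of(s[0]) and prop[1].subnet_of(s[1])]
        results.append((prop, "dropped", covering[0] if covering else None))
    return results


def all_accepted(results):
    """True only when every Check Point-initiated proposal would be accepted."""
    return all(status == "exact" for _, status, _ in results)


if __name__ == "__main__":
    scenarios = [
        ("strict selectors", FG_PHASE2_STRICT, False),
        ("universal selectors, one tunnel per subnet pair", FG_PHASE2_UNIVERSAL, False),
        ("universal selectors, one tunnel per gateway pair", FG_PHASE2_UNIVERSAL, True),
    ]
    for name, selectors, per_gateway in scenarios:
        print(f"== {name} ==")
        for prop, status, covering in audit_phase2(CP_LOCAL_DOMAIN, CP_REMOTE_DOMAIN,
                                                   selectors, per_gateway):
            note = f" (contained in {covering[0]} <-> {covering[1]})" if covering else ""
            print(f"  {prop[0]} <-> {prop[1]}: {status}{note}")
```

Running it shows the three situations in the thread: with strict selectors the second VPN-domain subnet (10.10.1.0/24) has no matching Fortigate selector and is dropped; with a universal Fortigate selector but per-subnet tunnels on the Check Point every proposal is dropped even though 0.0.0.0/0 contains it; and with "one tunnel per gateway pair" the single universal proposal matches exactly, which is the fix the second reply suggests for a route-based Fortigate VPN.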