Nickel

Re: Site to Site VPN between Checkpoint and Palo Alto Firewalls

They have Cisco and Fortinet firewalls set up with this configuration, but they don't have any Check Point setup we can refer to.

0 Kudos
Admin

Re: Site to Site VPN between Checkpoint and Palo Alto Firewalls

Nickel

Re: Site to Site VPN between Checkpoint and Palo Alto Firewalls

Finally the issue got resolved. We added the encryption domain to the Check Point gateway and NATed the public IP (or NAT IP) the customer provided.

(For information purposes): we used a Mesh community for the configuration.

Thank you so much, guys! Really appreciate your help and support.

Admin

Re: Site to Site VPN between Checkpoint and Palo Alto Firewalls

No problem, I am glad the issue is resolved.

0 Kudos

Re: Site to Site VPN between Checkpoint and Palo Alto Firewalls

Hi Tim/Valeri,

I have the same problem: establishing a tunnel between a Check Point FW and a Palo Alto (it is in Azure). The tunnel is UP at both ends but traffic is not passing. We can see traffic being encrypted into the tunnel but not reaching the peer end. I have tried all the scenarios suggested in this thread.

Check Point side: Domain Based VPN

Palo Alto side: Route Based VPN

On the Check Point side, I toggled between subnet pair and gateway pair in tunnel management.

On the Palo Alto side, I gave specific proxy IDs.

But traffic is still not passing even though the tunnel is UP.

0 Kudos

Re: Site to Site VPN between Checkpoint and Palo Alto Firewalls

Please provide the Key Exchange logs indicating that IKE Phase 1 has completed (Main Mode) and the log indicating that IKE Phase 2 has completed (Quick Mode).  My guess is you won't find the latter one as only the Phase 1 tunnel is up, which is why traffic is not passing.


Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Nickel

Re: Site to Site VPN between Checkpoint and Palo Alto Firewalls

I am attempting a site-to-site VPN with a Palo Alto and Check Point R80.10 in a lab before trying it in production, and I am still stuck trying to get phase 2 to negotiate.

On the Check Point I am using a star VPN topology, "One VPN tunnel per subnet pair", and the encryption domain contains the one and only network behind the Check Point: 10.10.10.0/24.

On the Palo Alto side I have a static route configured to 10.10.10.0/24 with the route's interface being the VPN tunnel. I have tried with a proxy ID of local 10.30.30.0/24 (behind the Palo Alto), remote 10.10.10.0/24, and without any proxy ID. I tried to configure a proxy ID of 0.0.0.0/0 0.0.0.0/0 with a protocol of 0 (Palo Alto won't accept this config) as well as "any".

On the Check Point side I get "IKE failure", "Encryption Failure: no response from peer.", and on the Palo Alto:

2020-01-22 15:18:17.480 -0500 [PNTF]: { 2: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 172.16.1.30[500]-172.16.1.10[500] message id:0xBEC56C26 <====
2020-01-22 15:18:17.480 -0500 [ERR ]: { 2: }: can't find matching selector
2020-01-22 15:18:17.480 -0500 [PERR]: { 2: }: failed to get sainfo.
2020-01-22 15:18:17.480 -0500 [ERR ]: failed to pre-process packet.


Any ideas?

0 Kudos
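Added example (not from this thread or from either vendor's code): a small Python helper that classifies the Palo Alto ikemgr log excerpt above by Phase 2 outcome, and models whether a Check Point tunnel-management setting (subnet pair vs gateway pair) yields Quick Mode selectors that a Palo Alto proxy ID matches exactly. The functions, the simplified Check Point selector model and the "PHASE-2 NEGOTIATION SUCCEEDED" marker are assumptions of this example, not something the thread states.

```python
import ipaddress
import re

# Constructed sample: the ikemgr.log excerpt quoted in the post above.
SAMPLE_LOG = """\
2020-01-22 15:18:17.480 -0500 [PNTF]: { 2: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 172.16.1.30[500]-172.16.1.10[500] message id:0xBEC56C26 <====
2020-01-22 15:18:17.480 -0500 [ERR ]: { 2: }: can't find matching selector
2020-01-22 15:18:17.480 -0500 [PERR]: { 2: }: failed to get sainfo.
2020-01-22 15:18:17.480 -0500 [ERR ]: failed to pre-process packet.
"""

# date, time, UTC offset, [LEVEL], optional "{ n: }:" tunnel tag, then the message
LINE_RE = re.compile(r"^\S+ \S+ \S+ \[(?P<level>[A-Z ]+)\]: (?:\{ \d+: \}: )?(?P<msg>.*)$")

def phase2_status(log_text):
    """Classify the Quick Mode outcome seen in ikemgr log lines."""
    started = False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines such as "====> Initiated SA ..." carry no level
        msg = m.group("msg")
        if "PHASE-2 NEGOTIATION STARTED" in msg:
            started = True
        elif "can't find matching selector" in msg:
            return "selector_mismatch"  # the peer's proxy IDs do not match ours
        elif "PHASE-2 NEGOTIATION SUCCEEDED" in msg:  # assumed success marker, not on the page
            return "completed"
    return "started_no_result" if started else "no_phase2"

def _net(s):
    return ipaddress.ip_network(s, strict=False)

def checkpoint_proposals(local_domain, remote_domain, per_subnet_pair=True):
    """Selectors Check Point offers in Quick Mode (simplified model, an assumption here):
    per subnet pair -> every (local subnet, remote subnet) combination of the two
    encryption domains; per gateway pair -> one universal 0.0.0.0/0 <-> 0.0.0.0/0 tunnel."""
    if not per_subnet_pair:
        return {(_net("0.0.0.0/0"), _net("0.0.0.0/0"))}
    return {(_net(l), _net(r)) for l in local_domain for r in remote_domain}

def paloalto_accepts(proposals, proxy_ids):
    """IKEv1 Quick Mode on a route-based Palo Alto needs an exact proxy-ID match.
    proxy_ids are (local, remote) from the Palo Alto's point of view, so sides are swapped.
    An empty proxy-ID list means the Palo Alto offers 0.0.0.0/0 <-> 0.0.0.0/0."""
    pa = {(_net(l), _net(r)) for l, r in proxy_ids} or {(_net("0.0.0.0/0"), _net("0.0.0.0/0"))}
    return any((r, l) in pa for l, r in proposals)
```

Running phase2_status over a real ikemgr.log tells you whether the failure is the Phase 2 selector mismatch Tim describes rather than a Phase 1 problem; the two selector functions let you check a planned encryption-domain/proxy-ID pairing before committing it.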