Ivory

IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

Hi!

I have a problem creating a VPN between Check Point and Fortinet. The VPN is up, but I only have traffic (for example ping) in the direction from Fortinet towards Check Point.

The rules are well created, as in other community VPNs that work fine.
Do you know if there is any special configuration needed so that there is traffic on the VPN in the direction Check Point -> Fortinet?

The community VPN configuration of the Check Point is the same as that installed with other FWs such as D-Link firewalls, and the D-Link works fine.

My Check Point model is a 5600 Appliance, running 80.10 Gaia OS.

My configuration:

- Destination firewall: public IP
- IKE v1
- Main mode
- Encryption: AES
- VPN tunnel per subnet
- Local and remote networks both have a /24 mask

Regards.

8 Replies
Admin

Look for drop logs. If nothing, fw ctl zdebug drop. 

Also, check routes. Fortinet VPN domain should be routed to the external interface of your CP FW.

Ivory

Fortinet VPN domain should be routed to the external interface of your CP FW. -> This is done. Moreover, I configured an IPsec VPN between two Fortis with the policies and routes, and it works well (photo attached).

fw ctl zdebug drop -> I will try this command, but in the Gaia tracert window I get the packets with encrypted VPN accepted. Should I run that command outside of production? I have read that it could lower the performance of the FW.

Thanks and Regards!

Admin

You keep sending me pictures from Forti. There is no point.

If I understand you correctly, with the tunnel up, you can reach CP VPN domain from Forti side, but the opposite does not work. Is it correct?

If yes, check what happens with the traffic on the Check Point side. Is it sent to the tunnel? Is it dropped? Is it routed somewhere else, clear text? Depending on the answer, we can point a finger at the issue and fix

Ivory

CP VPN domain is up also, but I can't ping the Fortinet subnet.

OK, I'm going to run the fw ctl zdebug tool.

Admin

On CP, do you have FW rules allowing connectivity to the remote VPN site?

Ivory

Yes, I have the rules allowing connectivity to Fortinet.

The Fortinet can successfully initiate to the Check Point because, when the Check Point is the responder, it is not picky about getting an exact match for the IKE Phase 2 subnets/Proxy-IDs proposed by the Fortinet: as long as the proposed subnets fall completely within the defined VPN domains for both peers, the Check Point will accept it.

However, when the Check Point is the initiator, the Fortinet as responder is VERY PICKY, and its subnet configuration must exactly match what is being proposed by the Check Point or it will fail. Everything, including subnet mask length, must match exactly. See my response in this thread for how to force the Check Point to propose exactly what the Fortinet wants so it will match exactly:

https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-fortigate-v5-6-and-CheckPoint-R...

Alternatively, if you are using R80.40+ on both management and gateway, there is a new capability to create user-defined VPN domains for both participating gateways on a per-community basis that will give you the granularity needed to match what the Fortinet is expecting in the Phase 2 proposal from the Check Point. You will also experience this same "picky" behavior with Juniper and SonicWall, among others.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
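To make the "lenient responder versus strict responder" explanation above concrete, here is an added example (not code from the thread, from Check Point or from Fortinet) that models Phase 2 traffic-selector (Proxy-ID) matching for both behaviours. The peer names and the deliberately wide /16 Check Point encryption domain are constructed assumptions; the two /24 subnets are the ones quoted in the thread. It generalizes the reply slightly by letting each peer hold several selectors rather than one.

```python
"""Toy model of IKE Phase 2 traffic-selector (Proxy-ID) matching.

Added example, not code from the thread or from either vendor. It models
the two responder behaviours the reply above describes:

  subset : accept a proposal whose subnets fall entirely inside the
           configured VPN domains (the lenient behaviour attributed to
           Check Point as responder)
  exact  : accept only a proposal whose subnets are identical, prefix
           length included, to the configured Phase 2 selectors (the
           strict behaviour attributed to Fortinet, Juniper, SonicWall)

Peer names and the /16 "wide" VPN domain are constructed for the example;
the two /24 subnets are the ones quoted in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, Tuple

Net = IPv4Network


@dataclass(frozen=True)
class Proposal:
    """Phase 2 selectors as sent by the initiator (its own side first)."""
    initiator_side: Net
    responder_side: Net


@dataclass(frozen=True)
class Responder:
    name: str
    own_side: Tuple[Net, ...]    # networks this responder protects
    peer_side: Tuple[Net, ...]   # networks it expects behind the peer
    policy: str                  # "subset" or "exact"

    def accepts(self, p: Proposal) -> Tuple[bool, str]:
        """Return (accepted, reason) for one Phase 2 proposal."""
        if self.policy == "exact":
            # IPv4Network equality includes the prefix length, so a /16
            # never equals a /24 with the same network address.
            ok = (p.responder_side in self.own_side
                  and p.initiator_side in self.peer_side)
            how = "identical to configured selectors"
        elif self.policy == "subset":
            ok = (any(p.responder_side.subnet_of(n) for n in self.own_side)
                  and any(p.initiator_side.subnet_of(n) for n in self.peer_side))
            how = "contained in configured VPN domains"
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        verdict = "ACCEPT" if ok else "REJECT"
        return ok, (f"{self.name} ({self.policy}): {verdict} "
                    f"{p.initiator_side} <-> {p.responder_side}; "
                    f"requires proposal {how}")


# Constructed topology. The Check Point's encryption domain is deliberately
# wider (/16) than its real LAN (/24) to reproduce the mismatch.
CP_LAN = ip_network("10.190.0.0/24")
CP_DOMAIN_WIDE = ip_network("10.190.0.0/16")   # constructed assumption
FORTI_LAN = ip_network("192.168.0.0/24")

checkpoint = Responder("CheckPoint", (CP_DOMAIN_WIDE,), (FORTI_LAN,), "subset")
fortinet = Responder("Fortinet", (FORTI_LAN,), (CP_LAN,), "exact")


def run_scenarios() -> Dict[str, bool]:
    """Replay the cases discussed in the thread; returns name -> accepted."""
    cases = {
        # Fortinet initiates with its precise /24s; Check Point answers leniently.
        "forti_to_cp": (checkpoint, Proposal(FORTI_LAN, CP_LAN)),
        # Check Point initiates and proposes its whole /16 domain; Fortinet refuses.
        "cp_to_forti_wide_domain": (fortinet, Proposal(CP_DOMAIN_WIDE, FORTI_LAN)),
        # Check Point constrained (per-subnet tunnel / user-defined domain) to the /24.
        "cp_to_forti_exact_subnet": (fortinet, Proposal(CP_LAN, FORTI_LAN)),
    }
    results = {}
    for name, (responder, proposal) in cases.items():
        ok, reason = responder.accepts(proposal)
        print(f"{name:26s} {reason}")
        results[name] = ok
    return results


if __name__ == "__main__":
    run_scenarios()
```

Running it prints one verdict per case: the Fortinet-initiated tunnel is accepted, the Check Point-initiated tunnel with the wide domain is rejected, and the same tunnel with the Check Point limited to the exact /24 is accepted. That asymmetry is exactly the one-direction symptom reported at the top of the thread, and the third case is what a per-subnet tunnel or a user-defined VPN domain is meant to achieve.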
Ivory

The remote subnet (192.168.0.X/24) and the local subnet (10.190.0.X/24) are both correctly configured with mask /24. I will try the configuration proposed in Scenario 1 of sk108600 and see if it works. My version is R80.10.
Thanks!