fcecilia
Explorer

IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

Hi!,

I have a problem creating a VPN between Check Point and Fortinet. The VPN is up, but I only have traffic (for example ping) in the direction from Fortinet towards Check Point.

The rules are correctly created, as for other community VPNs that work fine.
Do you know if there is any special configuration needed so that there is traffic on the VPN in the direction Check Point -> Fortinet?

The community VPN configuration on the Check Point is the same as the one installed with other FWs such as D-Link firewalls, and the D-Link works fine.

My Check Point model is a 5600 Appliance, running Gaia OS R80.10.

My configuration:

- Destination firewall: public IP
- IKE v1
- Main mode
- Encryption: AES
- VPN tunnel per subnet
- Local and remote networks are /24 mask

Regards.

0 Kudos
9 Replies
_Val_
Admin

Look for drop logs. If nothing, fw ctl zdebug drop. 

Also, check routes. Fortinet VPN domain should be routed to the external interface of your CP FW.

0 Kudos
fcecilia
Explorer

"Fortinet VPN domain should be routed to the external interface of your CP FW." -> This is done. Moreover, I configured an IPsec VPN between two FortiGates with the policies and routes and it works well (photo attached).

"fw ctl zdebug drop" -> I will try this command, but in the tracker window in Gaia I see the encrypted VPN packets accepted. Should I run that command outside of production? I have read that it could lower the performance of the FW.

Thanks and Regards!

0 Kudos
_Val_
Admin

You keep sending me pictures from Forti. There is no point.

If I understand you correctly, with the tunnel up, you can reach CP VPN domain from Forti side, but the opposite does not work. Is it correct?

If yes, check what happens with the traffic on the Check Point side. Is it sent to the tunnel? Is it dropped? Is it routed somewhere else, in clear text? Depending on the answer, we can point a finger at the issue and fix it.

0 Kudos
fcecilia
Explorer

The CP VPN domain is up also, but I can't ping the Fortinet subnet.

OK, I am going to run the fw ctl zdebug tool.
0 Kudos
_Val_
Admin

On CP, do you have FW rules allowing connectivity to the remote VPN site?

0 Kudos
fcecilia
Explorer

Yes, I have the rules allowing connectivity to Fortinet.
0 Kudos
oscars
Explorer

Hi, I have a similar problem with a Fortinet. I attach an image. The VPN issue is about IKE when I need to connect the Check Point to the Fortinet. I followed all instructions from "How to set up a Site-to-Site VPN with a 3rd-party remote gateway". Can you help me?

0 Kudos
Timothy_Hall
Champion

The Fortinet can successfully initiate to the Check Point because, when the Check Point is the responder, it is not picky about getting an exact match for the IKE Phase 2 subnets/Proxy-IDs proposed by the Fortinet: as long as the proposed subnets fall completely within the defined VPN domains for both peers, the Check Point will accept it.

However, when the Check Point is the initiator, the Fortinet as the responder is VERY PICKY and its subnet configuration must exactly match what is being proposed by the Check Point or it will fail. Everything, including subnet mask length, must match exactly. See my response in this thread for how to force the Check Point to propose exactly what the Fortinet wants so it will match exactly:

https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-fortigate-v5-6-and-CheckPoint-R...

Alternatively, if you are using R80.40+ on both management and gateway, there is a new capability to create user-defined VPN domains for both participating gateways on a per-community basis, which will give you the granularity needed to match what the Fortinet is expecting in the Phase 2 proposal from the Check Point. You will also experience this same "picky" behavior with Juniper and SonicWall, among others.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
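As an added illustration of the matching asymmetry Timothy_Hall describes (example code written for this edit, not from the thread or from either vendor): a small model of the two responder behaviours, run over the subnets the original poster names. The lenient/strict rules and the way the Check Point derives its proposals from the VPN domains are simplified assumptions, not vendor code.

```python
"""Model of IKE Phase 2 selector (Proxy-ID) matching, simplified (assumption):
- Check Point as responder accepts a proposal whose subnets lie completely
  inside both configured VPN domains.
- Fortinet as responder needs an exact (local, remote) selector match,
  mask length included.
"""
from ipaddress import ip_network
from typing import Dict, Iterable, Tuple

# A proposal as seen by the responder: (responder-local subnet, remote subnet).
Proposal = Tuple[object, object]


def checkpoint_responder_accepts(proposal: Proposal, cp_domain: Iterable[str],
                                 peer_domain: Iterable[str]) -> bool:
    """Lenient check: proposed subnets only have to fall within the VPN domains."""
    local, remote = proposal
    cp_nets = [ip_network(n) for n in cp_domain]
    peer_nets = [ip_network(n) for n in peer_domain]
    return (any(local.subnet_of(n) for n in cp_nets)
            and any(remote.subnet_of(n) for n in peer_nets))


def fortinet_responder_accepts(proposal: Proposal,
                               phase2_selectors: Iterable[Tuple[str, str]]) -> bool:
    """Strict check: the proposal must equal a configured phase2 selector pair."""
    return any(proposal == (ip_network(l), ip_network(r)) for l, r in phase2_selectors)


def diagnose(cp_domain: Iterable[str], forti_domain: Iterable[str],
             forti_selectors: Iterable[Tuple[str, str]]) -> Dict[str, bool]:
    """Which direction can bring up a Phase 2 SA?
    cp_domain / forti_domain: subnets as defined in the Check Point community.
    forti_selectors: (local, remote) pairs from the Fortinet's point of view."""
    forti_selectors = list(forti_selectors)
    # Fortinet initiates: its (local, remote) pair is (remote, local) for the Check Point.
    forti_to_cp = any(
        checkpoint_responder_accepts((ip_network(r), ip_network(l)), cp_domain, forti_domain)
        for l, r in forti_selectors)
    # Check Point initiates: assume one proposal per (local, remote) subnet pair,
    # taken verbatim from the VPN domains; the Fortinet sees it as (remote, local).
    cp_to_forti = any(
        fortinet_responder_accepts((ip_network(r), ip_network(l)), forti_selectors)
        for l in cp_domain for r in forti_domain)
    return {"forti_to_cp": forti_to_cp, "cp_to_forti": cp_to_forti}


if __name__ == "__main__":
    forti = [("192.168.0.0/24", "10.190.0.0/24")]  # constructed from the thread's subnets
    print(diagnose(["10.190.0.0/24"], ["192.168.0.0/24"], forti))  # both directions work
    print(diagnose(["10.190.0.0/16"], ["192.168.0.0/24"], forti))  # only Forti -> CP works
```

With the Check Point VPN domain defined as a wider /16 than the /24 the Fortinet expects, the model reproduces the one-direction symptom: the Check Point still accepts the Fortinet's /24 proposal, but its own /16 proposal is rejected.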
fcecilia
Explorer

The remote subnet (192.168.0.X/24) and the local subnet (10.190.0.X/24) are correctly configured with a /24 mask on both. I will try the configuration proposed in Scenario 1 of sk108600 and see if it works. My version is R80.10.
Thanks!
0 Kudos