Nickel

VPN - Check Point and Fortigate

Jump to solution

Hi all,

#Site A Check Point R80 (At the moment I can't confirm if R80.10,20,30..)
#Site B Fortigate

Reports of the VPN keep showing loads of errors with "Quick Mode Received Notification from Peer: invalid spi"

It's not every time, so with it being intermittent I have ensured both Sites have the same Encryption settings, and the Phase 1 and Phase 2 timers are definitely set to the same time/interval.

What else could be checked? Or what else do you guys who may have seen this before think it could be?

I don't have much more information at the moment, but I would like to arm myself with some potential solutions or scenarios to troubleshoot.


Thanks

0 Kudos
1 Solution

Accepted Solutions
8 Replies
Nickel
Thanks - I'll get Solution #7 attempted 1st of all.
0 Kudos
Nickel

The suggestion most related to the error they're getting is to create a No-NAT rule. However in the VPN community in R80 you can opt to tick the option "Disable NAT within the VPN community" - Wouldn't this perform the same action?

Note: I've also suggested trying SHA256 instead of SHA1, and to not use PFS.


Thank you

0 Kudos

Hi @beneaton,

Use following settings:

Phase 1:
- Main Mode (not aggressive mode)
- AES-256 / SHA256
- Use max. DH group 5 (not higher)

Phase 2
- Do not use PFS
- AES256 / SHA256

This always works with CP R80.30 latest JHF and Fortigate 5.4, 5.6, 6.0, 6.2.

Nickel
Hi Heiko,

Thanks for the reply.

PFS is set to Group 2 as well as the DH group in Phase 1. I'll ask them to test without PFS set (removed from both Sides).

Thanks again,
Ben
0 Kudos
Employee+

I remember handling a similar case in which this error came up and it turned out that somehow the database contained 2 objects with the same IP (VPN peer IP).

I know this is somewhat strange, however it is worth checking.

 

HTH

Uri

0 Kudos

Hi,

CP receives that message from the FG?
Then you could do on the FG

diagnose debug reset
diagnose vpn ike log filter dst-addr4 <ext. IP of CP gw>
diagnose debug app ike -1
diagnose debug console timestamp enable
diagnose debug enable

after testing, disable and reset debugs

diagnose debug reset
diagnose debug disable

Cheers
Vincent

and now to something completely different
0 Kudos

Assuming you've already verified the SA Lifetimes, ensure that the Fortigate is not using a data lifesize or tunnel idle timer. It sounds like the Fortigate is expiring the tunnel early for some reason. Also make sure DPD is disabled on the Fortigate unless you have explicitly enabled it on the Check Point side.

Also be aware that during Quick Mode Phase 2 negotiations the Fortigate is just like Juniper in that it is very picky about the subnets/Proxy-IDs it will accept. The proposal must exactly match the subnets/Proxy-IDs configured on the Fortigate; unlike Cisco and Check Point, it will refuse a proposal that is a subset of what is configured.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
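An added example, not from anyone in this thread, that models the Proxy-ID behaviour described in the reply above: a responder using exact matching (the FortiGate/Juniper behaviour) refuses a Phase 2 proposal that is merely a subset of a configured Proxy-ID pair, while a subset-tolerant responder (Check Point/Cisco behaviour) accepts it. The Proxy-ID pairs and proposals are constructed for illustration and are not from the original post.

```python
"""Quick Mode Proxy-ID matching: exact vs subset acceptance (constructed example)."""
from ipaddress import ip_network


def _net(cidr):
    # strict=True rejects host bits in a prefix, e.g. 10.20.5.1/24
    return ip_network(cidr, strict=True)


def proposal_matches(configured, proposal, policy="exact"):
    """Return the configured (local, remote) pair that admits the proposal, or None.

    configured: list of (local_cidr, remote_cidr) Proxy-ID pairs on the responder.
    proposal:   (local_cidr, remote_cidr) as seen from the responder's side.
    policy:     "exact"  - selectors must equal a configured pair (FortiGate/Juniper style)
                "subset" - selectors may lie inside a configured pair (Check Point/Cisco style)
    """
    p_local, p_remote = (_net(s) for s in proposal)
    for pair in configured:
        c_local, c_remote = (_net(s) for s in pair)
        if policy == "exact":
            ok = p_local == c_local and p_remote == c_remote
        elif policy == "subset":
            ok = p_local.subnet_of(c_local) and p_remote.subnet_of(c_remote)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if ok:
            return pair
    return None


def explain(configured, proposal):
    """Which responder behaviours would accept this proposal (diagnostic helper)."""
    return {
        "exact": proposal_matches(configured, proposal, "exact") is not None,
        "subset": proposal_matches(configured, proposal, "subset") is not None,
    }


# Constructed: the FortiGate side has one Proxy-ID pair configured; the Check Point
# side proposes either the identical pair or a narrower /24 inside the local /16.
FORTIGATE_PROXY_IDS = [("10.20.0.0/16", "192.168.50.0/24")]

if __name__ == "__main__":
    for prop in [("10.20.0.0/16", "192.168.50.0/24"),
                 ("10.20.5.0/24", "192.168.50.0/24")]:
        print(prop, explain(FORTIGATE_PROXY_IDS, prop))
```

When a proposal reports `{"exact": False, "subset": True}`, the selectors on the Check Point side need to be widened (or the FortiGate Proxy-IDs narrowed) until both sides agree on identical pairs.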