Kind of in a jam and need to get a tunnel up and running in short order. To make it worse, it's a non-Check Point firewall with a dynamic outside interface. Now, in the Juniper SRX world we accomplished this using aggressive mode.
One side is a large Check Point cluster running R80.10. Obviously the outside interface has a static IP.
On the other side is a small Fortinet 60E-POE that will be in someone's house. The WAN interface plugs into a Frontier DSL modem (ARRIS). The WAN interface will get a 192.168 address and be NAT'ed when it goes to the Internet.
I need a route-based VPN setup between these two. Anyone done anything similar? Have any guidance? Thanks.
I believe it'll require a certificate-based setup between peers:
I was able to get the tunnel up. Had to create a certificate in the Check Point PKI, export it and import it into the Fortinet device. Also had to run the below solution to change what the CP presents as the peer ID when it connects.
(PS: I didn't have to reboot as it says, just had to run the below.)
Command will be “source $CPDIR/tmp/.CPprofile.sh”
I had to import the Check Point CA cert into the Fortinet and add the Subject as CN = MyFirewallCertificate Name.
Anyway, now P1 and P2 are up but I'm having a routing issue. I have a route that points the 192.168.0.0/16 network inside, but the external VPN network is 192.168.51.0/24. Since this is a more specific route it should take precedence, but traffic is ping-ponging: hitting the firewall and then being sent back in. I didn't create a specific static route as I assumed the connected VPN would create a dynamic one.
Any pointers on how to troubleshoot?
I believe that even if /24 is a more specific route, it is not necessarily a preferred one over "Connected" route.
Try modifying the topology of your gateway by creating a Network Group with Exclusions, (create two simple groups in advance, one containing 192.168.0.0/16 network and the other one containing 192.168.51.0/24):

And see if this'll do the trick.
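The suggestion above is about the encryption domain, not the routing table: as long as the gateway's own topology claims all of 192.168.0.0/16, the peer's 192.168.51.0/24 is simultaneously "local" and "remote", which is exactly the ping-pong the original poster describes. The following is an added example, not code from this thread or from Check Point; it models the effect of a Network Group with Exclusions with Python's standard `ipaddress` module, using the two networks from the thread as constructed inputs, and classifies destination addresses before and after the exclusion so the overlap is visible.

```python
import ipaddress
from typing import Iterable, List

# Constructed from the thread: the /16 routed inside the gateway and the
# remote peer's /24, which lies inside that /16.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
REMOTE_VPN_NET = ipaddress.ip_network("192.168.51.0/24")


def domain_with_exclusions(include: ipaddress.IPv4Network,
                           exclude: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Carve `exclude` out of `include`, the way a Network Group with
    Exclusions narrows the gateway's encryption domain.

    address_exclude() yields the minimal set of CIDR blocks covering
    `include` minus `exclude`; removing a /24 from a /16 leaves 8 blocks.
    """
    if not exclude.subnet_of(include):
        return [include]          # nothing to carve out
    return sorted(include.address_exclude(exclude))


def classify(dst: str,
             local_domain: Iterable[ipaddress.IPv4Network],
             remote_domain: Iterable[ipaddress.IPv4Network]) -> str:
    """Decide how a gateway treats traffic to `dst` given both domains.

    'overlap' means both the local topology and the peer's domain claim the
    address, so clear-text routing and the tunnel compete for the same packet.
    """
    addr = ipaddress.ip_address(dst)
    in_local = any(addr in net for net in local_domain)
    in_remote = any(addr in net for net in remote_domain)
    if in_local and in_remote:
        return "overlap"
    if in_remote:
        return "encrypt"          # belongs to the peer: send through the tunnel
    if in_local:
        return "local"            # behind this gateway: forward in clear text
    return "route"                # neither domain: ordinary routing decision


def compare_topologies(dst: str) -> dict:
    """Show the same destination under the broken and the fixed topology."""
    broken_local = [INTERNAL_NET]
    fixed_local = domain_with_exclusions(INTERNAL_NET, REMOTE_VPN_NET)
    return {
        "before": classify(dst, broken_local, [REMOTE_VPN_NET]),
        "after": classify(dst, fixed_local, [REMOTE_VPN_NET]),
        "local_blocks_after_fix": [str(n) for n in fixed_local],
    }


if __name__ == "__main__":
    for host in ("192.168.51.10", "192.168.10.5", "10.0.0.1"):
        print(host, compare_topologies(host))
```

Running it shows 192.168.51.10 classified as "overlap" with the plain /16 topology and as "encrypt" once the /24 is excluded, while hosts elsewhere in the /16 stay "local". The same check is worth repeating whenever a peer's encryption domain is a subnet of your own.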
Thank you very much, that actually worked in resolving the routing issue. The tunnel was actually up for a while and traffic was working in one direction. I believe it was probably some policy problem that wasn't getting it to work in the other direction. Now for some reason I don't understand the tunnel is failing to authenticate again. It's during the certificate authentication phase on the Fortinet side.
Validating X.509 certificate
peer cert, subject='CP-PROD VPN Certificate', issuer='-G-V'
peer ID does not match cert
certificate validation failed
We did the steps where you edit the .CPProfile.sh and instruct the firewall to send the FQDN as the peer ID. Not sure if that helped or not.
Any other assistance is greatly appreciated. Thanks.
Hi Copper,
Can you guide me on how you configured the VPN between SRX and Check Point? On our SRX routers we configured aggressive mode with pre-shared keys, but we're not sure which object in Check Point goes with this. We have tried an interoperable device, but if we select dynamic address it only accepts certificate-based VPN. We are kind of stuck at this stage..
Thanks..
Adnan
We do not support the use of pre-shared keys with a dynamic IP site-to-site VPN endpoint; certificate authentication must be used in this case.
Can you please direct me to a document describing the configuration for certificate-based site-to-site VPN with a third-party vendor (FortiGate in our case)? It seems I'm not able to find related documentation..