luk89as
Explorer

VPN S2S from CP 1550 to FG 30E: no ping

Hello,

I have a configured and active VPN tunnel between a CP 1550 and an FG 30E (Site-to-Site VPN).

The tunnel is active; from the FG I can ping and access the network on the Check Point side. However, I cannot ping from the Check Point to the Fortigate.

I have attached the firewall entries to this post.

G_W_Albrecht
Legend

Why the second Outgoing rule, with Source behind the FG and target the CP??? And I see no rules defined in Incoming & VPN traffic, so I wonder how this should work?

I would just follow the Quantum Spark 1500, 1600 and 1800 Appliance Series R80.20.25 Locally Managed Administration Guide, pp. 26ff!

luk89as
Explorer

I'm sending an additional screenshot.

I don't know how to set up static routing from the CP 1550 into the VPN.

I don't know what to enter as the next hop for the VPN in the static routing settings.

G_W_Albrecht
Legend

Just follow the admin guide; I think your manual rules are wrong... Usually no manual routing is needed, as we have a VPN community.

G_W_Albrecht
Legend

This is part of my rulebase from a 1550, normal policy, VPN working:

[screenshot: vpn.png]

luk89as
Explorer

Hello,

As you saw in the screenshot I sent, I have the same rules.

Over time, I manually added the ones you can see.

Since I can ping the Check Point network from the FG 30E side (I have access to the LAN), I insist that IKE Phase 1 and Phase 2 are OK on both sides.

It looks like the CP 1550 is not letting traffic from its LAN into the VPN tunnel; although the logs show that traffic is entering the tunnel, there is no response.

I also don't understand that I am getting an error on my VPN test.

If I had an error in the IKE Phase 1 or Phase 2 configuration, the connection would not be active and I certainly wouldn't be able to get from the FG 30E LAN to the CP 1550 network.

Timothy_Hall
Champion

When the Check Point attempts to initiate the tunnel to the Fortigate, the proposed subnets/Proxy-IDs in IKEv1 Phase 2 must PRECISELY match how the Fortigate is configured, whereas if the Fortigate initiates the tunnel, the Check Point will accept a subset of the Phase 2 subnets in lieu of a precise match and still allow the VPN tunnel to start. There have been numerous prior CheckMates threads about this; see scenario #1 of sk108600: VPN Site-to-Site with 3rd party.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
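The asymmetry described in the reply above is easy to misread in logs, because "the tunnel is up" hides which side brought it up. The following is an added example, not code from the thread or from either vendor: a small Python model of only the Phase 2 selector comparison. It assumes two responder behaviours that mirror the reply (the Fortigate requires an exact match of the proposed pair against one of its configured phase2 src/dst selectors; the Check Point accepts proposals whose subnets fall inside its encryption domains) and uses constructed subnets: a Check Point encryption domain of 192.168.0.0/16 and 10.10.0.0/24 for the remote side, and a Fortigate phase2 selector that is narrower than the Check Point object. Real IKE negotiation involves more than this comparison; the model shows only why an FG-initiated tunnel can come up while a CP-initiated one fails.

```python
"""Model of the IKEv1 Phase 2 proxy-ID asymmetry between a Check Point
gateway and a Fortigate (added example; constructed subnets)."""
import ipaddress


def _net(s):
    # strict=False lets us write host-style prefixes like 192.168.10.1/24
    return ipaddress.ip_network(s, strict=False)


def fortigate_accepts(proposed_local, proposed_remote, fg_phase2):
    """Fortigate as responder (assumed behaviour): the initiator's
    (local, remote) pair must equal one configured (dst-subnet, src-subnet)
    pair exactly. The initiator's 'local' is the Fortigate's dst-subnet."""
    pl, pr = _net(proposed_local), _net(proposed_remote)
    return any(_net(fg_dst) == pl and _net(fg_src) == pr
               for fg_src, fg_dst in fg_phase2)


def checkpoint_accepts(proposed_local, proposed_remote,
                       cp_local_domain, cp_remote_domain):
    """Check Point as responder (assumed behaviour): a proposal is accepted
    when each proposed subnet is a subset of (or equal to) a subnet in the
    corresponding encryption domain. IPv4 only; subnet_of raises on a
    version mismatch, which is itself a misconfiguration worth surfacing."""
    pl, pr = _net(proposed_local), _net(proposed_remote)
    local_ok = any(pl.subnet_of(_net(n)) for n in cp_remote_domain)
    remote_ok = any(pr.subnet_of(_net(n)) for n in cp_local_domain)
    return local_ok and remote_ok


def phase2_outcomes(cp_local_domain, cp_remote_domain, fg_phase2):
    """Which initiation direction can bring the tunnel up.

    The Check Point proposes every (local, remote) pair drawn from its two
    domains; the Fortigate proposes every configured (src, dst) selector.
    """
    cp_initiated = all(fortigate_accepts(loc, rem, fg_phase2)
                       for loc in cp_local_domain
                       for rem in cp_remote_domain)
    fg_initiated = all(checkpoint_accepts(src, dst,
                                          cp_local_domain, cp_remote_domain)
                       for src, dst in fg_phase2)
    return {"cp_initiated": cp_initiated, "fg_initiated": fg_initiated}


# Constructed scenario (hypothetical addresses, not from the thread).
CP_LOCAL_DOMAIN = ["192.168.0.0/16"]      # object the 1550 proposes as its side
CP_REMOTE_DOMAIN = ["10.10.0.0/24"]       # the Fortigate LAN as seen by the CP

# Fortigate phase2 (src-subnet, dst-subnet): dst is narrower than the CP object.
FG_PHASE2_MISMATCHED = [("10.10.0.0/24", "192.168.10.0/24")]
# Corrected selector: dst-subnet equals the Check Point encryption domain.
FG_PHASE2_MATCHED = [("10.10.0.0/24", "192.168.0.0/16")]


def diagnose(fg_phase2):
    """Human-readable verdict for a given Fortigate phase2 configuration."""
    out = phase2_outcomes(CP_LOCAL_DOMAIN, CP_REMOTE_DOMAIN, fg_phase2)
    if out["fg_initiated"] and not out["cp_initiated"]:
        return "one-way: only FG-initiated tunnel comes up (proxy-ID mismatch)"
    if out["cp_initiated"] and out["fg_initiated"]:
        return "ok: either side can initiate"
    return "broken: neither side can initiate"


if __name__ == "__main__":
    print("mismatched:", diagnose(FG_PHASE2_MISMATCHED))
    print("matched:   ", diagnose(FG_PHASE2_MATCHED))
```

With the mismatched selector the model reports that only the Fortigate can initiate, which is the symptom in this thread: the FG side reaches the CP LAN, while traffic sourced on the CP side has to initiate a tunnel the Fortigate rejects. Making the Fortigate's dst-subnet equal to the Check Point encryption-domain object (or narrowing the Check Point object to match the Fortigate) makes both directions succeed.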