Good Day,
I am struggling with an IPsec tunnel between a CP device and a Fortinet device, using AES-256, SHA256 and Group 19 for both Phase 1 and Phase 2, yet I get the above error. This is the first time I am doing an IPsec tunnel between the two devices; would anyone be able to advise me as to what the problems could be?
Hey mate,
Any luck with this today?
Andy
Hey,
Waiting on Fortinet's side for the routing, to see if we don't have to do NAT anymore; the tunnel has been up since your help.
Thank you
Glad we could help you. By the way, since I don't solely rely on what SV Monitor says, I always check tunnels either via vpn tu or the commands below (just replace the peer IP):
vpn tu list peer_ike ip-addr
vpn tu list peer_ipsec ip-addr
Also, you can see the script below.
Andy
Seeing this using vpn tu list peer_ipsec:
IKEv2 SA <2cd47b8f8aa26545,7c083f976be72321>
INBOUND:
1. 0x7796ce33 (i: 3)
OUTBOUND:
1. 0x17ebb514 (i: 3)
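Reading that output programmatically, as an added example that is not part of the thread and not a Check Point tool: the parser below is written against the exact layout shown above (one IKEv2 SA line, then INBOUND and OUTBOUND SPI lists) and treats a peer as healthy only when an IKE SA and at least one SPI in each direction are present. The sample text is a constructed copy of the output above plus a constructed half-built case; other Gaia versions may format `vpn tu list` differently, so the regexes are an assumption.

```python
# Added example, not from the thread: parse "vpn tu list peer_ipsec <ip>"
# output (layout as posted above) and decide whether the peer has a usable
# IKE SA plus inbound AND outbound IPsec SAs. The regexes assume that layout.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample, copied from the layout shown in the thread.
SAMPLE_UP = """IKEv2 SA <2cd47b8f8aa26545,7c083f976be72321>
INBOUND:
1. 0x7796ce33 (i: 3)
OUTBOUND:
1. 0x17ebb514 (i: 3)
"""

# Constructed sample of a half-built tunnel: IKE negotiated, no outbound SA.
SAMPLE_HALF = """IKEv2 SA <2cd47b8f8aa26545,7c083f976be72321>
INBOUND:
1. 0x7796ce33 (i: 3)
OUTBOUND:
"""

IKE_RE = re.compile(r"IKEv(\d)\s+SA\s+<([0-9a-fA-F]+),([0-9a-fA-F]+)>")
DIR_RE = re.compile(r"^\s*(INBOUND|OUTBOUND):\s*$", re.I)
SPI_RE = re.compile(r"^\s*\d+\.\s+(0x[0-9a-fA-F]+)")


@dataclass
class PeerState:
    ike_version: int = 0
    ike_spis: List[Tuple[str, str]] = field(default_factory=list)  # (SPIi, SPIr)
    ipsec: Dict[str, List[str]] = field(
        default_factory=lambda: {"INBOUND": [], "OUTBOUND": []})


def parse_peer_ipsec(text: str) -> PeerState:
    """Walk the output line by line, tracking which direction block we are in."""
    state = PeerState()
    direction = None
    for line in text.splitlines():
        m = IKE_RE.search(line)
        if m:
            state.ike_version = int(m.group(1))
            state.ike_spis.append((m.group(2).lower(), m.group(3).lower()))
            direction = None
            continue
        m = DIR_RE.match(line)
        if m:
            direction = m.group(1).upper()
            continue
        m = SPI_RE.match(line)
        if m and direction:
            state.ipsec[direction].append(m.group(1).lower())
    return state


def tunnel_up(state: PeerState) -> bool:
    """A tunnel carries traffic only with an IKE SA and an SA in BOTH directions."""
    return bool(state.ike_spis) and bool(state.ipsec["INBOUND"]) and bool(state.ipsec["OUTBOUND"])


def missing(state: PeerState) -> List[str]:
    """Name what is absent, for a monitoring alert message."""
    gaps = []
    if not state.ike_spis:
        gaps.append("IKE SA")
    for d in ("INBOUND", "OUTBOUND"):
        if not state.ipsec[d]:
            gaps.append(f"{d} IPsec SA")
    return gaps


if __name__ == "__main__":
    for name, txt in (("up", SAMPLE_UP), ("half", SAMPLE_HALF)):
        st = parse_peer_ipsec(txt)
        print(name, "OK" if tunnel_up(st) else "missing: " + ", ".join(missing(st)))
```

In practice you would feed `parse_peer_ipsec` the captured stdout of `vpn tu list peer_ipsec <peer-ip>` from a cron job on the gateway; an inbound SPI with no outbound one (or the reverse) is exactly the half-open state a "tunnel up" light in a GUI can hide.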
Promising sign my friend 🙂
Andy
If I had access to the Fortinet it would be so much easier than waiting 1 to 24 hours for a response each time.
Well, I get it, but I can tell you MANY way worse things in life... like not having electricity for 7 days lol. I'm sure they will confirm.
Andy
Lol, oh I know, I live in South Africa, we are always having power issues.
South Africa, I had seen many other issues there too, sadly :-(. Anyway, keep us posted, hope all this has a positive outcome.
Andy
So we can hit the Fortigate gateway when before we couldn't; now it's just that if I try to hit a server behind the Forti gateway, the packet leaves the CP GW and then gets lost, with no responses.
Sounds like that's something on their end.
Have them do this, from the site below my colleague created a while back.
Andy
- just replace the IP address
# IPv4 flow trace; the "...6" forms of these commands (filter6, start6, stop6) are the IPv6 equivalents
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter addr 2.2.2.2
diagnose debug flow trace start 50
diagnose debug enable
From the Forti gateway
To the Forti gateway, something is stopping the communication to Forti
Can you see any drops on CP with zdebug?
Andy
I don't get any logs on zdebug using:
fw ctl zdebug + drop | grep 41.21.231.203
I would have them do those debug flows.
Andy
Just to let you know, we got the IPsec tunnel up and working after I got hold of a Fortinet technician to assist on their side.
Can you share with the community what exactly was fixed? Any technical details?
Mainly, the traffic selectors were incorrect on the Fortinet's side, along with the gateway configuration: instead of using the IPs that we were trying to get to communicate, they were terminating the connection on the firewall side. Rules had to be reconfigured, along with ensuring multiple traffic selectors weren't enabled.
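A model of what that selector mismatch does to reachability, as an added example that is not part of the thread and not Check Point or Fortinet code. It is a deliberately simplified version of IKEv2 traffic-selector agreement (RFC 7296 section 2.9, prefixes only, no ports or protocols): a CHILD_SA only exists for the (local, remote) pairs both peers accept, so if the FortiGate's phase 2 "local" is its own WAN address rather than the LAN behind it, the firewall itself is reachable but hosts behind it never get an SA, which is the symptom described earlier in the thread. All addresses are constructed RFC 5737 documentation ranges and the selector lists are hypothetical.

```python
# Added example, not from the thread: a simplified model of IKEv2 traffic-
# selector agreement (RFC 7296 section 2.9, subnets only, no ports/protocols)
# to show why a peer can be "up" while hosts behind it stay unreachable.
# All addresses are constructed RFC 5737 documentation ranges.
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Optional, Tuple

Selector = Tuple[IPv4Network, IPv4Network]  # (local, remote) from the owner's point of view


def overlap(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Intersection of two prefixes; CIDR blocks either nest or are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(initiator: Iterable[Selector], responder: Iterable[Selector]) -> List[Selector]:
    """Selector pairs both peers accept, expressed from the initiator's side.

    The initiator's local must fall inside something the responder calls
    remote, and the initiator's remote inside something the responder calls
    local; everything else is narrowed away and gets no CHILD_SA."""
    agreed: List[Selector] = []
    for i_local, i_remote in initiator:
        for r_local, r_remote in responder:
            loc = overlap(i_local, r_remote)
            rem = overlap(i_remote, r_local)
            if loc is not None and rem is not None:
                agreed.append((loc, rem))
    return agreed


def covered(src: str, dst: str, sas: Iterable[Selector]) -> bool:
    """Does a src->dst packet match any agreed selector (i.e. get encrypted)?"""
    s, d = IPv4Address(src), IPv4Address(dst)
    return any(s in loc and d in rem for loc, rem in sas)


# Check Point side (initiator, hypothetical): local LAN 192.0.2.0/24, remote
# encryption domain containing both the Forti LAN and the Forti WAN address.
CP_SELECTORS: List[Selector] = [
    (IPv4Network("192.0.2.0/24"), IPv4Network("198.51.100.0/24")),
    (IPv4Network("192.0.2.0/24"), IPv4Network("203.0.113.1/32")),
]
# FortiGate before the fix (hypothetical): phase 2 "local" is the firewall's
# own WAN address, so only traffic terminating on the firewall is agreed.
FORTI_BEFORE: List[Selector] = [(IPv4Network("203.0.113.1/32"), IPv4Network("192.0.2.0/24"))]
# FortiGate after the fix (hypothetical): phase 2 "local" is the LAN behind it.
FORTI_AFTER: List[Selector] = [(IPv4Network("198.51.100.0/24"), IPv4Network("192.0.2.0/24"))]


def reachability(forti: Iterable[Selector]) -> Dict[str, bool]:
    """Which destinations a CP LAN host can reach through the agreed SAs."""
    sas = narrow(CP_SELECTORS, forti)
    return {
        "gateway": covered("192.0.2.10", "203.0.113.1", sas),   # the Forti itself
        "server": covered("192.0.2.10", "198.51.100.20", sas),  # a host behind it
    }


if __name__ == "__main__":
    print("before:", reachability(FORTI_BEFORE))  # gateway True, server False
    print("after: ", reachability(FORTI_AFTER))   # server True
```

The model assumes each side proposes one selector per subnet pair; Check Point's tunnel-management setting (one tunnel per gateway pair, per subnet pair, or per host pair) changes what the gateway actually proposes, and a supernetted proposal against a narrower Forti selector is where the "exclude the WAN GW IP from the encryption domain" advice later in the thread comes from.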
Excellent, thanks for letting us know.
Andy
What CP device is that? GAiA? Version? Jumbo?
Check Point 3800, GAiA R81.10, Build 335, Kernel 3.10.0
Did you review sk108600: VPN Site-to-Site with 3rd party? I had a Forti once where the customer had to exclude the WAN GW IP from the Enc Domain to make it work. I would ask CP TAC for help!