Mando_92
Contributor

IPsec VPN - Problem with tunnel IP

I have an IPsec VPN between a Fortinet firewall (Fortigate 100D, version 6.2.10) and a Check Point firewall (version R81.10).
The problem I am having is the following:

In phase 2 the firewalls negotiate the subnets 172.17.1.0/24 (Check Point side) and 172.17.2.0/24 (Fortigate side). Phase 2 comes up correctly, and when connections are made from the Fortigate they succeed.

On the other hand, when the connection is initiated by Check Point, even though the tunnel 172.17.1.0/24 - 172.17.2.0/24 has been negotiated, Check Point tries to negotiate a new tunnel with the specific IP of the client that is attempting the connection. The tunnel is rejected by the Fortigate, as it is not the one agreed upon, and in the logs I receive the "no response from peer" error.

Is there a setting on the Check Point to eliminate this problem?

Thanks

2 Replies

Looks similar to sk165003: "When Security Gateway initiates VPN tunnel with 3rd Party peer using IKEv2, VPN tunnel is ..." But this has been fixed in R81. So I would suggest looking at Scenario 3 in sk108600: "VPN Site-to-Site with 3rd party".

CCSE CCTE CCSM SMB Specialist
Mando_92
Contributor

Thanks for the response!

But sk165003 and sk108600, which you indicated, are NOT the problem encountered (NAT traversal), nor is Scenario 3 of the second sk.

Although a tunnel for the entire /24 subnet has been negotiated, Check Point tries to set up a new tunnel for a specific IP belonging to that subnet.

Which configuration parameters can I use to affect this?

Thanks

*****************************************************
*****************************************************

I solved the problem by adding, on the Fortigate (encryption domain) side, the specific IP of the Check Point subnet that establishes the connections.
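To make the selector mismatch in this thread concrete, here is an added example (not from the original posts or from either vendor) that models phase 2 selector matching from the Fortigate's point of view as a responder; the client address 172.17.1.50 and the exact-match versus narrowing behaviour are assumptions made for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# A phase 2 selector pair as the responder sees it: (local network, remote network).
Selector = Tuple[str, str]


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def responder_accepts(proposal: Selector, configured: List[Selector],
                      allow_narrowing: bool = False) -> bool:
    """Would a responder configured with `configured` selectors accept `proposal`?

    allow_narrowing=False: the proposed pair must equal a configured pair exactly
    (the strict behaviour the thread describes on the Fortigate side, assumed here).
    allow_narrowing=True: the proposal may be any subset of a configured pair
    (IKEv2 traffic selector narrowing, RFC 7296 section 2.9).
    """
    p_local, p_remote = _net(proposal[0]), _net(proposal[1])
    for c_local, c_remote in configured:
        c_l, c_r = _net(c_local), _net(c_remote)
        if allow_narrowing:
            if p_local.subnet_of(c_l) and p_remote.subnet_of(c_r):
                return True
        elif p_local == c_l and p_remote == c_r:
            return True
    return False


def demo() -> Dict[str, bool]:
    """Replay the thread's scenario from the Fortigate (responder) point of view."""
    client_ip = "172.17.1.50/32"  # constructed: a host on the Check Point side
    fortigate_selectors = [("172.17.2.0/24", "172.17.1.0/24")]
    subnet_pair = ("172.17.2.0/24", "172.17.1.0/24")  # what the Fortigate proposes
    host_pair = ("172.17.2.0/24", client_ip)  # what Check Point proposes per client
    return {
        # Fortigate-initiated: the agreed subnet pair matches, the tunnel comes up.
        "subnet_pair_exact": responder_accepts(subnet_pair, fortigate_selectors),
        # Check Point-initiated: host-specific proposal, rejected under exact match.
        "host_pair_exact": responder_accepts(host_pair, fortigate_selectors),
        # The same proposal would pass if the responder narrowed selectors.
        "host_pair_narrowing": responder_accepts(host_pair, fortigate_selectors, True),
        # The thread's fix: add the specific host to the Fortigate encryption domain.
        "host_pair_after_fix": responder_accepts(
            host_pair, fortigate_selectors + [("172.17.2.0/24", client_ip)]),
    }
```

Calling `demo()` returns a dict of the four outcomes, so the "works one way, rejected the other way, accepted after the fix" pattern from the thread can be checked directly.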