IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.
Hi!
I have a problem creating a VPN between Check Point and Fortinet. The VPN is up, but I only have traffic (for example ping) in the direction from the Fortinet towards the Check Point.
The rules are well created, as for other community VPNs that work fine.
Do you know if there is any special configuration so that there is traffic on the VPN in the direction Check Point -> Fortinet?
The community VPN configuration of the Check Point is the same as that used with other FWs such as D-Link firewalls, and the D-Link works fine.
My Check Point model is a 5600 Appliance, running Gaia OS R80.10.
My configuration:
- Destination firewall: public IP
- IKEv1
- Main mode
- Encryption: AES
- VPN tunnel per subnet
- Local and remote networks are /24
Regards.
Look for drop logs. If nothing, fw ctl zdebug drop.
Also, check routes. Fortinet VPN domain should be routed to the external interface of your CP FW.
"Fortinet VPN domain should be routed to the external interface of your CP FW." -> This is done. Moreover, I configured an IPsec VPN between two Fortis with the policies and routes, and it works well (photo attached).
"fw ctl zdebug drop" -> I will try this command, but in the Gaia tracker window I see the packets accepted with VPN encryption. Should I run that command outside of production? I have read that it could lower the performance of the FW.
Thanks and regards!
You keep sending me pictures from Forti. There is no point.
If I understand you correctly, with the tunnel up, you can reach CP VPN domain from Forti side, but the opposite does not work. Is it correct?
If yes, check what happens with the traffic on the Check Point side. Is it sent to the tunnel? Is it dropped? Is it routed somewhere else, in clear text? Depending on the answer, we can point a finger at the issue and fix it.
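To make the "is it dropped?" check concrete, the following is an added example (not from the thread and not Check Point tooling) that parses `fw ctl zdebug drop` style lines and counts the drops for one subnet pair by whether they came from the security rulebase or from the VPN encryption path. The sample lines are constructed to approximate the shape of zdebug drop output, so check the regular expression against what your gateway actually prints; the kernel function names and reason strings in the sample are assumptions, and the subnets are sample values.

```python
"""Triage of fw ctl zdebug drop output for one VPN subnet pair (added example)."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Assumed rough shape of a zdebug drop line (real output varies by version):
# ;[cpu_N];[fw4_M];fw_log_drop_ex: Packet proto=P SRC:PORT -> DST:PORT dropped by FUNC Reason: TEXT;
DROP_RE = re.compile(
    r"Packet proto=(?P<proto>\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+"
    r"dropped by (?P<func>\S+)\s+Reason:\s*(?P<reason>[^;]+)"
)

# Constructed sample output: two ICMP echo drops in the VPN path, one SSH drop by
# the rulebase, and one unrelated DNS drop that has nothing to do with the tunnel.
SAMPLE_ZDEBUG = """\
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 10.10.0.15:8 -> 192.168.50.20:0 dropped by vpn_encrypt_chain Reason: No valid SA;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 10.10.0.15:8 -> 192.168.50.20:0 dropped by vpn_encrypt_chain Reason: No valid SA;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 10.10.0.15:51022 -> 192.168.50.20:22 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 172.16.9.4:53123 -> 8.8.8.8:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
"""


def parse_drops(text: str) -> List[Dict[str, str]]:
    """Extract proto/src/dst/function/reason from every line that looks like a drop."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops.append(m.groupdict())
    return drops


def classify(func: str, reason: str) -> str:
    """Bucket a drop by where in the gateway it happened."""
    if func.startswith("vpn_") or "SA" in reason.split():
        return "vpn"       # reached the VPN code but was not encrypted (no SA, selector mismatch, ...)
    if "Rulebase" in reason:
        return "rulebase"  # security policy drop: look at the rule number and its VPN column
    return "other"


def triage(text: str, local_net: str, remote_net: str) -> Counter:
    """Count drops for traffic leaving local_net towards remote_net, by category."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    counts: Counter = Counter()
    for d in parse_drops(text):
        if ipaddress.ip_address(d["src"]) in local and ipaddress.ip_address(d["dst"]) in remote:
            counts[classify(d["func"], d["reason"])] += 1
    return counts


if __name__ == "__main__":
    # On a gateway you would feed the saved output of fw ctl zdebug drop instead
    # of the constructed sample; the local and remote nets are the two /24s of the tunnel.
    print(dict(triage(SAMPLE_ZDEBUG, "10.10.0.0/24", "192.168.50.0/24")))
```

An empty result for the local->remote pair while pings still fail means the packets are not being dropped by the gateway at all, which points at routing (the "routed somewhere else, in clear text" case) rather than at the policy or the tunnel.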
OK, I am going to run the fw ctl zdebug tool.
On CP, do you have FW rules allowing connectivity to the remote VPN site?
Hi, I have a similar problem with a Fortinet. I am attaching an image. The VPN issue is about IKE when I need to connect the Check Point to the Fortinet. I followed all the instructions from "How to set up a Site-to-Site VPN with a 3rd-party remote gateway". Can you help me?
The Fortinet can successfully initiate to the Check Point because, when the Check Point is the responder, it is not picky about getting an exact match for the IKE Phase 2 subnets/Proxy-IDs proposed by the Fortinet: as long as the proposed subnets fall completely within the defined VPN domains for both peers, the Check Point will accept it.
However when the Check Point is the initiator, as the responder the Fortinet is VERY PICKY and its subnets configuration must exactly match what is being proposed by the Check Point or it will fail. Everything including subnet mask length must match exactly. See my response in this thread for how to force the Check Point to propose exactly what the Fortinet wants so it will match exactly:
Alternatively, if you are using R80.40+ on both management and gateway, there is a new capability to create user-defined VPN domains for both participating gateways on a per-community basis that will give you the granularity needed to match what the Fortinet is expecting in the Phase 2 proposal from the Check Point. You will also experience this same "picky" behavior with Juniper and Sonicwall among others.
now available at maxpowerfirewalls.com
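A small model of the responder-side behaviour described in the reply above, added here as an illustration; it is not code from the original post, from Check Point or from Fortinet. It simplifies the two matching rules the reply describes: a Check Point responder accepts any proposed selector pair that falls inside the VPN domains it holds for itself and for the peer, while a Fortinet responder accepts only a pair that exactly equals one of its configured Phase 2 selectors, mask length included. All subnets are constructed sample values, and the assumed Check Point proposal (one selector pair per local subnet and remote domain entry) stands in for the "tunnel per subnet" setting the original poster uses; real gateways also negotiate ciphers, PFS and lifetimes, which this model leaves out.

```python
"""Model of IKEv1 Phase 2 selector matching as responder (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network
# A Phase 2 selector pair as the responder sees it:
# (network behind the initiator, network behind the responder)
Proposal = Tuple[Net, Net]


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=True)


def inside_domain(n: Net, domain: Iterable[Net]) -> bool:
    """True if n is fully contained in at least one subnet of the domain."""
    return any(n.subnet_of(d) for d in domain)


def checkpoint_responder_accepts(proposal: Proposal, own_domain: List[Net],
                                 peer_domain: List[Net]) -> bool:
    """Simplified Check Point responder: containment in both VPN domains is enough."""
    behind_initiator, behind_responder = proposal
    return (inside_domain(behind_responder, own_domain)
            and inside_domain(behind_initiator, peer_domain))


def fortinet_responder_accepts(proposal: Proposal,
                               phase2_selectors: List[Tuple[Net, Net]]) -> bool:
    """Simplified Fortinet responder: exact match against configured (local, remote) selectors."""
    behind_initiator, behind_responder = proposal
    return any(local == behind_responder and remote == behind_initiator
               for local, remote in phase2_selectors)


def scenario(remote_domain_on_checkpoint: str) -> dict:
    """Try both directions for one definition of the Fortinet's VPN domain on the Check Point."""
    cp_domain = [net("10.10.0.0/24")]                  # constructed: subnet behind the Check Point
    forti_lan = net("192.168.50.0/24")                 # constructed: subnet behind the FortiGate
    forti_phase2 = [(forti_lan, cp_domain[0])]         # Fortinet phase2 selectors: local <-> remote
    forti_domain_on_cp = [net(remote_domain_on_checkpoint)]

    # Fortinet initiates: proposes its own LAN against the Check Point subnet.
    forti_to_cp = checkpoint_responder_accepts(
        (forti_lan, cp_domain[0]), own_domain=cp_domain, peer_domain=forti_domain_on_cp)

    # Check Point initiates: assumed to propose one pair per local subnet and
    # remote domain entry (tunnel per subnet pair); every pair must be accepted.
    cp_to_forti = all(
        fortinet_responder_accepts((local, remote), forti_phase2)
        for local in cp_domain for remote in forti_domain_on_cp)

    return {"forti_to_cp": forti_to_cp, "cp_to_forti": cp_to_forti}


if __name__ == "__main__":
    # Remote domain defined too wide on the Check Point (/23 instead of the Fortinet's /24).
    print("/23 on CP:", scenario("192.168.50.0/23"))
    # Remote domain matching the Fortinet selector exactly.
    print("/24 on CP:", scenario("192.168.50.0/24"))
```

`scenario("192.168.50.0/23")` reproduces the symptom in the thread: the Fortinet-initiated negotiation is accepted by the Check Point because a /24 fits inside the /23, but the Check Point-initiated proposal carries the /23 and the Fortinet rejects it. Narrowing the remote domain entry to `192.168.50.0/24` makes both directions succeed, which is the exact-match fix the reply points to.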
Thanks!