This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fcecilia
Explorer
‎2020-03-24 01:28 AM

IPsec Checkpoint R80.10 and Fortinet issue. Only traffic in one direction.

Hi!,

 

I have a problem creating a VPN between checkpoint and fortinet. The VPN is up but I only have traffic (for example ping) in the direction of Fortinet towards checkpoint.

The rules is well created as other community VPNs that work fine.
Do you know if there is any special configuration so that there is traffic on the VPN in the direction Checkpoint-> Fortinet?

The community VPN configuration of the checkpoint is the same as that installed with other FWs such as Dlinks firewalls and Dlink works fine.

My checkpoint model is 5600 Appliance, running 80.10 Gaia SO.

My configuration:

-Destination firewallL: IP public

-Ike v1

-main mode

-encryption AES.

-VPN tunnel per subnet

- local and remote network are /24 mask

 

Regards.

Preview file
3 KB
0 Kudos
9 Replies
_Val_
Admin
Admin
‎2020-03-24 03:57 AM

Look for drop logs. If nothing, fw ctl zdebug drop. 

Also, check routes. Fortinet VPN domain should be routed to the external interface of your CP FW.

0 Kudos
fcecilia
Explorer
‎2020-03-24 04:18 AM
In response to _Val_

 

Fortinet VPN domain should be routed to the external interface of your CP FW. -> This is done moreover, I configure IPSEC vpn between two fortis with the policies and routes and it works well. (attach photo).

 

fw ctl zdebug drop -> I will try this command but in the tracert window Gaia I get the packets with encrypted VPN accepted. Should I run that command out of production?I have read that it could lower the performance of the Fw.

Thanks and Regards!

 

 

Preview file
35 KB
0 Kudos
_Val_
Admin
Admin
‎2020-03-24 04:41 AM
In response to fcecilia

You keep sending me pictures from Forti. There is no point.

If I understand you correctly, with the tunnel up, you can reach CP VPN domain from Forti side, but the opposite does not work. Is it correct?

If yes, check what happens with the traffic on Check Point side. Is it sent to the tunnel? Is it dropped? Is it routed somewhere else, clear text? Depending on the answer, we can point a finger to the issue and fix 

0 Kudos
fcecilia
Explorer
‎2020-03-24 05:11 AM
In response to _Val_

CP VPN domain is up also but I cant ping to fortinet subnet.

Ok I going to run fw ctl zdebug tool.
0 Kudos
_Val_
Admin
Admin
‎2020-03-24 05:48 AM
In response to fcecilia

On CP, do you have FW rules allowing connectivity to the remote VPN site?

0 Kudos
fcecilia
Explorer
‎2020-03-25 02:30 AM
In response to _Val_

Yes, I have the rules allowing connectivity to Fortinet.
0 Kudos
oscars
Explorer
‎2021-11-08 02:50 PM
In response to _Val_

Hi, I have a similar problem with a fortinet. Attach you an image. The VPN issue is about IKE when I need connect the checkpoint to Fortinet. I followed all instructions from How to set up a Site-to-Site VPN with a 3rd-party remote gateway. Can you help me?

Preview file
218 KB
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-03-24 08:34 AM

The Fortinet can successfully initiate to the Check Point because when the Check Point is the responder it is not picky about getting an exact match for the IKE Phase 2 subnets/Proxy-IDs proposed by the Fortinet, as long as the proposed subnets fall completely within the defined VPN domains for both peers the Check Point will accept it.

However when the Check Point is the initiator, as the responder the Fortinet is VERY PICKY and its subnets configuration must exactly match what is being proposed by the Check Point or it will fail.  Everything including subnet mask length must match exactly.  See my response in this thread for how to force the Check Point to propose exactly what the Fortinet wants so it will match exactly:

https://community.checkpoint.com/t5/General-Topics/IPsec-VPN-between-fortigate-v5-6-and-CheckPoint-R...

Alternatively, if you are using R80.40+ on both management and gateway, there is a new capability to create user-defined VPN domains for both participating gateways on a per-community basis that will give you the granularity needed to match what the Fortinet is expecting in the Phase 2 proposal from the Check Point.  You will also experience this same "picky" behavior with Juniper and Sonicwall among others.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
fcecilia
Explorer
‎2020-03-25 02:29 AM
In response to Timothy_Hall

The remote subnet (192.168.0.X/24) and the local subnet (10.190.0.X/24) are correctly configured with mask / 24 both. I will try to do the configuration proposed in Scenario 1 of sk108600 and see if it works. My version is R80.10.
Thanks!
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events