Dim134267
Explorer

Site to Site VPN Issue (Checkpoint to Fortigate)

Dear All,

Good day,

For the past 6 months I have been experiencing an issue with a VPN tunnel I have between two offices: Site A has a Checkpoint 1550 (R81.10.17) and site B has a Fortigate 80F (7.4.5 Build 2702). Users from site A need access to site B in order to access programs and folders they need (nothing special). Even though I have checked the configuration on both machines numerous times, and even though the tunnel appears to be active from both sides, I can't reach site A from site B and vice versa (ping, traceroute, RDP). The funny thing is that the problem fixes itself some of the time, either randomly or due to a reboot of the machines. I am not that familiar with firewalls in general, and that is why I came here to seek assistance from the experts. I can provide you with any information you might need that will lead to a permanent solution.

Awaiting yours.

11 Replies
PhoneBoy
Admin

There should be corresponding log entries on both ends that correlate with the drops, which I suspect are caused by misconfigured settings on one or both ends.
This behavior, absent further details, sounds like the various timers are set differently on both ends; they need to agree.

General VPN debugging on the Check Point side: https://support.checkpoint.com/results/sk/sk180488 
Common issues with Check Point and other vendors: https://support.checkpoint.com/results/sk/sk108600 

Dim134267
Explorer

Many thanks for the prompt reply. What logs would assist you? From which module should I draw the logs?

0 Kudos
the_rock
Legend

Hey @Dim134267 

We are here to help, no worries. I have done many FGT to CP tunnels, so I'm fairly familiar with that subject. For starters, lots of people may just leave the fgt side as universal, 0.0.0.0/0. Is that how it's configured? What about the cp end? Is tunnel management in the vpn community set per subnet, gw or host?

Any relevant logs you can share?

Andy

0 Kudos
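As an added illustration of the two things raised above (PhoneBoy: the timers on both ends must agree; Andy: a universal 0.0.0.0/0 selector on the FortiGate side versus per-subnet tunnel management on the Check Point side), here is a small Python checker. It is not part of this thread and not vendor tooling from Check Point or Fortinet; the dataclass layout, the parameter values and the 10.1.0.0/24 and 10.2.0.0/24 ranges are constructed assumptions that you would replace with what each device's IKE phase 1 / phase 2 pages actually show.

```python
"""Compare the IKE/IPsec settings of two site-to-site VPN peers and list what disagrees.

Constructed example: the dataclasses and sample values below are assumptions for
illustration, not exported configuration from a real Check Point or FortiGate.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Phase1:
    ike_version: int
    encryption: str
    integrity: str
    dh_group: int
    lifetime_s: int


@dataclass
class Phase2:
    encryption: str
    integrity: str
    pfs_group: Optional[int]   # None means PFS disabled on this side
    lifetime_s: int
    local_nets: List[str]      # networks behind this gateway
    remote_nets: List[str]     # networks behind the peer, as this gateway sees them


@dataclass
class Endpoint:
    name: str
    p1: Phase1
    p2: Phase2


P1_FIELDS = ("ike_version", "encryption", "integrity", "dh_group", "lifetime_s")
P2_FIELDS = ("encryption", "integrity", "pfs_group", "lifetime_s")


def _norm(value):
    """Make 'aes-256' and 'AES256' compare equal; leave numbers and None alone."""
    if isinstance(value, str):
        return value.lower().replace("-", "").replace("_", "")
    return value


def parameter_mismatches(a: Endpoint, b: Endpoint) -> List[str]:
    """Field-by-field comparison of phase 1 and phase 2 proposals, timers included."""
    out = []
    for phase, fields in (("p1", P1_FIELDS), ("p2", P2_FIELDS)):
        pa, pb = getattr(a, phase), getattr(b, phase)
        for f in fields:
            va, vb = getattr(pa, f), getattr(pb, f)
            if _norm(va) != _norm(vb):
                out.append(f"{phase}.{f}: {a.name}={va} {b.name}={vb}")
    return out


def _covered(nets: List[str], by: List[str]) -> bool:
    """Every network in `nets` lies inside some network of the same IP version in `by`."""
    containers = [ipaddress.ip_network(n) for n in by]
    return all(
        any(n.version == c.version and n.subnet_of(c) for c in containers)
        for n in map(ipaddress.ip_network, nets)
    )


def selector_mismatches(a: Endpoint, b: Endpoint) -> List[str]:
    """What one side calls local, the other must call remote, and the sets should mirror exactly."""
    out = []
    for src, dst in ((a, b), (b, a)):
        if not _covered(src.p2.local_nets, dst.p2.remote_nets):
            out.append(f"{src.name} local {src.p2.local_nets} not covered by "
                       f"{dst.name} remote {dst.p2.remote_nets}")
    mirrored = (sorted(a.p2.local_nets) == sorted(b.p2.remote_nets)
                and sorted(a.p2.remote_nets) == sorted(b.p2.local_nets))
    if not mirrored:
        # A wider selector on one end means each side proposes a different SA; the tunnel
        # then tends to pass traffic only when the narrower side is the initiator.
        out.append("traffic selectors are not mirror images of each other")
    return out


def diagnose(a: Endpoint, b: Endpoint) -> List[str]:
    return parameter_mismatches(a, b) + selector_mismatches(a, b)


# Constructed sample values (assumptions, not taken from the devices in this thread).
CHECKPOINT = Endpoint("cp", Phase1(2, "aes-256", "sha256", 14, 86400),
                      Phase2("aes-256", "sha256", 14, 3600, ["10.1.0.0/24"], ["10.2.0.0/24"]))
FORTIGATE_AS_FOUND = Endpoint("fgt", Phase1(2, "aes256", "sha256", 14, 28800),
                              Phase2("aes256", "sha256", None, 3600, ["0.0.0.0/0"], ["0.0.0.0/0"]))
FORTIGATE_CORRECTED = Endpoint("fgt", Phase1(2, "aes256", "sha256", 14, 86400),
                               Phase2("aes256", "sha256", 14, 3600, ["10.2.0.0/24"], ["10.1.0.0/24"]))

if __name__ == "__main__":
    for finding in diagnose(CHECKPOINT, FORTIGATE_AS_FOUND):
        print("MISMATCH:", finding)
    print("after correction:", diagnose(CHECKPOINT, FORTIGATE_CORRECTED) or "no mismatches")
```

Running it against the constructed "as found" pair reports the phase 1 lifetime, the PFS setting and the selector asymmetry; the corrected pair reports nothing. The point of the mirror check is the symptom described in the first post: when the selectors are not identical, whether the tunnel passes traffic can depend on which side happened to initiate last, which is exactly the "fixes itself after a reboot" pattern.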
Dim134267
Explorer

Many thanks for the prompt reply.

Where do I check if the fgt or the cp side is universal?

Also, regarding the tunnel management where can I see how it is configured?

Finally, what kind of logs would assist you?

the_rock
Legend

Any logs related to this tunnel, i.e. you can search for the external IP of the fortigate in the logs. I attached 2 screenshots of what I meant for the tunnel.

Andy

0 Kudos
Jonatan_Frei
Explorer

👏

0 Kudos
the_rock
Legend

I have a fully licensed Fortigate in the lab, so I can test a bunch of this stuff.

Andy

0 Kudos
Danny
Champion

@Dim134267 : Your description sounds familiar. The issue fixes itself when the other side establishes the VPN tunnel. Looks like only one of your VPN gateways is able to establish the VPN successfully.

I've created a HowTo for proper VPN configuration between a Check Point and a FortiGate. Enjoy.

Dim134267
Explorer

Dear Danny,

Many thanks for the detailed answer. I will try to follow the instructions you have given and let you know the result.

But the issue I have is that I don't know how to access the SmartConsole; I only have access to the main hub of the FW. Is it the same?

0 Kudos
Danny
Champion

@Dim134267 : I see that you are locally managing a Check Point SMB 1550 Appliance via its Embedded Gaia WebUI. That's not the same as centralized management via SmartConsole, so you'll need to adapt the shown steps to your local WebUI configuration.

0 Kudos
Dim134267
Explorer

Dear Danny

Below you will find the current configuration of the firewalls.

From the WebGUI I don't know which logs to download in order to send you the file and assist further.

Attachments: CHECK 3.png, FG 1.jpg, FG 2.jpg, FG 3.jpg, CHECK 1.png, CHECK 2.png

0 Kudos
