Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
BlueGrass
Contributor

What are the exact VPN behaviours on Security Gateway if we are using Main and aggressivemode?

Hi all,

 

I am trying to build up a VPN with Fortigate these days.

 

And find something interesting.

 

I just configure the Fortigate as Third party devices on the SMS,

put the Fortigate and my CheckPoint gateway to the same Star Community,

define both site Firewall Phase2 local and remote networks and confirm they are the same but reversed.

using the same encryption method for both Firewalls,

and set them up as the Main mode.

 

VPN is then up, but traffic is not working as expected.

No traffic can be found on Fortigate side. 

 

The debug on the Fortigate finds that

The Checkpoint comes with TWO proxy ID:

The first one: both local and remote networks
The seond one: the Checkpoint wan IP and Fortigate wan IP for the VPN buildup

Even if add one more Phase 2 on Fortigate trying to match the CheckPoint announced one, no luck.

 

Then I try to change using aggressive mode for both sites.

This time comes with only one proxy ID from the CheckPoint during Fortigate debug:

The only one ID: 0.0.0.0/0 for both local and remote

So, I follow it and change Fortigate site VPN phase 2 proxy ID to only one and is 0.0.0.0/0 as well.

 

Traffic is now good and able to pass throught the VPN.

 

I just wonder Why!?

0 Kudos
1 Reply
Chris_Atkinson
Employee Employee
Employee

VPN interop can be fun at times, some vendors are quite particular about what Proxy IDs/networks they will accept in a proposal sent by our gateways.  You will almost certainly need to make some of the changes described here: 

sk108600: VPN Site-to-Site with 3rd party.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events