Good afternoon everyone,
I am stuck with a tunnel between a Fortigate and a Check Point Spark; phase 1 is not able to negotiate. In this case the Fortigate has a static public IP and the Check Point has a blocked IP. At the Check Point end we are configuring the Peer ID, since I understand that it is common to use it in these scenarios, but on the Check Point I do not see how to enter this Peer
Please help me with this question, I am almost sure that this is why phase 1 is not working.
Thanks
Hey bro,
I think we went through this last week, you still can't find that field in the SMB appliance? By the way, you should really be using IKEv2, not IKEv1.
Just saying.
Andy
What is a blocked IP? What settings are under peer options? What does the log show in Check Point? Local mgmt or central mgmt?
Also change these encryption methods while you are at it. 3DES is not safe and a real performance killer, esp. in P2.
Diffie-Hellman group 14 at least.
These are the logs the Fortigate firewall shows me:
ike 0:VPN-to-Puno:5057: sent IKE msg (P1_RETRANSMIT): 200.123.xx.xx:500->38.25.17.199:40743, len=168, vrf=0, id=2a7536062b1a05e5/30120e08f9e90f75
ike 0: comes 38.25.17.199:40743->200.123.xx.xx:500,ifindex=7,vrf=0....
ike 0: IKEv1 exchange=Informational id=2a7536062b1a05e5/30120e08f9e90f75:1f0fe142 len=40 vrf=0
ike 0: in 2A7536062B1A05E530120E08F9E90F750B1005001F0FE142000000280000000C0000000001000004
ike 0:VPN-to-Puno: HA state master(2)
ike 0:VPN-to-Puno:5057: ignoring unsupported INFORMATIONAL message 0.
ike 0:VPN-to-Puno:5057: out 2A7536062B1A05E530120E08F9E90F750110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800100058002000480030001800B0001000C000400015180800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN-to-Puno:5057: sent IKE msg (P1_RETRANSMIT): 200.123.xx.xx:500->38.25.17.199:40743, len=168, vrf=0, id=2a7536062b1a05e5/30120e08f9e90f75
ike 0: comes 38.25.17.199:40743->200.123.xx.xx:500,ifindex=7,vrf=0....
ike 0: IKEv1 exchange=Informational id=2a7536062b1a05e5/30120e08f9e90f75:341962f8 len=40 vrf=0
ike 0: in 2A7536062B1A05E530120E08F9E90F750B100500341962F8000000280000000C0000000001000004
ike 0:VPN-to-Puno: HA state master(2)
ike 0:VPN-to-Puno:5057: ignoring unsupported INFORMATIONAL message 0.
ike ::ffff:104.140.188.58 truncated control message 0 16 0
ike 0:VPN-to-Puno:5057: negotiation timeout, deleting
ike 0:VPN-to-Puno: connection expiring due to phase1 down
ike 0:VPN-to-Puno: deleting
ike 0:VPN-to-Puno: deleted
ike shrank heap by 135168 bytes
This clearly tells you why it's failing...
Andy
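The raw hex in the Fortigate's "in" and "out" lines is the complete ISAKMP packet, so it can be decoded to see exactly what each side sent rather than relying on the one-line summary. Added example, not from the thread or either vendor: a small IKEv1 decoder run over the two packets quoted above; its lookup tables are constructed from the RFC 2408 / IANA IKEv1 registries and cover only what this capture uses.

```python
# Added example, not from the thread: decode the raw ISAKMP (IKEv1) bytes that FortiGate's
# 'ike ... in' / 'out' debug lines print, using the two packets copied from the log above.
import struct
# Constructed lookups: only the slice of the IANA IKEv1 registries this capture needs.
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational"}
PAYLOAD = {1: "SA", 11: "Notification", 13: "Vendor ID"}
NOTIFY = {4: "INVALID-COOKIE", 14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
ATTR = {1: "encryption", 2: "hash", 3: "auth", 4: "dh_group", 11: "life_type", 12: "life"}
NAMES = {"encryption": {5: "3DES", 7: "AES-CBC"}, "hash": {4: "SHA2-256"}, "dh_group": {2: "modp1024", 14: "modp2048"}}
def parse_attributes(data):
    """Transform attributes (RFC 2408 3.3): TV form if the top bit is set, else TLV."""
    attrs, off = {}, 0
    while off < len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        if atype & 0x8000:                      # TV: the 16-bit value is in place
            attrs[ATTR.get(atype & 0x7FFF, atype & 0x7FFF)], off = val, off + 4
        else:                                   # TLV: 'val' is the value length
            attrs[ATTR.get(atype, atype)] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs

def decode(hexdump):
    """Return exchange type, message ID and the decoded payload chain of one ISAKMP packet."""
    pkt = bytes.fromhex(hexdump)
    nxt, _ver, xchg, _flags, msgid, length = struct.unpack_from("!BBBBII", pkt, 16)
    if length != len(pkt):                      # a truncated debug line would fail here
        raise ValueError(f"header says {length} bytes, captured {len(pkt)}")
    result, off = {"exchange": EXCHANGE.get(xchg, xchg), "msgid": msgid, "payloads": []}, 28
    while nxt:                                  # payload chain ends at next-payload 0
        np, _, plen = struct.unpack_from("!BBH", pkt, off)
        body, entry = pkt[off + 4:off + plen], {"type": PAYLOAD.get(nxt, nxt)}
        if nxt == 11:                           # Notification: DOI(4) proto(1) spi_size(1) type(2)
            ntype = struct.unpack_from("!H", body, 6)[0]
            entry["notify"] = NOTIFY.get(ntype, ntype)
        elif nxt == 1:                          # SA: DOI+situation, Proposal, first Transform
            t = 16 + body[14]                   # skip the proposal's SPI, if any
            tlen = struct.unpack_from("!H", body, t + 2)[0]
            entry["transform"] = a = parse_attributes(body[t + 8:t + tlen])
            entry["summary"] = "/".join(str(NAMES[k].get(a[k], a[k])) for k in NAMES)
        result["payloads"].append(entry)
        nxt, off = np, off + plen
    return result
# Copied from the debug above: the peer's reply ('in') and our Main Mode message 1 ('out').
PEER_REPLY = "2A7536062B1A05E530120E08F9E90F750B1005001F0FE142000000280000000C0000000001000004"
OUR_MSG1 = ("2A7536062B1A05E530120E08F9E90F750110020000000000000000A8"    # ISAKMP header
            "0D00003800000001000000010000002C010100010000002401010000"    # SA, proposal, transform
            "800100058002000480030001800B0001000C00040001518080040002"    # transform attributes
            "0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE00000000"
            "0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000")
```

On this capture, `decode(PEER_REPLY)` shows the peer's Informational message carrying notify type 4 (INVALID-COOKIE), and `decode(OUR_MSG1)` shows the retransmitted message 1 proposing 3DES / SHA2-256 / pre-shared key with DH group 2 and an 86400 s lifetime, which is exactly the proposal the advice above asks to change.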
ike 0:VPN-to-Puno:5057: ignoring unsupported INFORMATIONAL message 0.
ike ::ffff:104.140.188.58 truncated control message 0 16 0
ike 0:VPN-to-Puno:5057: negotiation timeout, deleting
ike 0:VPN-to-Puno: connection expiring due to phase1 down
I mean Check Point logs / debugs. These are far superior 😉