This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GSecurity
Participant
3 weeks ago

IPSEC to Fortigate

Good afternoon everyone,

 

I am stuck in a tunnel between Fortigate and Checkpoint Spark, phase 1 is not able to negotiate. In this case, the Fortigate has a static public IP and the checkpoint has a blocked IP. At the checkpoint end we are configuring the Peer ID since I understand that it is common to use it in these scenarios but from the checkpoint I do not see how to enter this Peer 

ftg2.jpg

Please help me with this question, I am almost sure that this is why phase 1 is not working.

Thanks

0 Kudos
9 Replies
the_rock
Legend
Legend
3 weeks ago

Hey bro,

I think we went through this last week, you still cant find that field in smb appliance? By the way, you should really be using ikev2, not ikev1.

Just saying.

Andy

0 Kudos
Lesley
Leader Leader
Leader
3 weeks ago

What is a blocked IP? What settings are under peer options? What does the log show in check point? local mgmt or central mgmt?

Also change these encryption methods while you are at it. 3DES is not safe and a real performance killer, esp in p2. 

Diffie-hellmangroup 14 atleast

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
GSecurity
Participant
3 weeks ago
In response to Lesley

These logs show me in the Fortigate firewall

ike 0:VPN-to-Puno:5057: sent IKE msg (P1_RETRANSMIT): 200.123.xx.xx:500->38.25.17.199:40743, len=168, vrf=0, id=2a7536062b1a05e5/30120e08f9e90f75
ike 0: comes 38.25.17.199:40743->200.123.xx.xx:500,ifindex=7,vrf=0....
ike 0: IKEv1 exchange=Informational id=2a7536062b1a05e5/30120e08f9e90f75:1f0fe142 len=40 vrf=0
ike 0: in 2A7536062B1A05E530120E08F9E90F750B1005001F0FE142000000280000000C0000000001000004
ike 0:VPN-to-Puno: HA state master(2)
ike 0:VPN-to-Puno:5057: ignoring unsupported INFORMATIONAL message 0.
ike 0:VPN-to-Puno:5057: out 2A7536062B1A05E530120E08F9E90F750110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800100058002000480030001800B0001000C000400015180800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN-to-Puno:5057: sent IKE msg (P1_RETRANSMIT): 200.123.xx.xx:500->38.25.17.199:40743, len=168, vrf=0, id=2a7536062b1a05e5/30120e08f9e90f75
ike 0: comes 38.25.17.199:40743->200.123.xx.xx:500,ifindex=7,vrf=0....
ike 0: IKEv1 exchange=Informational id=2a7536062b1a05e5/30120e08f9e90f75:341962f8 len=40 vrf=0
ike 0: in 2A7536062B1A05E530120E08F9E90F750B100500341962F8000000280000000C0000000001000004
ike 0:VPN-to-Puno: HA state master(2)
ike 0:VPN-to-Puno:5057: ignoring unsupported INFORMATIONAL message 0.
ike ::ffff:104.140.188.58 truncated control message 0 16 0
ike 0:VPN-to-Puno:5057: negotiation timeout, deleting
ike 0:VPN-to-Puno: connection expiring due to phase1 down
ike 0:VPN-to-Puno: deleting
ike 0:VPN-to-Puno: deleted
ike shrank heap by 135168 bytes

0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to GSecurity

This clearly tells you why its failing...

Andy

ike 0:VPN-to-Puno:5057: ignoring unsupported INFORMATIONAL message 0.
ike ::ffff:104.140.188.58 truncated control message 0 16 0
ike 0:VPN-to-Puno:5057: negotiation timeout, deleting
ike 0:VPN-to-Puno: connection expiring due to phase1 down

0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to GSecurity

@GSecurity Did you do debug on CP side?

Andy

0 Kudos
Lesley
Leader Leader
Leader
3 weeks ago
In response to GSecurity

I mean Check Point logs / debugs. These are far more superior 😉 

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
(1)
GSecurity
Participant
3 weeks ago
In response to Lesley

These are the phase 1 and 2 configurations for both ends

Preview file
111 KB
Preview file
140 KB
Lesley
Leader Leader
Leader
3 weeks ago
In response to GSecurity

From the screenshot I cannot see why it should not work. 

From security point of view. Enable PFS on both sides with minial diffiehellmangroup 14 or higher (not 2)

Same please for p1. Second change the aes-128 to aes-256 on p1 and p2 and you are good. 

What do the logs show if you filter on remote public IP you see anything comming in? 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to GSecurity

Do basic debugs on both ends.

CP:

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

check vpnd and ike files in $FWDIR/logs

FGT:

diag debug app ike -1

diag debug enable

-check what comes up on the screen, messages are usually easy to "decipher" as far as the issue

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955

Just run di de di command once done, though on Fortigate thats usually not even needed to disable the debug, as they are so light, if you left them on for some time, nothing would happen to the box, though by default, they stop after 30 mins, just to save cpu/memory resources.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events