This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kennyt
Explorer
‎2022-05-09 08:59 PM

Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

HI there, 

newbie here, trying to establish a IPSEC VPN to 3rd party Fortigate FW.

 

below are the logs from Fortigate as i cant find anything much from CP debug IKE.ELG log.

Phase 1 passes except Phase 2(refer to pic or below).

peer proposal is : peer:0:192.168.1.251-192.168.1.251:0, me:0:192.168.200.0-192.168.200.255:0

is the ip in red should be my lan 192.168.220.254 address to correct the issue?

tried many settings but still get there error. where should i config to get the correct peer proposal?

 

My info: 

External: 192.168.1.251, LAN: 192.168.220.254

 

Peer info:

External: 192.168.0.253, LAN: 192.168.200.1

 

 

Preview file
172 KB
0 Kudos
8 Replies
Ruan_Kotze
Advisor
‎2022-05-10 12:33 AM

Looks like the encryption domain on your gateway is blank (are you using route-based VPN's?) or is not matching what the FG expects.

One option might be to use the Encryption Domain per Community functionality, and make your encryption domain for this community contain something like 192.168.220.0/24 (assuming that's what you have configured on the FG side) and then see what the FG debugs say.  Also try disabling NAT inside the community.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-05-10 01:51 AM
In response to Ruan_Kotze

192.168.200.220.254 ???

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Ruan_Kotze
Advisor
‎2022-05-10 02:28 AM
In response to G_W_Albrecht

Good catch, corrected.  OP's LAN IP.

0 Kudos
kennyt
Explorer
‎2022-05-10 07:36 AM
In response to Ruan_Kotze

Hi, 

i'm using domain-based VPN

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-05-10 12:33 AM

See sk108600: VPN Site-to-Site with 3rd party for basic issues in CP to 3rd party VPN. I would suggest capturing the traffic and analyze using wireshark - see sk34467: Debugging Site-to-Site VPN.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
kennyt
Explorer
‎2022-05-10 02:18 AM
In response to G_W_Albrecht

HI, 

I'm actually refer to sk108600 to setup these connection 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-05-10 03:30 AM
In response to kennyt

You should rather refer to Site to Site VPN R81.10 Administration Guide p.41: VPN with Interoperable Device for configuration, sk108600 is for troubleshooting / debugging.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
kennyt
Explorer
‎2022-05-10 07:37 AM
In response to G_W_Albrecht

Hi, 

Will lookup to it. 

Thanks

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events