Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
kennyt
Explorer

Checkpoint v80.40 IPSEC VPN with 3rd party Fortigate Firewall

HI there, 

newbie here, trying to establish a IPSEC VPN to 3rd party Fortigate FW.

 

below are the logs from Fortigate as i cant find anything much from CP debug IKE.ELG log.

Phase 1 passes except Phase 2(refer to pic or below).

peer proposal is : peer:0:192.168.1.251-192.168.1.251:0, me:0:192.168.200.0-192.168.200.255:0

is the ip in red should be my lan 192.168.220.254 address to correct the issue?

tried many settings but still get there error. where should i config to get the correct peer proposal?

 

My info: 

External: 192.168.1.251, LAN: 192.168.220.254

 

Peer info:

External: 192.168.0.253, LAN: 192.168.200.1

 

 

0 Kudos
8 Replies
Ruan_Kotze
Advisor

Looks like the encryption domain on your gateway is blank (are you using route-based VPN's?) or is not matching what the FG expects.

One option might be to use the Encryption Domain per Community functionality, and make your encryption domain for this community contain something like 192.168.220.0/24 (assuming that's what you have configured on the FG side) and then see what the FG debugs say.  Also try disabling NAT inside the community.

0 Kudos
G_W_Albrecht
Legend
Legend

192.168.200.220.254 ???

CCSE CCTE SMB Specialist
0 Kudos
Ruan_Kotze
Advisor

Good catch, corrected.  OP's LAN IP.

0 Kudos
kennyt
Explorer

Hi, 

i'm using domain-based VPN

0 Kudos
G_W_Albrecht
Legend
Legend

See sk108600: VPN Site-to-Site with 3rd party for basic issues in CP to 3rd party VPN. I would suggest capturing the traffic and analyze using wireshark - see sk34467: Debugging Site-to-Site VPN.

CCSE CCTE SMB Specialist
0 Kudos
kennyt
Explorer

HI, 

I'm actually refer to sk108600 to setup these connection 

0 Kudos
G_W_Albrecht
Legend
Legend

You should rather refer to Site to Site VPN R81.10 Administration Guide p.41: VPN with Interoperable Device for configuration, sk108600 is for troubleshooting / debugging.

CCSE CCTE SMB Specialist
0 Kudos
kennyt
Explorer

Hi, 

Will lookup to it. 

Thanks

0 Kudos