IPSEC VPN to checkpoint with dynamic IP and certificate auth

You need to setup a peer and apply that in the cfg on the fortios 

[ike 0:VPN_COL_CENTRAL:18: peer cert, subject='remotegteway.mydomain', issuer='My Root CA' ike 0:VPN_COL_CENTRAL:18: peer ID does not match cert ike 0:VPN_COL_CENTRAL:18: certificate validation failed

]

The above is telling you when validating the remote-peer, that the cert is not valid.

Checkout this in this blog I wrote 

http://socpuppet.blogspot.com/2020/04/strongswan-to-forticlient-with-rsa.html

{ it's strongswan but the concept is the same }

Go down to the bottom where it explains how to do the "config user peer". I would extract the CN from the chkp certificate and set the cn value to match on that  and obvious the root-CA needs to be imported into the fortios.

Go into the chkp sec-gw and look at. the IPSEC_VPN and find the internal_ca ( that's typically the default name ) and extract the details to use in the fortios device. look at the DN . It should be in a format 

Subject:CN=<checkpoint_blah_blah VPN Certificate>, O=clustername

HINT: to make it easier overall, enroll and sign a csr on the checkpoint using the internal_ca < ipsec vpn ,  Add > and use that in the FGT. It would make life much easier. Forcepoint ( aka stonegate works pretty much the same  fwiw ) 

Also when building the vpn-community,  DO NOT set a PSK  in that field. just leave it blank.  You can also grab a pcap once you id the wan interface and extract the details to see what is happening if you still see failures or use ikeview

e.g

  tcpdump -s0 -w ike.pcap -i eth0.199 port 500 or 4500 

I hope that helps, let us know what you encounter. Maybe one day I will write a post on my blog on how to accomplish all of the above , but it's pretty much straight forward 1-2-3 

Ken Felix