Site to Site Forti - Check Point

I would suggest you to please make sure on both the ends all the IPSec parameters should be same, and also capture the packets from the below commands and then try to initiate the tunnel from Checkpoint

diag debug reset

diag debug appl ike -1

diag debug enable

You can also refer the video's at www.video.fortinet.com

Regards,

Somu

EMEA Technical Support

ede_pfau · ‎10-25-2015

hi,

the private networks behind the tunnel ends need to be different from each other - a VPN (usually) connects 2 networks. I see that you might have subnets which are partly overlapping.

But in general, you need to give more information if you expect help. First, find out how to post pictures

Which are the networks (address and network masks), which version of FortiOS, what have you configured so far - VPN parameters, setup etc. IMHO it's far too early for debugging...

Ede

"Kernel panic: Aiee, killing interrupt handler!"

amitbd · ‎10-25-2015

Hi, here my details.

Forti Debug:

http://jpg.co.il/view/562ccb9b820e5.png/

Forti Interface:

http://jpg.co.il/view/562ccbad75e4f.png/

Static Route:

http://jpg.co.il/view/562ccbc208c0c.png/

Forti Policy:

http://jpg.co.il/view/562ccbd48eaa0.png/

Vpn:

http://jpg.co.il/view/562ccbe3b1524.png/

http://jpg.co.il/view/562ccbf8cf525.png/

http://jpg.co.il/view/562ccc0642726.png/

http://jpg.co.il/view/562ccc10347a3.png/

Site Up

[link]http://jpg.co.il/view/562ccc1be5b59.png/[/link]

CheckPoint Encrypt confgiuration:

[link]http://jpg.co.il/view/562ccb415c630.png/[/link]

ede_pfau · ‎10-25-2015

(got to check that again, cannot delete my post...)

Ede

"Kernel panic: Aiee, killing interrupt handler!"

amitbd · ‎10-25-2015

Where is the Quick Mode ?

ede_pfau · ‎10-25-2015

In phase2, "Advanced..." . Set the local network plus netmask, and the remote network (behind the tunnel, the remote LAN) as well. Make sure you have these settings on the CP side as well, and identical.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

amitbd · ‎10-25-2015

This is what I did.

Phase 2 Forti

http://jpg.co.il/view/562d0351bcf4e.png/

Internal -Forti

http://jpg.co.il/view/562d036db8ac4.png/

CheckPoint Rule

http://jpg.co.il/view/562d0382c14bc.png/

LocalVpn CheckPoint

http://jpg.co.il/view/562d038e426d1.png/

Forti Network

http://jpg.co.il/view/562d03a387f11.png/

CheckPoint Internal

[link]http://jpg.co.il/view/562d03b21da51.png/[/link]

ede_pfau · ‎10-25-2015

What are the phase1 and phase2 parameters on the CP side?

From the very first screenshot it looks like the CP puts the WAN addresses into the ph2 QM selectors (whereas the FGT does it right). I would focus on this as it is the reason why the tunnel doesn't get established.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

amitbd · ‎10-25-2015

Hi,

First, thank you about your help.

I uploaded the CP phase1 and phase2 of the Site2Site

[link]http://jpg.co.il/view/562ccb415c630.png/[/link]

This is the parameters of CP phase1+2

http://jpg.co.il/view/562d398d807d1.png/

http://jpg.co.il/view/562d39bd7b626.png/

http://jpg.co.il/view/562d39cad197e.png/

In phase 2 of Forti the parameters is the lan of CP and the lan of Forti/

http://jpg.co.il/view/562d0351bcf4e.png/