Dannу
Contributor

Best Practice: How to setup a VPN between FortiGate & Check Point

Hello Fortinet Community,

Q: In your best practice, what are the steps to set up a FortiGate Check Point VPN?

stekue
New Contributor II

For the first step I'd recommend filling out a VPN setup sheet with your VPN partner and agreeing on the settings.

See here: VPN setup sheet template

DanielM
New Contributor

Cool! What would be the next step?

Henny
New Contributor II

As a next step I'd personally recommend starting with the configuration of the Check Point.

In Check Point SmartConsole you have to create an Interoperable Device (your FortiGate).

New > Network Object > More > Interoperable Device

There you have to fill in information like the WAN-IP of your FortiGate.

And the local subnet you want to tunnel from the FortiGate to the Check Point under “Topology”.

I would generally advise you to create Network Objects for both your Check Point local subnet and your FortiGate local subnet that should be reachable via VPN.
Best practice: Use object names that are self-explanatory.

New > Network

Best practice: Create a host Object with the IP of the WAN interface of your Check Point, in case the main IP of your Check Point Object is the internal IP address. This object can be used in the rulebase when configuring access rules.

New > Host

Dannу

@Henny: Hi Hendrik, thanks for the best practices!

I guess the next step is to create a VPN community object within Check Point's SmartConsole and then head over to the FortiGate and configure the VPN there as well?

YannicS
New Contributor II

Yes, securely configure the VPN Community, install the Security Policy on your Check Point VPN Gateway and you should see the VPN Tunnel in the monitoring with status: Down. After completing the VPN configuration on your FortiGate, the VPN Tunnel should go up.

Henny
New Contributor II

That’s right @Dannу.

Before you create a VPN Community, make sure that the IPsec VPN Blade is enabled on your Check Point.

General Properties > Network Security > IPsec VPN

Next step is to create a new VPN Community. (This can be either Star or Mesh VPN)

New > More > VPN Community > Star Community

Best practice: Use a name that is self-explanatory.

Select your two Gateways with the Check Point as the Center Gateway and the FortiGate as the Satellite Gateway.

Select the correct encryption parameters you exchanged with your partner. 

Set the shared secret.

Set the correct IKE/IPsec renegotiation times and toggle NAT according to your setup.

After you have saved the configuration, you are able to check the state of your VPN tunnel with a SmartConsole Extension, where you will see that the tunnel is down because you haven't configured your FortiGate yet.

MarEng
New Contributor II

Thanks for the detailed guideline!
I'm looking forward to the FortiGate configuration part.

stekue
New Contributor II

Hi @MarEng,

For the next step you have to configure the VPN on the FortiGate using the custom VPN template. First select a name:

VPN > IPsec Wizard

Enter the Remote Gateway's IP address and the outgoing interface.

Enter the Pre-shared Key you agreed upon as well as the IKE version.

For Phase 1 select the Encryption and Authentication you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.

For Phase 2 enter the Local and Remote Address space.

Under Advanced options you can select the Encryption and Authentication method you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.

In the next step you add new Address objects under
Policy & Objects > Addresses > Create New > Address

For your local subnet:

and for the remote subnet:

For the remote WAN:

And for your local WAN:

You can also add Address Groups if you want to add them to the Firewall Policies instead of the direct Subnets.

Add a static route for your remote subnet pointing to the VPN-Tunnel Interface.
Network > Static Routes > Create New

Add another static route, this time pointing to the Blackhole interface.

The last step is to add firewall policies to allow the VPN traffic to pass through.
Add new policies under Policy & Objects > Firewall Policy > Create New

First for the traffic going to the VPN tunnel from the port of your subnet. In this case, NAT is not required.

Then for the traffic coming from the VPN tunnel going to the port of your destination subnet. In this case, NAT is not required either.

After that, monitor your VPN tunnel. To check your VPN tunnel health you have to add a new dashboard widget called IPsec under
Dashboard > Status > Add Widget

Now you are able to check the Phase 1 and Phase 2 status.

You can then test the connection with a simple ping. Phase 2 should be brought up automatically, provided Phase 1 has been brought up properly.

After this you can check on your FortiGate and Check Point whether the tunnel was successfully brought up.

On the Check Point you're able to check the state of your VPN tunnel with a SmartConsole Extension, where you are able to see that this tunnel is up too.

Dannу

Thanks, this is really helpful!
Any VPN troubleshooting best practices to know?
