I hope you are referring to a site-to-site VPN configuration between Fortigate and Checkpoint. Once you have the phase 1 and phase 2 parameter information from both peers, you can follow the below link to set up the VPN from the Fortigate end.
On the FGT side, most best practices mentioned also apply:
- create address objects for the networks to be protected, and those on the CP, to be used here:
  - in the phase2
  - in the static route
  - in the policy
This way, you only have to edit one central object to change the network definition, or add more networks.
Be careful when you need to tunnel multiple networks. Some firewalls allow the use of an address group in phase2, like the FGT. Some will only allow one phase2 definition for each network, like a Cisco ASA. Check that with CP.
Also, check if you can use IKEv2, or IKEv1 only. You need to know in advance.
All other IKE and IPsec parameters are pretty common, just make sure they match. On the FGT side, I would not offer a zillion proposals, just the one I know will be supported and be safe enough for my purposes.
The only parameter which might be difficult to implement is DPD. There are vendors who do not support this, or who support it in a different fashion.
All 3 configs mentioned above are needed before an IPsec tunnel will come up in FortiOS. Specifically, no policy - no tunnel.
And, lastly, the one Best Practice for VPNs above all: install blackhole routes for all private networks! I've been posting this several times on this forum with explanations, you might find it useful.
Great illustrations and explanation. For those who know both FGT and CP, the most important catch in configuring IPSec is that Checkpoint will not accept 0.0.0.0/0 as encryption domain from the Fortigate in its usual domain-based VPN set up. Either use specific selector(s) on Fortigate that will match what Checkpoint expects, or use route-based VPN on CP (with VTI and routes).