Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
John_Stoker
New Contributor II

Checkpoint to FortiGate

Has anyone ever been able to get a successful site-to-site VPN between any Checkpoint and any FortiGate on any code??? We've got a Checkpoint NG R60 HA cluster trying to connect to a FortiGate 200A on 3.0 code. We know where the problem lies: a mismatch between the FortiGate QUICK MODE SELECTOR and what Checkpoint calls the ENCRYPTION DOMAIN. Doing a diag debug en and a diag debug app ike 99 shows the problem. The Checkpoint wants to show a single source and destination host for the Quick Mode/Encryption Domain, but the FG wants to see a subnet, not just a host, because there are multiple hosts that will be using the VPN. In the CLI you can specify groups of hosts using addresses and groups rather than subnets. This may work, but we have been unsuccessful in our attempts. Has anyone been able to get this to work??? Here's what we're seeing on the mismatch when we specify subnets and they specify hosts:

```
fg-box # diag debug app ike 99
fg-box # 0: comes 110.110.110.254->77.77.77.1,ifindex=2....
0: Exchange=32 Message=0xC59B2C56 len=164
0: checking fg-cp-vpn 77.77.77.1 -> 110.110.110.254:500
0:fg-cp-vpn: phase1 found
0:fg-cp-vpn:1845: received payloads HASH SA NONCE ID ID
0:fg-cp-vpn:1845: responder received first quick-mode message
0:fg-cp-vpn:1850: peer proposal is: peer:110.110.110.34, me:77.77.77.0/255.255.255.0, ports=0/0, protocol=0/0
0:fg-cp-vpn:1850: trying fg-cp-vpn-p2
0:fg-cp-vpn:1850: specified selectors mismatch fg-cp-vpn:
- remote: type=7/7, ports=0/0, protocol=0/0
0:fg-cp-vpn:1850: local=77.77.77.0-77.77.77.255, remote=110.110.110.34-110.110.110.34
0:fg-cp-vpn:1850: - mine: type=7/7, ports=0/0, protocol=0/0
0:fg-cp-vpn:1850: local=77.77.77.0-77.77.77.255, remote=110.110.110.0-110.110.110.255
0:fg-cp-vpn:1850: no matching phase2 found
Negotiate SA Error: Peer's id payloads do not match local policy. [530]
0:fg-cp-vpn:1845: sending INFO message INVALID_ID_INFORMATION to peer
0:fg-cp-vpn:1845: send IKE Packet(Info Mode):77.77.77.254:500(if2) -> 110.110.110.254:500, len=68
0:fg-cp-vpn:1845: transmitted 68 bytes
fg-cp-vpn: Responder: parsed 110.110.110.254 quick mode message #1 (ERROR)
0:fg-cp-vpn:1850: delete state
```

Most importantly:

```
0:fg-cp-vpn:1850: local=77.77.77.0-77.77.77.255, remote=110.110.110.34-110.110.110.34
0:fg-cp-vpn:1850: - mine: type=7/7, ports=0/0, protocol=0/0
0:fg-cp-vpn:1850: local=77.77.77.0-77.77.77.255, remote=110.110.110.0-110.110.110.255
0:fg-cp-vpn:1850: no matching phase2 found
Negotiate SA Error: Peer's id payloads do not match local policy. [530]
```

Any help would be appreciated. Thanks,
John CISSP, FCNSP Advance
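As an added example (not from the post and not Fortinet code), here is a small Python parser for the selector-mismatch lines of the `diag debug app ike` output above. It pulls out the peer's proposed ranges and the FortiGate's own phase 2 selector, collapses each range to CIDR, and reports that the peer's single host sits inside the local /24 but is not an exact match, which is what IKEv1 quick mode requires before it will build the SA. The sample lines are copied from the post; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample: the selector-mismatch lines from the FortiGate
# "diag debug app ike" output quoted in the post (same addresses as the post).
SAMPLE_DEBUG = """\
0:fg-cp-vpn:1850: peer proposal is: peer:110.110.110.34, me:77.77.77.0/255.255.255.0, ports=0/0, protocol=0/0
0:fg-cp-vpn:1850: trying fg-cp-vpn-p2
0:fg-cp-vpn:1850: specified selectors mismatch fg-cp-vpn:
- remote: type=7/7, ports=0/0, protocol=0/0
0:fg-cp-vpn:1850: local=77.77.77.0-77.77.77.255, remote=110.110.110.34-110.110.110.34
0:fg-cp-vpn:1850: - mine: type=7/7, ports=0/0, protocol=0/0
0:fg-cp-vpn:1850: local=77.77.77.0-77.77.77.255, remote=110.110.110.0-110.110.110.255
0:fg-cp-vpn:1850: no matching phase2 found
"""

# A "local=a-b, remote=c-d" line as printed by the FortiGate IKE daemon.
RANGE_RE = re.compile(
    r"local=(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+), "
    r"remote=(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)"
)


def parse_selector_ranges(debug_text):
    """Return (peer_selector, mine_selector), each a dict of inclusive IP ranges.

    The range line that follows "- remote:" is the peer's proposal and the one
    that follows "- mine:" is the FortiGate's configured phase 2 selector.
    """
    result = {}
    current = None
    for line in debug_text.splitlines():
        if "- remote:" in line:
            current = "peer"
        elif "- mine:" in line:
            current = "mine"
        m = RANGE_RE.search(line)
        if m and current and current not in result:
            l0, l1, r0, r1 = (ipaddress.IPv4Address(x) for x in m.groups())
            result[current] = {"local": (l0, l1), "remote": (r0, r1)}
    return result.get("peer"), result.get("mine")


def range_to_networks(start, end):
    """Collapse an inclusive address range into CIDR strings (a single host -> /32)."""
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def diagnose(debug_text):
    """Explain the rejection: each side of the proposal must equal the configured
    selector exactly; a peer host merely contained in the local subnet does not match."""
    peer, mine = parse_selector_ranges(debug_text)
    if peer is None or mine is None:
        return {"verdict": "no selector lines found"}
    findings = {}
    for side in ("local", "remote"):
        p_start, p_end = peer[side]
        m_start, m_end = mine[side]
        findings[side] = {
            "peer": range_to_networks(p_start, p_end),
            "mine": range_to_networks(m_start, m_end),
            "exact_match": (p_start, p_end) == (m_start, m_end),
            "peer_inside_mine": m_start <= p_start and p_end <= m_end,
        }
    mismatched = [s for s in ("local", "remote") if not findings[s]["exact_match"]]
    findings["verdict"] = "match" if not mismatched else "mismatch on " + ", ".join(mismatched)
    return findings


if __name__ == "__main__":
    for side, info in diagnose(SAMPLE_DEBUG).items():
        print(side, info)
```

Running it against the quoted output gives `mismatch on remote`: the peer proposes `110.110.110.34/32` while the FortiGate expects `110.110.110.0/24`, and `peer_inside_mine` is true, which is exactly the containment-versus-equality gap the thread is about.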
9 REPLIES
abelio
SuperUser

Hello John, we've followed once http://kc.forticare.com/default.asp?id=2091&SID=&Lang=1 to adjust phase 2 and build the VIP pool that CP wants to see. Did you try that doc?

regards / Abel
John_Stoker
New Contributor II

Did it work that way? I actually just got it to work! It was a mismatch issue and we got it resolved. The third-party client set up their Checkpoint where the FG saw a single source and a subnet (/24) destination. I had to go into the CLI and change the phase 2 to use a group name, not a subnet/IP, for the destination. The third-party client had several IPs, so I created addresses for all of them and put them in a group, then I used that group name for the destination network in the quick mode selector and used a group name for the source as well. However, the FG didn't like a name for the destination and a subnet for the source, so I created an address name containing the subnet. E.g.:

```
config vpn ipsec phase2-interface
    edit "FG-CP-p2"
        set dhgrp 1
        set dst-addr-type name
        set keepalive enable
        set phase1name "FG-CP"
        set proposal 3des-sha1 3des-md5
        set replay enable
        set src-addr-type name
        # CP-public-ip-group includes several address names
        set dst-name "CP-public-ip-group"
        # FG-public-ip group includes the public IP subnet
        set src-name "FG-public-ip group"
    next
end
```
John CISSP, FCNSP Advance
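To show why the group-based config above fixes the mismatch from the first post, here is an added Python model (my own code, not FortiOS and not from the thread) of how a quick-mode selector built from address and address-group names is matched against a peer's proposal. It assumes, as John's working config implies, that every (source member, destination member) pair becomes an acceptable selector and that the match must be exact. The group member addresses are constructed; the post does not list them.

```python
import ipaddress
from itertools import product

# Constructed address objects mirroring the names in the config above.
# The CP host addresses are made up; only the FG subnet appears in the thread.
ADDRESSES = {
    "CP-host-1": "110.110.110.34/32",
    "CP-host-2": "110.110.110.35/32",
    "CP-host-3": "110.110.110.40/32",
    "FG-public-subnet": "77.77.77.0/24",
}
GROUPS = {
    "CP-public-ip-group": ["CP-host-1", "CP-host-2", "CP-host-3"],
    "FG-public-ip group": ["FG-public-subnet"],
}


def expand_name(name):
    """Resolve an address or address-group name to a list of IPv4 networks."""
    if name in GROUPS:
        nets = []
        for member in GROUPS[name]:
            nets.extend(expand_name(member))
        return nets
    return [ipaddress.ip_network(ADDRESSES[name])]


def phase2_selectors(src_name, dst_name):
    """Model of 'set src-addr-type name' / 'set dst-addr-type name'.

    Assumption: each (source member, destination member) pair is one acceptable
    quick-mode selector, so a peer proposing a single host can match one of them.
    """
    return list(product(expand_name(src_name), expand_name(dst_name)))


def subnet_only_selectors():
    """The original (failing) configuration: one subnet on each side."""
    return [(ipaddress.ip_network("77.77.77.0/24"),
             ipaddress.ip_network("110.110.110.0/24"))]


def find_phase2(proposal_local, proposal_remote, selectors):
    """IKEv1 quick-mode matching: the peer's ID payloads must equal one configured
    selector exactly. Containment is not enough; that is the
    'no matching phase2 found' case from the debug output."""
    want = (ipaddress.ip_network(proposal_local), ipaddress.ip_network(proposal_remote))
    for sel in selectors:
        if sel == want:
            return sel
    return None


if __name__ == "__main__":
    # Peer proposes its /24 view of our side and a single host on its side.
    print("subnet-only config:", find_phase2("77.77.77.0/24", "110.110.110.34/32",
                                             subnet_only_selectors()))
    print("group config:     ", find_phase2("77.77.77.0/24", "110.110.110.34/32",
                                             phase2_selectors("FG-public-ip group",
                                                              "CP-public-ip-group")))
```

With the subnet-only selector the host proposal finds nothing; with the group there are three candidate selectors and the proposal for `110.110.110.34/32` matches the one built from `CP-host-1`. A host that is not in the group (say `110.110.110.99`) still gets no match, which is the behaviour you want from a selector that enumerates the remote hosts.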
romanr
Valued Contributor

Hi there, we do have running tunnels between FortiGate and Checkpoint. It worked with several 2.8 and 3.0 versions of FortiOS. The Checkpoint isn't under my control so I don't know the versions there! We use wildcards (0.0.0.0/0) in the phase 2 selection and do the rest (even NAT) via the policies! This has worked out easily without any problems!! cheers, roman
John_Stoker
New Contributor II

Thanks for the response! We got it to work as well, but were unsuccessful using wildcards (0.0.0.0/0). I, as well, don't have access to the Checkpoints so I don't know the config on that side either. That's most likely why the wildcards didn't work for us (a difference in the CP config). So just curious, did this happen to be a VPN setup to a third-party EDI compliance company? Thanks again,
John CISSP, FCNSP Advance
John_Stoker
New Contributor II

FYI: If anyone wants a generic config of what we set up, just reply to this post. It's pretty thorough on the FortiGate config.
John CISSP, FCNSP Advance
Smart40

Hi John, please send me the config for the setup; I am doing it at a customer that has Checkpoint. My email id: surendra.jangam@logix.in regards
Not applicable

Hello all, I had a similar problem between our FortiGate and a Cisco Concentrator. We were trying to send from a single host address defined in the FortiGate as X.X.X.X/32. What the 500A sent was X.X.X.X/X.X.X.X, while what it should have sent is X.X.X.X/255.255.255.255. Changing to a /30, it sends X.X.X.X/255.255.255.252 and the Cisco was happy. Fortinet has confirmed this is a bug in the MR4 we're running and will be fixed in a future MR5. wttw, Dave
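Dave's post is about the wire encoding of the ID payload rather than the selector logic, so here is a separate added example (my own Python, not from the thread or from any vendor) that builds the identification data for an IKEv1 ID_IPV4_ADDR_SUBNET payload, which carries a 4-byte address followed by a 4-byte netmask (RFC 2407), and checks that the mask field is a contiguous netmask. A mask field that repeats the address, the "X.X.X.X/X.X.X.X" shape Dave saw, fails the check, while /32 and /30 encode to 255.255.255.255 and 255.255.255.252. The 192.0.2.x addresses are constructed stand-ins for the X.X.X.X in the post; `buggy_encode` is my reproduction of the described symptom, not the actual FortiOS code.

```python
import ipaddress
import struct

# RFC 2407 IPsec DOI identification types used in IKEv1 phase 2 ID payloads.
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4


def encode_ipv4_subnet_id(cidr):
    """Identification data for ID_IPV4_ADDR_SUBNET: address then contiguous netmask.

    A /32 host therefore encodes as <addr>/255.255.255.255, which is what the
    Cisco peer in the post expected to receive.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return ID_IPV4_ADDR_SUBNET, net.network_address.packed + net.netmask.packed


def decode_ipv4_subnet_id(data):
    """Split 8 bytes of ID_IPV4_ADDR_SUBNET data back into (address, mask) strings."""
    addr, mask = struct.unpack("!4s4s", data)
    return str(ipaddress.IPv4Address(addr)), str(ipaddress.IPv4Address(mask))


def is_valid_netmask(mask_str):
    """True if the mask is a run of 1-bits followed by 0-bits (255.255.255.252 etc.).

    Inverting a contiguous mask yields a value of the form 2^k - 1; a host
    address such as 192.0.2.10 placed in the mask field does not have that shape.
    """
    m = int(ipaddress.IPv4Address(mask_str))
    inverted = (~m) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def buggy_encode(cidr):
    """Constructed reproduction of the symptom Dave describes: the mask field is
    filled with the address itself instead of the netmask. Hypothetical, for
    demonstrating the check; not the real firmware behaviour."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ID_IPV4_ADDR_SUBNET, net.network_address.packed * 2


def check_id_payload(id_type, data):
    """Return a short verdict for a received subnet ID payload."""
    if id_type != ID_IPV4_ADDR_SUBNET or len(data) != 8:
        return "not an IPv4 subnet ID"
    addr, mask = decode_ipv4_subnet_id(data)
    if not is_valid_netmask(mask):
        return "malformed: mask %s is not a contiguous netmask" % mask
    return "ok: %s/%s" % (addr, mask)


if __name__ == "__main__":
    print(check_id_payload(*encode_ipv4_subnet_id("192.0.2.10/32")))
    print(check_id_payload(*encode_ipv4_subnet_id("192.0.2.8/30")))
    print(check_id_payload(*buggy_encode("192.0.2.10/32")))
```

The netmask test is the piece worth keeping when you write your own IKE log or packet checks: a responder that sees a non-contiguous mask in a subnet ID cannot compute the range the peer means, and rejecting it with INVALID_ID_INFORMATION (the same notify that appears in John's debug output) is the correct outcome rather than a surprising one.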
zentobbe
New Contributor

John! Please mail me the config as well! tobbe@saldab.se -tnx
Not applicable

John, can you please send me the config? tvd@pandora.be Can you explain if you used policy- or interface-based VPN and how the firewall policies looked? Thanx