Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Fortigate and checkpoint IPSEC VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate and checkpoint IPSEC VPN
Good day,
We have setup an IPSEC VPN between Checkpoint units and Fortigate with multiple subnet. I have managed to setup commnications for tunnels using private ranges but those with public ranges are not working. I believe this is a Configuration issue
The checkpoint administrator on the otherside has told me that checkpoint will only accept packets from one IP address x.x.x.x - which is the public IP address of the Forigate.
Please help me to configure this or a document for this scenario.
Other VPNs are working without problem.
Thanks and Regards
clau
hezvo uko
hezvo uko
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried separating the public IP ranges into a second policy and using a NAT pool?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I am suggesting is that you take the 10.0.0.0, 172.0.0.0 and 192.168.0.0 networks, put them into a policy (or leave them where they are). Then take the remaining (public) networks, place them into a separate policy and use an IP pool for the outgoing traffic. For the pool, use an address range in the private area that works. All traffic going over the tunnel would then be " private" .
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
I have no control over the clients behind checkpoints. The clients behind the Checkpoint firewalls are public and I have configured clients Fortigate to be private. However the Check point admin requires the following
1. all communications in the tunnel should come from the public IP address of the Fortigate
2. NAT should be enabled - I am not sure where NAt Traversal or in the firewall policy
So how to I put an IP pool now on the fortigate side? all my clients have private IPs and only communicate using my public IP over the tunnel
When we were testing I Natted on the firewall poly but it did not work - even tried to disable and enable NAT travesal but no luck.
hezvo uko
hezvo uko
Not applicable
Created on 06-14-2010 06:32 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you tried enabling outbound nat on your vpn policies for the checkpoint? this will make the traffic come from one ip address, your external interface.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have managed to setup commnications for tunnels using private ranges but those with public ranges are not working.Any router that supports VPN easily handles private IP to private IP tunnels that do not overlap. You won' t find a router anywhere that can match the Fortigate at handling overlapping subnets and mapping to public IPs. The implementation and instructions could be better it' s the least crappy available.
Other VPNs are working without problem.You mean VPN' s with other companies that do not NAT are working without problems. If a company asks for you to NAT any addresses then they want them all NAT. You should wonder why if their router is so good then why can' t they do the NAT on their end?
1. all communications in the tunnel should come from the public IP address of the FortigateYou dropped a word. Even if that' s what they said that' s not what they want. They want all communications to come from the public IP address range of the Fortigate. You generally don' t map any private IP to the actual public address of the router to avoid routing problems for the other peer' s network. You have two problems. They don' t know what they' ve asked for and you don' t either. It' s a simple translation of what they, BIG Incorporated, have done and they assume you must do the same thing because they think your router is as incapable as theirs. Perhaps BIG has purchased some /24 netblocks so they own addresses 2.2.2.1-255 for one division and 41.3.3.1-255 for another division. They set their public IP of their checkpoints to 2.2.2.2 and 41.3.3.3. All the rest of the addresses are available for NATting because they think they need to own the addresses to NAT to them. Some routers like Cisco require the NAT IPs to be owned because NAT over IPSec is incorrectly implemented. You, SMALL Incorporated, may have only purchased a single static IP: 6.6.6.6 though you are more likely to have purchased a /29 netblock which would mean you actually own 6.6.6.0-7. The gateway consumes the second address 6.6.6.1 and the router consumes one, preferably on the top or the bottom, so the rest are available for NAT, or so it would seem. BIG is expecting you to NAT whatever private IPs you are providing to the available public IPs and expects you to buy as many public IPs as necessary to NAT all of the machines they need to interface to. They wouldn' t ask that if they had ever used a router that implemented NAT over IPSec correctly. I' ll show an example with some randomly chosen internal addresses of computers and printers where all public IPs are used up: ?: 6.6.6.0 Gateway: 6.6.6.1 10.0.2.54 natip 6.6.6.2 10.0.4.11 natip 6.6.6.3 10.0.3.18 natip 6.6.6.4 10.0.2.11 natip 6.6.6.5 Fortigate: 6.6.6.6 10.0.2.1 natip 6.6.6.7 Having the router in the middle is a routing disaster for the other peer' s network. Either move the Fortigate to one of the ends or forget about NATing to 6.6.6.7. Use it for something else. BIG only wants to communicate to a 6.6.6.x address because that, like all Internet addresses, is already routed in their network to their VPN router and they don' t want VPN peers like you dropping random subnets they can' t administer into their network. >The checkpoint administrator on the otherside has told me that checkpoint will only accept packets from one IP address x.x.x.x - which is the public IP address of the Forigate. This tells me that the other admin does not understand VPN. All VPN already work this way and they do not work any other way. No matter what addresses are chosen, public or private, the only communication that ever occurs over the Internet is between the public IPs of the two peers. 6.6.6.6 ↔ 2.2.2.2 6.6.6.6 ↔ 41.3.3.3 The Internet never sees any communication from 10.0.2.54 or 6.6.6.2. That only happens inside the private networks. >I am not sure where NAt Traversal or in the firewall policy NAT is not similar to NAT Traversal. NAT which for you is NAT over IPSec changes the source or destination addresses as the packet passes through the VPN. NAT Traversal is used when either VPN peer is not on the edge. If you or the other network has another router in front of the VPN router then NAT Traversal is needed. If you were expecting IPSec connections from a client inside a hotel you would need NAT Traversal enabled to pass through the hotel router. If your phase 1 connects then you don' t need NAT Traversal. Policy tunnels are easier to make and NAT is more straightforward than with interface tunnels so start with a policy tunnel. Read the section in the FortiOS VPN documentation about Overlapping Subnets. You' ll be doing that but only on one side. Create a phase 2 in the GUI ph2BIG: 6.6.6.2 ↔ 2.2.2.2/28 Create a policy in the GUI 110: 10.0.2.54 ↔ 2.2.2.2/28 The policy does not match the phase 2 so you might be thinking that you have an orphaned phase 2. These CLI commands that enable the NAT are what connect the phase 2 to the policy:
config firewall policy edit 110 #set natinbound enable set natoutbound enable set natip 6.6.6.2 255.255.255.255 end config vpn ipsec phase2 edit " ph2BIG" set use-natip disable next endAs the packet from 10.0.2.54 passes through the VPN it will be NAT to 6.6.6.2. Returning packets to 6.6.6.2 will be NAT back to 10.0.2.54 before appearing on your network. Create additional policies with natip and tunnels as needed. Sometimes Inbound NAT makes tunnels work properly if something is incorrectly configured. Fix the problem so the tunnel works with or without Inbound NAT. Having to NAT each address is a hassle. It would be much better to rearrange your network a bit. ?: 6.6.6.0 Gateway: 6.6.6.1 Fortigate: 6.6.6.2 10.0.2.3 natip 6.6.6.3 10.0.2.4 natip 6.6.6.4 10.0.2.5 natip 6.6.6.5 10.0.2.6 natip 6.6.6.6 10.0.2.7 natip 6.6.6.7 Create a phase 2 in the GUI ph2BIG: 6.6.6.0/24 ↔ 2.2.2.2/28 Create a policy in the GUI 110: 10.0.2.0/24 ↔ 2.2.2.2/28 In the CLI:
config firewall policy edit 110 #set natinbound enable set natoutbound enable set natip 6.6.6.0 255.255.255.0 end config vpn ipsec phase2 edit " ph2BIG" set use-natip disable next endAll done with a single tunnel and policy. Your main challenge will be getting the admins of the Chokepoints to match your phase 2. Checkpoints are so complicated that few admins know how to configure them. Often a call to Checkpoint support will be necessary and they can since Checkpoints do not function without an active support contract. The NAT is larger than it first appears. Since source NAT over IPSec is implemented properly on the Fortigate you can NAT to public IP addresses you don' t own. Even though you only own 6.6.6.0-7, this tunnel and policy is already NATing: 10.0.2.2-254 natip 6.6.6.2-254 These addresses are already accessible. So when BIG has run you out of owned public addresses, no problem, SMALL has an unlimited number of public IP addresses to use because SMALL' s Fortigate router implements NAT over IPSec correctly. Even if you have only bought a single static IP you still have an unlimited number of public IP addresses to use. The only addresses you can' t use are those that are already being used by one of BIG' s other peers. The next step is to do this with interface tunnels.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,682 -
FortiClient
1,756 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
474 -
FortiAP
470 -
FortiClient EMS
429 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
243 -
FortiAuthenticator v5.5
234 -
IPsec
207 -
FortiWeb
205 -
5.0
196 -
FortiNAC
188 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
33 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1709 | |
| 1093 | |
| 752 | |
| 446 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.