Support Forum
oomar
New Contributor

IPSec CheckPoint - Fortigate

Good afternoon all, firstly, many thanks for your help. We're trying to bring up an IPsec VPN between two physical hosts behind a CheckPoint and our Fortigate 310B. Find the configuration below.

Phase 1: OK
Phase 2: error, see the attached

Src-ip (behind Fortigate): 10.0.3.150 for example, subnet mask /24
Dst-ip (behind CheckPoint): 10.1.11.146, subnet mask /8

Policy rules:
from VPN tunnel interface to our LAN > allow 10.1.11.46/32 to 10.0.3.150/32, accept
from LAN interface to VPN tunnel > allow 10.0.3.150/32 to 10.1.11.46/32, accept

I added a static route to 10.1.11.46 on the VPN tunnel interface. Same settings on both sides, same authentication, same IKE, same timeout... I saw many posts but nothing explains what I have to set up differently on the CheckPoint. If you need more details, feel free to ask me. Best regards,
rwpatterson
Valued Contributor III

Welcome to the forums. Since you're only looking to connect to a single host on both sides, why not narrow down the phase 2 selectors to that single host? (as below:)

Src-ip (behind Fortigate): 10.0.3.150 for example, subnet mask /32
Dst-ip (behind CheckPoint): 10.1.11.46, subnet mask /32

By the way, you had 146 there, but since it's a class A, it really doesn't matter.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

Without seeing the CheckPoint encryption domains it's hard to guess what's hosed up. Make sure PFS is disabled/enabled to match, and that the proposals are limited to what your FGT has enabled (ciphers and DH group). Next, the CheckPoint will need fwpolicies in the same fashion as the FGT.

PCNSE NSE StrongSwan
oomar
New Contributor

Hello emnoc, rwpatterson.

To rwpatterson: I already tried setting the remote host. I mention the subnet mask because the remote network overlaps our subnet.

To emnoc: on the CheckPoint we set the same encryption domain, and tried PFS disabled/enabled. The fwpolicies are the same on the CheckPoint too.
ede_pfau
Esteemed Contributor III

oomar, you've already mentioned the subnet overlap. IMHO the problem is on the CP side. The CP sees the remote subnet as a part of its own local subnet. This way the routing will fail. You could:
- change your (small) subnet to a different range
- NAT from the CP side onto e.g. 192.168.y.z/24

I think if you monitor traffic on the VPN tunnel you will see traffic leaving the FGT but never returning. That would confirm the routing theory.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

ORIGINAL: ede_pfau oomar, you've already mentioned the subnet overlap. IMHO the problem is on the CP side. The CP sees the remote subnet as a part of its own local subnet. This way the routing will fail.
...which is why I suggested using two single host entries. No more overlap.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

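The host-only selectors rwpatterson suggests, written out as a FortiOS CLI fragment. This is an added example for readers of the thread, not configuration posted by oomar or anyone else in it. The phase1-interface name "to-checkpoint", the LAN interface name "internal", the address object and policy names, and the proposal/DH group values are assumptions; the proposal and PFS/DH settings have to be replaced with whatever the CheckPoint side actually offers, and the lines beginning with "#" are annotations, not CLI commands.

```text
# Phase 2 selectors narrowed to the two hosts, so the FGT negotiates
# 10.0.3.150/32 <-> 10.1.11.46/32 instead of 10.0.3.0/24 <-> 10.0.0.0/8.
# "to-checkpoint" is an assumed phase1-interface name.
config vpn ipsec phase2-interface
    edit "to-checkpoint-p2"
        set phase1name "to-checkpoint"
        # assumed values: must match the CheckPoint's phase 2 proposal exactly
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 2
        set src-addr-type subnet
        set src-subnet 10.0.3.150 255.255.255.255
        set dst-addr-type subnet
        set dst-subnet 10.1.11.46 255.255.255.255
    next
end

# Host-only address objects, so the policies match the selectors
config firewall address
    edit "host-local-10.0.3.150"
        set subnet 10.0.3.150 255.255.255.255
    next
    edit "host-cp-10.1.11.46"
        set subnet 10.1.11.46 255.255.255.255
    next
end

# Route only the single remote host into the tunnel interface;
# the rest of 10.0.0.0/8 stays on the local side.
config router static
    edit 0
        set dst 10.1.11.46 255.255.255.255
        set device "to-checkpoint"
    next
end

# Policies in both directions; "internal" is the assumed LAN interface
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-checkpoint"
        set srcaddr "host-local-10.0.3.150"
        set dstaddr "host-cp-10.1.11.46"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "to-checkpoint"
        set dstintf "internal"
        set srcaddr "host-cp-10.1.11.46"
        set dstaddr "host-local-10.0.3.150"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Checks for ede_pfau's "leaves the FGT but never returns" theory:
# diagnose vpn tunnel list name to-checkpoint
#   (shows the negotiated selectors and the encrypt/decrypt counters)
# diagnose sniffer packet to-checkpoint 'host 10.1.11.46' 4
#   (outbound packets with no inbound replies confirm the routing problem)
```

The CheckPoint side then needs a matching encryption domain: the host object for 10.1.11.46 as the local domain of the VPN community, and 10.0.3.150 as the FortiGate gateway's domain, so that neither peer proposes 10.0.0.0/8 as a selector. If the phase 2 counters show packets encrypted but nothing decrypted, the CheckPoint is still routing replies for 10.0.3.150 as local traffic, and narrowing the domain or NATing as ede_pfau describes is the fix.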