Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
oomar
New Contributor

Created on ‎07-30-2012 12:42 PM

IPSec CheckPoint - Fortigate

Good afternoon all, firstly, manu thanks for your help. We' re trying to bring up an ipsec vpn between two physical host behind a CheckPoint and our Fortigate 310B. Find below the configuration. Phase 1 : OK Phase 2 : error find in attached Src-ip (behind fortigate) 10.0.3.150 for example, mask subnet /24 dst-ip (behind checkpoint) 10.1.11.146, mask subnet /8 Policy rules from vpn tunnel interface to our lan > allow 10.1.11.46/32 to 10.0.3.150/32, accept from lan interface to vpn tunnel > allow 10.0.3.150/32 to 10.1.11.46/32, accept I add a static route to 10.1.11.46 on vpntunnel interface. Same setting in both side, same authentication, same ike, same timeout... I saw many post but nothing explain what I have to set up differently on Checkpoint. If you need more details, feel free to ask me. Best regards,
Preview file
88 KB
1114
0 Kudos
5 REPLIES 5
rwpatterson
Valued Contributor III

Created on ‎07-30-2012 12:49 PM

Welcome to the forums. Since you' re only looking to connect to a single host on both sides, why not narrow down the phase 2 selectors to that single host? (as below:)
Src-ip (behind fortigate) 10.0.3.150 for example, mask subnet /32 dst-ip (behind checkpoint) 10.1.11.46, mask subnet /32
By the way, you had 146 there, but since it' s a class A, it really doesn' t matter.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

761
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎07-30-2012 12:51 PM

Without seeing the checkpoint encryption-domains it' s hard to guess what' s hosed up. Make sure PFS is disable/enable and that the proposals are limited to what your FGT has enabled ( ciphers and DH-grp ) next the checkpoint will need fwpolicies in the same fashion as the FGT.

PCNSE 

NSE 

StrongSwan  

761
0 Kudos
oomar
New Contributor

Created on ‎07-30-2012 04:30 PM

Hello emnoc, rwpatterson to patterson, I already try to set remote host. I mention the subnet mask because the remote network overlap our subnet to emnoc, on the checkpoint we set the same encryption domain, tried PFS disable/enabled. fwpolicies are the same on checkpoint too
761
0 Kudos
ede_pfau
Esteemed Contributor III

Created on ‎07-31-2012 01:49 AM

oomar, you' ve already mentioned the subnet overlap. IMHO the problem is on the CP side. The CP sees the remote subnet as a part of it' s own local subnet. This way the routing will fail. You could - change your (small) subnet to a different range - NAT from the CP side onto e.g. 192.168.y.z/24 I think if you monitor traffic on the VPN tunnel you will see traffic leaving the FGT but never returning. That would confirm the routing theory.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
761
0 Kudos
rwpatterson
Valued Contributor III
In response to ede_pfau

Created on ‎08-01-2012 05:35 AM

ORIGINAL: ede_pfau oomar, you' ve already mentioned the subnet overlap. IMHO the problem is on the CP side. The CP sees the remote subnet as a part of it' s own local subnet. This way the routing will fail.
...which is why I suggested using two single host entries. No more overlap.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

761
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.