Hi, I am trying to do site-to-site between Forti and Check Point in my home.
I gave my Forti WAN IP 17.17.17.3 and my CP 17.17.17.222 (before the site-to-site I had a ping between them).
Forti LAN - 172.16.3.0
Check Point LAN - 172.16.0.0
This is what I did.
Hi, here are my details.
Forti Debug:
http://jpg.co.il/view/562ccb9b820e5.png/
Forti Interface:
http://jpg.co.il/view/562ccbad75e4f.png/
Static Route:
http://jpg.co.il/view/562ccbc208c0c.png/
Forti Policy:
http://jpg.co.il/view/562ccbd48eaa0.png/
Vpn:
http://jpg.co.il/view/562ccbe3b1524.png/
http://jpg.co.il/view/562ccbf8cf525.png/
http://jpg.co.il/view/562ccc0642726.png/
http://jpg.co.il/view/562ccc10347a3.png/
Site Up
http://jpg.co.il/view/562ccc1be5b59.png/
Check Point Encrypt configuration:
http://jpg.co.il/view/562ccb415c630.png/
Hi,
From the given output, there is not much information we can see.
I would suggest you make sure that all the IPsec parameters are the same on both ends, and also capture the debug output with the commands below and then try to initiate the tunnel from the Check Point:
diag debug reset
diag debug appl ike -1
diag debug enable
You can also refer to the videos at www.video.fortinet.com
Regards,
Somu
Hi,
The private networks behind the tunnel ends need to be different from each other - a VPN (usually) connects 2 networks. I see that you might have subnets which are partly overlapping.
But in general, you need to give more information if you expect help. First, find out how to post pictures.
Which are the networks (address and network masks), which version of FortiOS, what have you configured so far - VPN parameters, setup etc. IMHO it's far too early for debugging...
Where is the Quick Mode?
In phase 2, "Advanced...". Set the local network plus netmask, and the remote network (behind the tunnel, the remote LAN) as well. Make sure you have these settings on the CP side as well, and identical.
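To make the advice above concrete, here is the FortiGate side of such a tunnel written as CLI, as an added example that is not taken from the thread or from either vendor. It assumes interface-mode IPsec on a FortiOS 5.4 or later CLI, a WAN interface named "wan1", a LAN interface named "internal", a tunnel named "to-checkpoint", and /24 masks on both LANs (the thread gives 172.16.3.0 and 172.16.0.0 without masks); the proposal, DH group and pre-shared key are placeholders that must match the Check Point values exactly.

```text
# Added example, not the poster's configuration. Assumed names: wan1, internal,
# to-checkpoint. Assumed masks: /24 on both LANs. PSK and proposals are placeholders.
config vpn ipsec phase1-interface
    edit "to-checkpoint"
        set interface "wan1"
        set ike-version 1
        set remote-gw 17.17.17.222
        set proposal aes256-sha256        # must equal the CP phase 1 settings
        set dhgrp 14
        set psksecret <shared-secret-placeholder>
    next
end
config vpn ipsec phase2-interface
    edit "to-checkpoint-p2"
        set phase1name "to-checkpoint"
        set proposal aes256-sha256        # must equal the CP phase 2 settings
        set dhgrp 14
        # Quick Mode selectors: local LAN and remote LAN, never the WAN addresses
        set src-subnet 172.16.3.0 255.255.255.0
        set dst-subnet 172.16.0.0 255.255.255.0
    next
end
# Route the remote LAN into the tunnel interface
config router static
    edit 0
        set dst 172.16.0.0 255.255.255.0
        set device "to-checkpoint"
    next
end
# Address objects so the policies match only the two LANs, not "all"
config firewall address
    edit "forti-lan"
        set subnet 172.16.3.0 255.255.255.0
    next
    edit "checkpoint-lan"
        set subnet 172.16.0.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "lan-to-checkpoint"
        set srcintf "internal"
        set dstintf "to-checkpoint"
        set srcaddr "forti-lan"
        set dstaddr "checkpoint-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "checkpoint-to-lan"
        set srcintf "to-checkpoint"
        set dstintf "internal"
        set srcaddr "checkpoint-lan"
        set dstaddr "forti-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# After bringing the tunnel up, confirm the negotiated selectors are the two LANs
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

The Check Point encryption domain must be the mirror image of these selectors (its local domain 172.16.0.0/24, its remote domain 172.16.3.0/24). Note also why the masks matter for the overlap remark earlier in the thread: if the Check Point LAN were defined as 172.16.0.0/16 it would contain 172.16.3.0/24, and Quick Mode would never agree on a clean pair of selectors.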
This is what I did.
Phase 2 Forti
http://jpg.co.il/view/562d0351bcf4e.png/
Internal -Forti
http://jpg.co.il/view/562d036db8ac4.png/
CheckPoint Rule
http://jpg.co.il/view/562d0382c14bc.png/
LocalVpn CheckPoint
http://jpg.co.il/view/562d038e426d1.png/
Forti Network
http://jpg.co.il/view/562d03a387f11.png/
CheckPoint Internal
http://jpg.co.il/view/562d03b21da51.png/
What are the phase1 and phase2 parameters on the CP side?
From the very first screenshot it looks like the CP puts the WAN addresses into the ph2 QM selectors (whereas the FGT does it right). I would focus on this as it is the reason why the tunnel doesn't get established.
Hi,
First, thank you for your help.
I uploaded the CP phase 1 and phase 2 of the site-to-site
http://jpg.co.il/view/562ccb415c630.png/
These are the parameters of CP phase 1+2
http://jpg.co.il/view/562d398d807d1.png/
http://jpg.co.il/view/562d39bd7b626.png/
http://jpg.co.il/view/562d39cad197e.png/
In phase 2 of the Forti the parameters are the LAN of the CP and the LAN of the Forti.
Copyright 2024 Fortinet, Inc. All Rights Reserved.