Hi, I am trying to do site-to-site between Forti and Check Point in my home.
I gave my Forti the WAN IP 17.17.17.3 and my CP 17.17.17.222 (before Site2Site I have a ping between them).
Forti LAN - 172.16.3.0
CheckPoint LAN - 172.16.0.0
This is what I did.
Hi, here are my details.
Forti Debug:
http://jpg.co.il/view/562ccb9b820e5.png/
Forti Interface:
http://jpg.co.il/view/562ccbad75e4f.png/
Static Route:
http://jpg.co.il/view/562ccbc208c0c.png/
Forti Policy:
http://jpg.co.il/view/562ccbd48eaa0.png/
Vpn:
http://jpg.co.il/view/562ccbe3b1524.png/
http://jpg.co.il/view/562ccbf8cf525.png/
http://jpg.co.il/view/562ccc0642726.png/
http://jpg.co.il/view/562ccc10347a3.png/
Site Up
http://jpg.co.il/view/562ccc1be5b59.png/
CheckPoint Encrypt configuration:
http://jpg.co.il/view/562ccb415c630.png/
ede_pfau wrote: Hi, what are the phase 1 and phase 2 parameters on the CP side?
From the very first screenshot it looks like the CP puts the WAN addresses into the ph2 QM selectors (whereas the FGT does it right). I would focus on this as it is the reason why the tunnel doesn't get established.
First, thank you for your reply.
This is phase 1 + 2 of the CP:
http://jpg.co.il/view/562d3ad9249a6.png/
http://jpg.co.il/view/562d3aed02765.png/
http://jpg.co.il/view/562d39cad197e.png/
I hope that is what you are asking.
I think I have finally found the reason for this.
First, have a look at this: http://kb.fortinet.com/kb/viewContent.do?externalId=12091
Although this was written for FortiOS v3 it still applies.
I think the CP will only accept the remote's WAN IP address in the Quick Mode selection, not the private address space behind the FGT. This way, there will never be an address conflict, as WAN addresses are unique, while private addresses usually are not.
If you follow the KB article you should be able to have traffic from the FGT to the CP site. The other way will be more difficult as the CP only accepts one 'target' address. You should try out whether the destination NAT on the FGT side will suffice (using a VIP).
- CP does weird stuff
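To make the diagnosis above concrete, here is an added Python check (not from the thread, the KB article, or either vendor) that compares the phase 2 selectors each side proposes and flags the case ede_pfau read out of the debug screenshot: the CP offering the gateway WAN addresses instead of the two LANs. The /24 masks for both LANs and the exact selector values on the CP side are assumptions taken from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Values from the thread: gateway WAN addresses and the two LANs.
# The /24 masks are an assumption; the thread gives only the network addresses.
FGT_WAN, CP_WAN = "17.17.17.3", "17.17.17.222"
FGT_LAN, CP_LAN = "172.16.3.0/24", "172.16.0.0/24"


@dataclass(frozen=True)
class Selector:
    """One Quick Mode (phase 2) proposal as seen from the proposing peer."""
    local: IPv4Network   # the network that peer claims to protect
    remote: IPv4Network  # the network it expects on the far side


def sel(local: str, remote: str) -> Selector:
    return Selector(ip_network(local, strict=False), ip_network(remote, strict=False))


def mirrors(ours: Selector, theirs: Selector) -> bool:
    """Exact QM match: their local is our remote and their remote is our local."""
    return ours.local == theirs.remote and ours.remote == theirs.local


def covers(ours: Selector, theirs: Selector) -> bool:
    """Lenient match: their proposal fits inside what we are willing to protect."""
    return ours.local.supernet_of(theirs.remote) and ours.remote.supernet_of(theirs.local)


def diagnose(ours: Selector, theirs: Selector, our_wan: str, peer_wan: str) -> str:
    """Classify why a peer's phase 2 proposal would be refused, or report a match."""
    if mirrors(ours, theirs):
        return "match"
    if covers(ours, theirs):
        return "narrower than ours (accepted by some implementations)"
    wan_only = sel(f"{peer_wan}/32", f"{our_wan}/32")
    if theirs == wan_only:
        return "peer proposes gateway WAN addresses, not the protected LANs"
    return "selector mismatch"


# What the FortiGate proposes: its LAN -> the Check Point LAN.
fgt_phase2 = sel(FGT_LAN, CP_LAN)
# What the debug screenshot suggests the CP proposes: the two WAN addresses.
cp_seen = sel(f"{CP_WAN}/32", f"{FGT_WAN}/32")
# What the CP would need to propose for the LAN-to-LAN tunnel to come up.
cp_expected = sel(CP_LAN, FGT_LAN)

if __name__ == "__main__":
    print(diagnose(fgt_phase2, cp_seen, FGT_WAN, CP_WAN))
    print(diagnose(fgt_phase2, cp_expected, FGT_WAN, CP_WAN))
```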
ede_pfau wrote: I think I have finally found the reason for this.
First, have a look at this: http://kb.fortinet.com/kb/viewContent.do?externalId=12091
Although this was written for FortiOS v3 it still applies.
I think the CP will only accept the remote's WAN IP address in the Quick Mode selection, not the private address space behind the FGT. This way, there will never be an address conflict, as WAN addresses are unique, while private addresses usually are not.
If you follow the KB article you should be able to have traffic from the FGT to the CP site. The other way will be more difficult as the CP only accepts one 'target' address. You should try out whether the destination NAT on the FGT side will suffice (using a VIP).
- CP does weird stuff
I don't have the option Encryption 3DES. I have only DES.
All other settings I've set, except Virtual IP, and it does not help.
I uploaded the tracker messages from Forti - Amit (CP).
http://jpg.co.il/view/562ddea807ef4.png/
http://jpg.co.il/view/562ddecf67b99.png/
http://jpg.co.il/view/562dded9917d8.png/
http://jpg.co.il/view/562ddee424a68.png/
http://jpg.co.il/view/562ddef81e864.png/
Can I do Site-to-Site with WAN 192.168.X.X, or must I use the original IP?
From the cited KB article I deduce that you have to use the WAN IP of the FGT in the CP's Quick Mode selector. Whether you use DES or 3DES doesn't matter much.
Please reread the KB article again to understand what they are doing. You'll see that the VIP (destination NAT) is essential and cannot be left out, or the setup will not work.
BTW, with all that effort, wouldn't it be less trouble and less expensive if you bought a FGT for the other side as well? Just thinking.
ede_pfau wrote: From the cited KB article I deduce that you have to use the WAN IP of the FGT in the CP's Quick Mode selector. Whether you use DES or 3DES doesn't matter much.
Please reread the KB article again to understand what they are doing. You'll see that the VIP (destination NAT) is essential and cannot be left out, or the setup will not work.
BTW, with all that effort, wouldn't it be less trouble and less expensive if you bought a FGT for the other side as well? Just thinking.
I don't understand where the CP Quick Mode Selector is.
In my Forti object on the CP I have the WAN IP of the Forti.
Sorry, no idea. I have no first-hand experience with CP.
Someone else?