Hi Sagiv,

Thanks for your help, it works :)

Regards,

>>> [EMAIL PROTECTED] 14.03.2006 21:37:38 >>>
This is exactly why I said that you are not going to like it......

You will need to define your encryption domain: Firewall -> Topology -> manually define encryption domain.
And define the same on the Fortigate, meaning: ALL the networks.

Sorry,
Sagiv

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of SIBEL MEREY
Sent: Tuesday, March 14, 2006 11:02 AM
To: [email protected]
Subject: Re: [FW-1] Site to site VPN between CP NGX R60 and Fortigate

Hi Sagiv,

I am sorry for my English. Speaking and listening are worse than writing, so I try to understand by e-mail.

The encryption domain includes many networks and hosts for Checkpoint, because we are using site-to-site or client-to-site VPNs with others. But in my GUI I have put the encryption domain as a network for the interoperable device which is defined for the Fortigate. Also I have informed the Fortigate side to define the VPN domain as a network as well. Do you mean this?

Sibel

>>> [EMAIL PROTECTED] 10.03.2006 19:05:10 >>>
What is the encryption domain on the Checkpoint?
Define it as well on the Fortigate itself - not the interoperable device.
It will be easier for me to explain on the phone.

Sagiv

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of SIBEL MEREY
Sent: Friday, March 10, 2006 1:51 PM
To: [email protected]
Subject: Re: [FW-1] Site to site VPN between CP NGX R60 and Fortigate

Hi,

If I am not misunderstanding, you advise us to define the VPN domain not as a group of hosts, but instead as a network, on both the Checkpoint and the Fortigate side, and to restrict the access with rules.

I have defined the interoperable object's VPN domain as net_192.168.201.0 on the CP side, and on the Fortigate side they have also defined our domain as net_10.40.0.0. And I have defined a rule as

10.40.1.1 192.168.201.1 VPN any log

But still it does not work. But I am not sure I understand correctly what you mean?

Thanks

>>> [EMAIL PROTECTED] 09.03.2006 20:37 >>>
Hi,

As for the user.def, as I said it has been modified, so..... What about changing "ike_use_largest_possible_subnet" in $FWDIR/conf/objects_5_0.C to false?

The fast workaround for this issue:

Basically, the problem occurs when each gateway tells the other gateway what its encryption domain is during packet 1 and packet 2 of quick mode. Since there is no overlap (your FW encryption domain is networks 10.0.0.0 and 20.0.0.0, but the Fortigate allows opening a VPN tunnel only to 10.0.0.1 and 10.0.0.5 on your side) the negotiation fails.

The way to solve it is to allow the Fortigate (define on the Fortigate) your entire encryption domain, BUT in the rule base of your firewall to allow access only to 10.0.0.1 and 10.0.0.5 on specific ports.

I know it is not the most secure way and that it allows the Fortigate to open a VPN tunnel to your entire encryption domain (well, not exactly: it allows a successful key exchange between your firewall and the Fortigate for every machine in your encryption domain, BUT the firewall will only allow traffic to the specific machines that are allowed in the rule base).

Hope it helps (I know it helped me many times). In case you need further clarification please let me know and I will be glad to assist. In case you would like to discuss this issue you can send me your phone no. and I will call you back. Keep in mind that I am from Israel and that there are time differences.

Sagiv

________________________________
From: Mailing list for discussion of Firewall-1 on behalf of SIBEL MEREY
Sent: Thu 09/03/2006 10:55
To: [email protected]
Subject: Re: [FW-1] Site to site VPN between CP NGX R60 and Fortigate

Hi Sagiv,

We have tried to change the user.def file in our NGX but it has not worked. We can not use VTI because our CP is Express.

You have mentioned "There is one quick work around for this issue but I am not sure you will like it..". Could you send us this solution, maybe it will help us.

Thanks

>>> [EMAIL PROTECTED] 08.03.2006 17:24 >>>
Yes. Checkpoint, unlike any other vendor, uses supernetting. When negotiating the IPsec SA (phase 2) there is no match between the IDs and phase 2 fails.

There are several solutions regarding this issue under: "no valid SA", "no proposal chosen".

Prior to NGX you should have changed the setting "ike_use_largest_possible_subnet" to false or modified the $FWDIR/lib/user.def file according to the Checkpoint solutions. However, user.def has been modified in NGX so I am not sure this will work.

Try to use VTI - Checkpoint's new implementation of VPN.

There is one quick workaround for this issue but I am not sure you will like it....

In case you need further help let me know.

Sagiv Filler

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of SIBEL MEREY
Sent: Wednesday, March 08, 2006 5:04 PM
To: [email protected]
Subject: Re: [FW-1] Site to site VPN between CP NGX R60 and Fortigate

Excuse me, I don't understand what I should check?

Do you mean the Checkpoint SecurePlatform has a hostname, for example sisecam, and in the FW GUI a firewall/VPN object with the same name and IP address? Do you mean it should be a different name?

Thanks

>>> [EMAIL PROTECTED] 08.03.2006 15:05 >>>
I had a similar issue with R55 and a Symantec firewall. The ID information seems to be the hostname/IP address that both firewalls use as their tunnel termination address.

Please check: in Check Point, the firewall object IP address is set to the Internet IP address, or better, the interface IP nearest to the opposite VPN peer. I am not familiar with Fortigate, maybe you can do the same there.

Also check that on both sides IP Address is set as peer ID instead of hostname. In Cisco devices you can choose between those.

Hope this helps

SIBEL MEREY wrote:
>Hi,
>
>We have set up a VPN tunnel between CP NGX R60 on SecurePlatform and
>Fortigate 200. Although Phase 1 is OK, Phase 2 gives "IKE: Quick Mode Received
>Notification from Peer: invalid id information" and we can not access
>the other side's network. However, an expert from the Fortigate side says "When I
>try to bring up the tunnel, it establishes without problems".
>By the way, if we add the Fortigate firewall to our VPN domain, there is no VPN
>tunnel at all, for phase 1 or phase 2.
>
>Have you any idea?
>
>Thanks
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
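As an added illustration (not from the thread or either vendor), the following Python models the Phase 2 ID comparison Sagiv describes: a Check Point gateway with ike_use_largest_possible_subnet proposes the whole encryption-domain network containing the destination, the Fortigate proposes the entry it was configured with, and Quick Mode succeeds only when the two IDs are identical. The domain networks, the two-host Fortigate list, the 192.168.201.0/24 peer network and the rule base are constructed from the numbers in the thread; the functions are hypothetical, not Check Point or Fortinet code.

```python
from ipaddress import ip_address, ip_network

# Constructed from the numbers in the thread: the Check Point encryption domain
# holds two networks, the Fortigate was first configured with two hosts only.
CP_DOMAIN = [ip_network("10.0.0.0/8"), ip_network("20.0.0.0/8")]
FG_HOSTS = [ip_network("10.0.0.1/32"), ip_network("10.0.0.5/32")]
PEER_NET = ip_network("192.168.201.0/24")  # Fortigate-side network from the thread

def phase2_id(domain, host, largest_subnet=True):
    """Phase 2 (Quick Mode) ID a gateway sends for traffic to `host`.
    largest_subnet=True models Check Point's ike_use_largest_possible_subnet:
    the ID is the whole domain entry containing the host, not the single host."""
    host = ip_address(host)
    for net in domain:
        if host in net:
            return net if largest_subnet else ip_network(f"{host}/32")
    return None  # host is outside the encryption domain: no tunnel at all

def quick_mode_ok(local_domain, peer_domain, host, largest_subnet=True):
    """IKEv1 Quick Mode succeeds only when both sides' IDs for the protected
    traffic are identical; a mismatch is the 'invalid id information' notify."""
    mine = phase2_id(local_domain, host, largest_subnet)
    theirs = phase2_id(peer_domain, host)  # the peer sends what it was configured with
    return mine is not None and mine == theirs

def rulebase_action(rules, src, dst, default="drop"):
    """First-match rule base: the tunnel may cover the whole domain, but only
    the destinations listed here are reachable (Sagiv's workaround)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, action in rules:
        if src in rule_src and dst in rule_dst:
            return action
    return default

# Constructed rule base: the peer network may reach only the two hosts.
RULES = [(PEER_NET, h, "accept") for h in FG_HOSTS]

if __name__ == "__main__":
    # Original setup: 10.0.0.0/8 (Check Point) vs 10.0.0.1/32 (Fortigate) -> fails
    print("supernet vs host:", quick_mode_ok(CP_DOMAIN, FG_HOSTS, "10.0.0.1"))
    # Check Point sends the exact host instead (ike_use_largest_possible_subnet = false)
    print("host vs host:", quick_mode_ok(CP_DOMAIN, FG_HOSTS, "10.0.0.1", largest_subnet=False))
    # Workaround: Fortigate defines the full domain, so the tunnel covers 10.0.0.7 too...
    print("full domain:", quick_mode_ok(CP_DOMAIN, CP_DOMAIN, "10.0.0.7"))
    # ...but the rule base still drops traffic to 10.0.0.7
    print("rule base 10.0.0.7:", rulebase_action(RULES, "192.168.201.1", "10.0.0.7"))
```

The last two calls show the trade-off Sagiv states: with the full domain on the Fortigate, key exchange covers every host in 10.0.0.0/8, while the rule base, not the tunnel definition, is what limits reachable hosts to 10.0.0.1 and 10.0.0.5.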
