FortiGate
Article Id 191142
Introduction

This article describes how to configure an IPSec VPN on a FortiGate unit to work with a Checkpoint NGX firewall VPN. The configuration uses an interface-based VPN, a new feature in FortiOS v3.0.

Users on the network behind the FortiGate unit can reach any host on the Checkpoint-protected network. Users on the Checkpoint network can reach one server on the private network behind the FortiGate unit.

Components
  • FortiGate unit with FortiOS v3.0 firmware
  • Checkpoint NGX firewall appliance
Prerequisites
  • The FortiGate unit must be in NAT mode.
Configure VPN Phase 1

First configure the IPSec VPN phase 1. The virtual IPSec interface is created on the physical interface that connects to the Internet (port2 in this example). The phase 1 proposal, DH group and pre-shared key must match what is configured on the Checkpoint appliance, or the negotiation fails.

To configure using the Web-based Manager:

  1. Go to VPN > IPSec > Auto-Key and select Phase 1. Enter the following:
    Name: a name for the VPN, here toSite2
    Remote Gateway: Static IP Address
    IP Address: the public IP address of the Checkpoint appliance
    Local Interface: the interface that connects to the remote VPN, port2
    Authentication Method: Preshared Key
    Pre-shared Key: the same preshared key configured on the Checkpoint appliance

  2. Select Advanced and enter the following:
    Enable IPSec Interface Mode: Enable
    P1 Proposal: 1 - Encryption DES, Authentication MD5
    DH Group: 2
    Keylife: 86400
    Nat-traversal: Enable
    Dead Peer Detection: Enable

  3. Select OK.

To configure using the CLI:

config vpn ipsec phase1-interface
    edit "toSite2"
        set interface "port2"
        set dpd enable
        set nattraversal enable
        set dhgrp 2
        set proposal des-md5
        set keylife 86400
        set remote-gw nnn.nnn.nnn.nnn
        set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
end

Configure VPN Phase 2

Next configure the IPSec VPN phase 2. The Checkpoint VPN accepts VPN connections from only one address: 192.168.197.168. Set the source selector to that address. The destination is the private network behind the Checkpoint appliance.

To configure using the Web-based Manager:

  1. Go to VPN > IPSec > Auto-Key and select Phase 2.
  2. Enter the following:
    Name: a name for the VPN Phase 2 configuration, here toSite2_p2
    Phase 1: the Phase 1 configuration name, toSite2

  3. Select Advanced and enter the following:
    P2 Proposal: 1 - Encryption 3DES, Authentication MD5
    Enable Replay Detection: Enable
    DH Group: 1
    Autokey Keep Alive: Enable
    Source Address: 192.168.197.168
    Destination Address: 10.185.111.0 255.255.255.0

  4. Select OK.

To configure using the CLI:

config vpn ipsec phase2-interface
    edit "toSite2_p2"
        set dhgrp 1
        set keepalive enable
        set phase1name "toSite2"
        set proposal 3des-md5
        set replay enable
        set src-addr-type ip
        set dst-subnet 10.185.111.0 255.255.255.0
        set src-start-ip 192.168.197.168
end

Configure Firewall Addresses

Create firewall addresses for the private networks at either end of the VPN. "LocalLAN" is the network at the FortiGate unit end and "Site2_net" is the network behind the Checkpoint appliance.

To configure using the Web-based Manager:

  1. Go to Firewall > Address and select Create New.
  2. Enter the following:
    Address Name: a name for the address:
      "LocalLAN" for the network behind the FortiGate unit
      "Site2_net" for the network behind the Checkpoint appliance
    Type: Subnet/IP Range
    Subnet/IP Range: the network address and subnet mask:
      192.168.100.0 255.255.255.0 for LocalLAN
      10.185.111.0 255.255.255.0 for Site2_net

  3. Select OK.

To configure using the CLI:

config firewall address
    edit "LocalLAN"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "Site2_net"
        set subnet 10.185.111.0 255.255.255.0
end

Configure a Firewall Virtual IP Pool

The Checkpoint appliance allows remote VPN peers to connect only from IP address 192.168.197.168. Using the FortiGate unit IP Pool feature, you can replace the user's source IP address with the address 192.168.197.168 that is acceptable to the Checkpoint appliance.

To configure using the Web-based Manager:

  1. Go to Firewall > Virtual IP > IP Pool and select Create New.
  2. Enter the following:
    Name: a name for the IP Pool, here Site2-Out
    Interface: the IPSec interface that connects to the remote VPN peer, toSite2
    IP Range/Subnet: the IP address range of the IP Pool, 192.168.197.168

  3. Select OK.

To configure using the CLI:

config firewall ippool
    edit "Site2-Out"
        set endip 192.168.197.168
        set interface "toSite2"
        set startip 192.168.197.168
end

Configure a Firewall Virtual IP address

The Checkpoint appliance permits hosts on its network to connect through the VPN only to IP address 192.168.197.168. Using the FortiGate Virtual IP (VIP) feature, you can translate this address to the address of a server on the network behind the FortiGate unit.

To configure using the Web-based Manager:

  1. Go to Firewall > Virtual IP and select Create New.
  2. Enter the following:
    Name: a name for the virtual IP address, here Static_for_Site2peer
    External Interface: the public interface of the FortiGate unit, port2
    Type: Static NAT
    External IP Address/Range: the external address to be replaced, 192.168.197.168
    Mapped IP Address/Range: the address of the server on the local network, 192.168.100.173

  3. Select OK.

To configure using the CLI:

config firewall vip
    edit "Static_for_Site2peer"
        set extip 192.168.197.168
        set extintf "toSite2"
        set mappedip 192.168.100.173
end

Configure Outgoing Firewall Policy

The outgoing policy allows hosts on the network behind the FortiGate unit to communicate with hosts behind the Checkpoint appliance. The policy uses the IP Pool you created to substitute the source address for one that is acceptable to the Checkpoint appliance.

To configure using the Web-based Manager:

  1. Go to Firewall > Policy and select Create New.
  2. Enter the following and select OK:
    Source Interface/Zone: the interface connected to the local network, port1
    Source Address: the firewall address of the local network, LocalLAN
    Destination Interface/Zone: the virtual IPSec interface that connects to the remote network, toSite2
    Destination Address: the firewall address of the remote network, Site2_net
    Schedule: always
    Service: ANY
    Action: ACCEPT
    NAT: Enable
    Dynamic IP Pool: Enable, and select the IP Pool Site2-Out
    Log Allowed Traffic: Enable

To configure using the CLI:

config firewall policy
    edit 3
        set srcintf "port1"
        set dstintf "toSite2"
        set srcaddr "LocalLAN"
        set dstaddr "Site2_net"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set nat enable
        set ippool enable
        set poolname "Site2-Out"
end

Configure Incoming Firewall Policy

The incoming policy allows communications from the network behind the Checkpoint appliance to the network behind the FortiGate unit. However, the Checkpoint appliance permits its hosts to communicate only to one address: 192.168.197.168. The VIP you defined earlier translates this address to the address of a server on the network behind the FortiGate unit.

To configure using the Web-based Manager:

  1. Go to Firewall > Policy and select Create New.
  2. Enter the following and select OK:
    Source Interface/Zone: the virtual IPSec interface that connects to the remote network, toSite2
    Source Address: the firewall address of the remote network, Site2_net
    Destination Interface/Zone: the interface connected to the local network, port1
    Destination Address: the VIP that maps the fixed destination address used by the Checkpoint appliance to an address on the local subnet, Static_for_Site2peer
    Schedule: always
    Service: ANY
    Action: ACCEPT
    Log Allowed Traffic: Enable

To configure using the CLI:

config firewall policy
    edit 4
        set srcintf "toSite2"
        set dstintf "port1"
        set srcaddr "Site2_net"
        set dstaddr "Static_for_Site2peer"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
end

Configure Routing

Add a static route so that traffic for the network behind the Checkpoint appliance is sent through the virtual IPSec interface toSite2.

To configure using the Web-based Manager:

  1. Go to Router > Static and select Create New.
  2. Enter the following and select OK:
    Destination IP/Mask: the IP address/mask of the remote network, 10.185.111.0/255.255.255.0
    Device: the IPSec interface that connects to the remote network, toSite2

To configure using the CLI:

config router static
    edit 2
        set device "toSite2"
        set dst 10.185.111.0 255.255.255.0
end
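The sections above create objects that must agree with each other: the phase 2 source selector, the IP pool range and the VIP external address must all be 192.168.197.168, each policy must reference existing address objects and the pool, and the static route must send 10.185.111.0/24 into the toSite2 interface. The following Python script, added here as an example and not part of this article or of FortiOS, parses flattened FortiOS CLI fragments like the ones shown above and checks those dependencies. It also flags the DES, 3DES and MD5 proposals and the DH groups 1 and 2 used in this interop example, which current IKE guidance (RFC 8247) deprecates. The SAMPLE_CONFIG embedded in the script is constructed from this article's CLI sections, with the peer address and pre-shared key left as the article's placeholders; the parser handles only the flat, non-nested tables used here.

```python
"""Parse FortiOS CLI fragments and cross-check the objects that an interface-based
IPSec VPN ties together.  Added example, not Fortinet code; SAMPLE_CONFIG is
constructed from the article's CLI sections (peer address and PSK left as placeholders)."""
import shlex
from collections import defaultdict

KEYWORDS = {"config", "edit", "set", "next", "end"}
WEAK_ALGS = {"des", "3des", "md5"}  # deprecated for IKE/ESP by RFC 8247
WEAK_DH = {"1", "2", "5"}           # 768/1024/1536-bit MODP groups

SAMPLE_CONFIG = """
config vpn ipsec phase1-interface edit "toSite2" set interface "port2" set dpd enable set nattraversal enable set dhgrp 2 set proposal des-md5 set keylife 86400 set remote-gw nnn.nnn.nnn.nnn set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX end
config vpn ipsec phase2-interface edit "toSite2_p2" set dhgrp 1 set keepalive enable set phase1name "toSite2" set proposal 3des-md5 set replay enable set src-addr-type ip set dst-subnet 10.185.111.0 255.255.255.0 set src-start-ip 192.168.197.168 end
config firewall address edit "LocalLAN" set subnet 192.168.100.0 255.255.255.0 next edit "Site2_net" set subnet 10.185.111.0 255.255.255.0 end
config firewall ippool edit "Site2-Out" set endip 192.168.197.168 set interface "toSite2" set startip 192.168.197.168 end
config firewall vip edit "Static_for_Site2peer" set extip 192.168.197.168 set extintf "toSite2" set mappedip 192.168.100.173 end
config firewall policy edit 3 set srcintf "port1" set dstintf "toSite2" set srcaddr "LocalLAN" set dstaddr "Site2_net" set action accept set schedule "always" set service "ANY" set logtraffic enable set nat enable set ippool enable set poolname "Site2-Out" end
config firewall policy edit 4 set srcintf "toSite2" set dstintf "port1" set srcaddr "Site2_net" set dstaddr "Static_for_Site2peer" set action accept set schedule "always" set service "ANY" set logtraffic enable end
config router static edit 2 set device "toSite2" set dst 10.185.111.0 255.255.255.0 end
"""

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for flat (non-nested) tables."""
    tokens, tables = shlex.split(text), defaultdict(dict)
    i, table, entry = 0, None, None
    while i < len(tokens):
        tok = tokens[i]
        if tok == "config":                 # table header, e.g. 'firewall vip'
            j = i + 1
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1
            table, i = " ".join(tokens[i + 1:j]), j
        elif tok == "edit":                 # open one entry of the table
            entry = tokens[i + 1]
            tables[table].setdefault(entry, {})
            i += 2
        elif tok == "set":                  # key followed by one or more values
            j = i + 2
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1
            tables[table][entry][tokens[i + 1]] = tokens[i + 2:j]
            i = j
        elif tok == "next":
            entry, i = None, i + 1
        elif tok == "end":
            table, entry, i = None, None, i + 1
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return dict(tables)

def first(entry, key):
    return entry.get(key, [None])[0]

def crypto_warnings(kind, name, entry):
    """Flag proposals and DH groups that current IKE guidance deprecates."""
    out = []
    for prop in entry.get("proposal", []):
        weak = sorted(set(prop.split("-")) & WEAK_ALGS)
        if weak:
            out.append(f"{kind} {name}: proposal {prop} uses deprecated {', '.join(weak)}")
    weak_dh = sorted(set(entry.get("dhgrp", [])) & WEAK_DH)
    if weak_dh:
        out.append(f"{kind} {name}: DH group {', '.join(weak_dh)} is deprecated")
    return out

def check_vpn(cfg):
    """Errors: dangling or inconsistent references. Warnings: deprecated crypto."""
    errors, warnings = [], []
    p1s = cfg.get("vpn ipsec phase1-interface", {})
    pools, vips = cfg.get("firewall ippool", {}), cfg.get("firewall vip", {})
    addr_names = set(cfg.get("firewall address", {})) | set(vips)
    for name, p1 in p1s.items():
        warnings += crypto_warnings("phase1", name, p1)
    for name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        warnings += crypto_warnings("phase2", name, p2)
        p1name = first(p2, "phase1name")
        if p1name not in p1s:
            errors.append(f"phase2 {name}: phase1 {p1name!r} does not exist")
            continue
        # The peer admits one source address: selector, NAT pool and VIP must all carry it.
        src = first(p2, "src-start-ip")
        for pname, pool in pools.items():
            if first(pool, "interface") == p1name and {first(pool, "startip"), first(pool, "endip")} != {src}:
                errors.append(f"ippool {pname}: range is not the selector address {src}")
        for vname, vip in vips.items():
            if first(vip, "extintf") == p1name and first(vip, "extip") != src:
                errors.append(f"vip {vname}: extip is not the selector address {src}")
        dst = p2.get("dst-subnet", [])  # the remote subnet must be routed into the tunnel
        if not any(r.get("dst") == dst and first(r, "device") == p1name
                   for r in cfg.get("router static", {}).values()):
            errors.append(f"phase2 {name}: no static route to {' '.join(dst)} via {p1name}")
    for pid, pol in cfg.get("firewall policy", {}).items():
        for ref in pol.get("srcaddr", []) + pol.get("dstaddr", []):
            if ref not in addr_names and ref != "all":
                errors.append(f"policy {pid}: address {ref!r} is not defined")
        if first(pol, "ippool") == "enable" and first(pol, "poolname") not in pools:
            errors.append(f"policy {pid}: poolname {first(pol, 'poolname')!r} does not exist")
    return {"errors": errors, "warnings": warnings}
```

Calling check_vpn(parse_fortios(SAMPLE_CONFIG)) on the article's configuration returns no errors and four warnings (the two proposals and the two DH groups). Editing the VIP external address, the route's device or a policy's pool name in the sample and re-running reports the broken reference directly, rather than leaving it to be found through a tunnel that negotiates but carries no traffic.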

Related Articles

List of articles about Fortigate IPSec VPN interoperability