icom
New Member
March 15, 2018
Question

Can I change VPN administrative distance without creating trouble?

  • March 15, 2018
  • 2 replies
  • 22350 views

Hi,

I have problems with creating a site-to-site between a 60E (behind NAT/router) and an old Juniper FW.

The FortiGate is claiming the tunnel is up, and the same for the Juniper, but no traffic is passing.

Last log entry on the Juniper: IKE 85.x.x.x Phase 2 msg ID e17d3fc6: Completed negotiations with SPI 694e0051, tunnel ID 7, and lifetime 3600 seconds/0 KB.

On both FortiGate and Juniper I created firewall policies and added static routes.

Is this about interface administrative distance?

On my FortiGate my VPN interface has a distance of "10" and my 0.0.0.0/0 is set to 5 (WAN1).

Can I change my VPN distance without causing any trouble? I wonder if this is the problem.. that my FortiGate is trying to route through WAN1 and not VPN/IPsec.

    2 replies

    Toshi_Esumi
    SuperUser
    March 15, 2018

    Unless you want to route everything (0/0) into the tunnel, it shouldn't have anything to do with your problem. You must have set more specific static routes into the tunnel.

    You need to sniff traffic on both ends to see where it's going or why it's dropped (flow debug on FortiGate; the Juniper FW probably has a similar capability) if it's dropped somehow.

    ericli_FTNT
    Staff
    March 15, 2018

    icom wrote:

    Hi,

    I have problems with creating a site-to-site between a 60E (behind NAT/router) and an old Juniper FW.

    The FortiGate is claiming the tunnel is up, and the same for the Juniper, but no traffic is passing.

    Last log entry on the Juniper: IKE 85.x.x.x Phase 2 msg ID e17d3fc6: Completed negotiations with SPI 694e0051, tunnel ID 7, and lifetime 3600 seconds/0 KB.

    On both FortiGate and Juniper I created firewall policies and added static routes.

    Is this about interface administrative distance?

    On my FortiGate my VPN interface has a distance of "10" and my 0.0.0.0/0 is set to 5 (WAN1).

    Can I change my VPN distance without causing any trouble? I wonder if this is the problem.. that my FortiGate is trying to route through WAN1 and not VPN/IPsec.

    What did you get from "diag vpn tunnel list"?

    emnoc
    New Member
    March 15, 2018

    I'm a heavy SRX guy ;)

    1: is this a route-based VPN?

    2: do you have an st.tunnel interface on the SRX?

    3: have you applied a route (route-based) on the SRX and FGT for the traffic in the encryption domain?

    4: what are your selector IDs (quad 0s or src/dst specific ......), e.g. 1.1.1.0/24 or 0.0.0.0/0:0?

    5: http://socpuppet.blogspot.com/2013/09/vpn-ikev2-juniper-to-fortigate-routevpn.html

    6: I would run a diag debug flow on the FGT and validate any simple errors (lack of firewall policy, deny, spoof, route lookup)

    dump your config from the FGT/SRX and we can review it

     

    ede_pfau
    SuperUser
    March 15, 2018

    No, the most specific (longest-matching) route is chosen, and the distance is only compared if 2 or more routes are available.

    But you could be right with your assumption that the traffic is routed out of the WAN interface if the route pointing to the tunnel is wrong (mistyped address or wrong netmask). In this case, the default route is the only suitable one and will be followed.
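To make the replies above concrete (Toshi_Esumi's and ede_pfau's point that the longest prefix match, not the distance, decides which route wins, and ericli_FTNT's and emnoc's suggestion to check the tunnel state and run a flow debug), here is an added FortiOS CLI example that is not part of the original thread and is not Fortinet's or the poster's configuration. It assumes a route-based (interface-mode) tunnel named "to-juniper" on wan1, a local LAN of 192.168.10.0/24 on the "internal" interface, a remote LAN of 10.20.0.0/24 behind a Juniper at 203.0.113.1, and the distance values from the question (10 on the tunnel route, 5 on the default). All names and addresses are made-up placeholders; adjust them to the real topology.

```fortios
# Added example, not from the original post. Names and addresses are placeholders.
# Route-based phase1: the tunnel becomes a virtual interface named "to-juniper".
config vpn ipsec phase1-interface
    edit "to-juniper"
        set interface "wan1"
        set ike-version 1
        # The 60E sits behind NAT, so NAT traversal must stay enabled.
        set nattraversal enable
        # Placeholder for the Juniper's public address.
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <pre-shared-key>
    next
end

# Phase2 selectors must mirror the Juniper proxy-IDs exactly. If they do not,
# the SA still negotiates ("tunnel up") but no traffic matches it.
config vpn ipsec phase2-interface
    edit "to-juniper-p2"
        set phase1name "to-juniper"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end

# Static route into the tunnel. A /24 beats the 0.0.0.0/0 default on prefix
# length before distance is ever compared, so distance 10 vs 5 is irrelevant.
# A mistyped route (e.g. 10.2.0.0 instead of 10.20.0.0, or a /32 mask) would
# match nothing, and only the default route would fit: traffic leaves via wan1.
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "to-juniper"
        set distance 10
    next
end

# Policies in both directions. Without the return policy, packets from the
# Juniper side decrypt fine but are then dropped by the FortiGate.
config firewall policy
    edit 0
        set name "lan-to-juniper"
        set srcintf "internal"
        set dstintf "to-juniper"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "juniper-to-lan"
        set srcintf "to-juniper"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verification, using 10.20.0.5 as a placeholder host behind the Juniper:
# 1. Which route the FortiGate actually selects for the remote host.
get router info routing-table details 10.20.0.5
# 2. Phase1 and phase2 state, selectors and the enc/dec packet counters.
diagnose vpn ike gateway list
diagnose vpn tunnel list
# 3. Flow trace while sending traffic from 192.168.10.x to 10.20.0.5.
diagnose debug flow filter addr 10.20.0.5
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... generate the test traffic, then stop the trace:
diagnose debug disable
diagnose debug reset
```

Read the output in this order: if `get router info routing-table details` answers with the wan1 default route instead of "to-juniper", the static route is the bug (ede_pfau's case), and changing the distance would not help. If the route is right, `diagnose vpn tunnel list` tells you which side is failing: rising enc counters with dec stuck at 0 means the FortiGate is encrypting and sending but nothing comes back, so look at the Juniper's proxy-IDs and its route to 192.168.10.0/24; rising dec counters with no reply on the LAN points at the return policy or a reverse-path check, which the flow trace will name explicitly.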