Fullmoon
New Member
February 12, 2015
Question

ospf vpn fortigate -juniper

  • February 12, 2015
  • 4 replies
  • 17879 views

Pretty sure everyone has already done a site-to-site VPN between a Juniper (small box) and a FortiGate.

Here's my problem: the VPN in interface mode is working fine; however, when we tried to set up the IPsec VPN via OSPF we can't see OSPF in the routing monitor. Hope anyone here could post a working config/screenshot of the Juniper and FortiGate. Thanks.

    4 replies

    ashukla_FTNT
    Staff
    February 12, 2015

    Is the OSPF neighborship coming up?

    Check the MTU of the VPN interface on our side and on the Juniper side (mostly our side will be 1436).

    I believe you are running OSPF over IPsec.


    emnoc
    New Member
    February 12, 2015

    The diag debug flow is your friend.

    Also, just like with the FortiGate, we are assuming the Juniper is in interface mode. Have you done a diag sniffer on the FGT and a traceoptions on the SRX?

     

    e.g.

      set security flow traceoptions file mybadtunnel
      set security flow traceoptions flag basic-datapath
      set security flow traceoptions packet-filter MatchTraffic source-prefix x.x.x.x/32 destination-prefix y.y.y.y/32
      commit

    ( x.x.x.x <> y.y.y.y would be your tunnel-assigned addresses for the OSPF neighbors )

     

    and then review the trace:

        show log mybadtunnel

    You can get creative and execute a shell and use tcpdump on the st.X interface also ;)

    Make sure you have defined the OSPF area and neighbors correctly. These should be configured as pt2pt vs. multiaccess.

    Ken


    Fullmoon (Author)
    New Member
    February 17, 2015

    Hi folks, apologies for the late update. Here's the OSPF config of the FortiGate and the Juniper settings. The IPsec VPN is working properly.

    Fullmoon (Author)
    New Member
    February 17, 2015

    Juniper OSPF

    emnoc
    New Member
    February 17, 2015

    OP, you really need to get a packet capture/traceoptions on multicast group 224.0.0.5. If the hello/dead time/MTU/auth/OSPF type are mismatched, then it will clearly be present in the pcap.

    On the FortiGate you can't set the MTU on an interface-IPsec. On the Juniper I would start by looking at the interface MTU:

     

    show interfaces <name> extensive

     

    and run a trace

     

    set protocols ospf traceoptions file myospf
    set protocols ospf traceoptions flag all

     

    But you need to get a pcap or trace; that would be your best bet for double-checking whether you have any of the above mismatches.

     

     

     

    ashukla_FTNT
    Staff
    February 17, 2015

    The following steps are required:

     

    On FortiGate:

    1) Make sure you are using 0.0.0.0 source and 0.0.0.0 destination quick mode selectors in the VPN.

    2) Give an IP to the tunnel interface:

         config system interface
             edit "(name of the tunnel interface to juniper)"
                 set ip 192.168.1.1 255.255.255.252
                 set allowaccess ping https ssh
                 set type tunnel
                 set remote-ip 192.168.1.2    (This IP should be assigned on the Juniper tunnel interface)
             next
         end

    3) It is better to ignore MTU for OSPF (if it is difficult to match the MTU on both sides):

         config router ospf
             config ospf-interface
                 edit "xxx"
                     set interface "name of tunnel interface"
                     set mtu-ignore enable
                     set network-type point-to-point
                 next
             end
         end

     

    On Juniper:

    1) Quick mode selector is 0.0.0.0

    2) st interface IP is set to 192.168.1.2/255.255.255.252

    3) mtu-ignore enabled under OSPF

    4) Make sure host-inbound-traffic on the zone allows either all or OSPF

     

    If you still face the problem:

    get router info ospf neighbor
    diagnose ip router ospf all enable
    diag debug enable

    Run similar traceoptions on the SRX.

    Though I am pretty sure if you configure the above, OSPF should work.

    Also, the reason we have to use 0.0.0.0 as the quick mode selector is that the OSPF packet will arrive on the FortiGate with the source IP being the tunnel interface IP of the Juniper, which will not be part of the quick mode selector, so it will get dropped by flow.

    Juniper doesn't care about it though.


    Fullmoon (Author)
    New Member
    February 18, 2015

    Kudos to ashukla and to the rest of the Forti experts for sharing their ideas. OSPF is now working ;)