Introduction
This article describes how to configure an IPSec VPN on a FortiGate unit to work with a Juniper Networks Secure Services Gateway (SSG). The example shown here is route-based, but a policy-based VPN is also possible.
Components
- FortiGate unit running FortiOS v3.0 firmware, MR5 or later
- Juniper Networks SSG with firmware version 6.0.0r3.0

Prerequisites
- The FortiGate unit and the Juniper SSG unit must be in NAT mode.

Configure FortiGate VPN Phase 1
To configure using the Web-based Manager
- Go to VPN > IPSec > Auto-Key and select Phase 1.
- Enter the following:
    Name: the VPN name, toSSG, for example
    Remote Gateway: Static IP Address
    IP Address: the public IP address of the Juniper appliance, 172.30.69.108, for example
    Local Interface: the interface that connects to the remote VPN, WAN1
    Mode: Main (default)
    Authentication Method: Preshared Key
    Pre-shared Key: the same preshared key configured on the Juniper appliance
- Select Advanced and enter the following:
    Enable IPSec Interface Mode: Enable
    P1 Proposal: 1 - Encryption 3DES, Authentication SHA1 (default); delete proposal 2
    DH Group: 2
    Keylife: 28800
    Nat-traversal: Enable
    Dead Peer Detection: Enable
- Select OK.
To configure using the CLI
Using the example configuration, enter the following commands:
    config vpn ipsec phase1-interface
        edit "toSSG"
            set interface wan1
            set dpd enable
            set dhgrp 2
            set proposal 3des-sha1
            set keylife 28800
            set nattraversal enable
            set remote-gw 172.30.69.108
            set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    end

Configure FortiGate VPN Phase 2
To configure using the Web-based Manager
- Go to VPN > IPSec > Auto-Key and select Phase 2.
- Enter the following:
    Name: a name for the VPN Phase 2 configuration, Tunnel-FG-SSG, for example
    Phase 1: the Phase 1 configuration name, toSSG
- Select Advanced and enter the following:
    P2 Proposal: 1 - Encryption 3DES, Authentication SHA1; delete proposal 2
    Enable replay detection: Enable
    Enable perfect forward secrecy: Enable
    DH Group: 2
    Keylife: 1800 seconds
    Autokey Keep Alive: Disable
- Select OK.
To configure using the CLI
Using the example configuration, enter the following commands:
    config vpn ipsec phase2-interface
        edit Tunnel-FG-SSG
            set dhgrp 2
            set keepalive disable
            set phase1name toSSG
            set proposal 3des-sha1
            set pfs enable
            set replay enable
            set keylife-type seconds
            set keylifeseconds 1800
    end

Configure FortiGate Firewall Addresses
Create firewall addresses for the private networks at either end of the VPN.
To configure using the Web-based Manager
- Go to Firewall > Address and select Create New.
- Enter the following:
    Address Name: a name for the address, for example "LocalLAN" for the network behind the FortiGate unit and "Site2_net" for the network behind the Juniper appliance
    Type: Subnet/IP Range
    Subnet/IP Range: the network address and subnet mask, for example "10.10.10.0 255.255.255.0" for LocalLAN and "192.168.2.0 255.255.255.0" for Site2_net
- Select OK.
To configure using the CLI
Using the example configuration, enter the following commands:
    config firewall address
        edit "LocalLAN"
            set subnet 10.10.10.0 255.255.255.0
        next
        edit "Site2_net"
            set subnet 192.168.2.0 255.255.255.0
    end

Configure FortiGate Outgoing Firewall Policy
The outgoing policy allows hosts on the network behind the FortiGate unit to communicate with hosts behind the Juniper appliance.
To configure using the Web-based Manager
- Go to Firewall > Policy and select Create New.
- Enter the following and select OK:
    Source Interface/Zone: the interface connected to the local network, internal
    Source Address: the firewall address of the local network, LocalLAN
    Destination Interface/Zone: the interface that connects to the remote network, toSSG
    Destination Address: the firewall address of the remote network, Site2_net
    Schedule: always
    Service: ANY
    Action: ACCEPT
To configure using the CLI
Using the example configuration, enter the following commands:
    config firewall policy
        edit 1
            set srcintf internal
            set srcaddr LocalLAN
            set dstintf toSSG
            set dstaddr Site2_net
            set action accept
            set schedule always
            set service ANY
    end
To prevent unencrypted data from leaving the FortiGate unit when the tunnel fails, refer to the KB article "FortiOS: Protecting data for multiple subnets when IPSec Tunnel Fails".
Configure FortiGate Incoming Firewall Policy
The incoming policy allows hosts on the network behind the Juniper appliance to communicate with hosts behind the FortiGate unit.
To configure using the Web-based Manager
- Go to Firewall > Policy and select Create New.
- Enter the following and select OK:
    Source Interface/Zone: the interface that connects to the remote network, toSSG
    Source Address: the firewall address of the remote network, Site2_net
    Destination Interface/Zone: the interface connected to the local network, internal
    Destination Address: the firewall address of the local network, LocalLAN
    Schedule: always
    Service: ANY
    Action: ACCEPT
To configure using the CLI
Using the example configuration, enter the following commands:
    config firewall policy
        edit 2
            set srcintf toSSG
            set srcaddr Site2_net
            set dstintf internal
            set dstaddr LocalLAN
            set action accept
            set schedule always
            set service ANY
    end

Configure Juniper SSG interfaces
The Juniper SSG appliance is configured using its WebUI. Refer to the Juniper documentation for detailed information.
To configure Juniper SSG interfaces
- Go to Network > Interfaces.
- Select Edit for the interface that connects to the LAN.
- Enter the following:
    Zone Name: Trust
    Static IP: select
    IP Address/Netmask: the address of the interface that connects to the LAN, 192.168.2.99, for example
- Select Apply.
- Select Interface Mode NAT and then select OK.
- Go to Network > Interfaces.
- Select Edit for the interface that connects to the remote VPN gateway.
- Enter the following:
    Zone Name: Untrust
    Static IP: select
    IP Address/Netmask: the address of the remote VPN gateway, 202.85.110.138, for example
- Select Apply.
- Select Interface Mode NAT and then select OK.
To configure the Juniper SSG tunnel interface
- Go to Network > Interfaces.
- Select Tunnel IF and then select New.
- Enter the following and select Apply:
    Tunnel Interface Name: a name, tunnel.1, for example
    Zone (VR): select Untrust (trust-vr)
    Unnumbered: select
    Interface: the interface that connects to the remote VPN gateway, ethernet3, for example

Configure Juniper SSG VPN settings
To configure the Juniper SSG VPN
- Go to VPNs > AutoKey Advanced > Gateway and select New.
- Enter the following and select OK:
    Gateway Name: a name, toFortiGate, for example
    Security Level: Custom
    Remote Gateway Type: Static IP Address
    Static IP Address: the FortiGate unit VPN gateway address, 172.16.110.138
    Preshared Key: the same preshared key value as configured on the FortiGate unit
- Select Advanced.
- Enter the following and select Return:
    Security Level: Custom
    Phase 1 Proposal: 3des-sha
    Mode (Initiator): Main (ID Protection)

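As an added example (not Fortinet or Juniper code), the following Python script parses the FortiGate Phase 1 and Phase 2 CLI from the sections above and compares it with the values entered on the SSG, flagging proposal, DH group and PFS mismatches, a common reason a tunnel never negotiates. The SSG Phase 1 proposal 3des-sha is taken from the table above; the SSG DH group, PFS group and Phase 2 proposal are assumed values for the example.

```python
"""Added example (not Fortinet or Juniper code): parse the article's FortiGate phase1/phase2
CLI and compare it with the SSG-side IKE settings to catch proposal, DH group and PFS mismatches."""
# FortiGate CLI as given in the article (PSK and lifetime lines omitted); constructed input.
FORTIGATE_CLI = """config vpn ipsec phase1-interface
    edit "toSSG"
        set dhgrp 2
        set proposal 3des-sha1
end
config vpn ipsec phase2-interface
    edit "Tunnel-FG-SSG"
        set dhgrp 2
        set phase1name toSSG
        set proposal 3des-sha1
        set pfs enable
end"""
# SSG side: the "3des-sha" Phase 1 proposal is from the article; the other values are assumed.
SSG = {"p1_proposal": "3des-sha", "p1_dhgrp": 2, "p2_proposal": "3des-sha", "p2_pfs_group": 2}

def parse_fortios(cli):
    """Turn config/edit/set lines into {table: {entry: {key: value}}}."""
    out, table, entry = {}, None, None
    for line in (raw.strip() for raw in cli.splitlines()):
        if line.startswith("config "):
            out[(table := line[7:])] = {}
        elif line.startswith("edit "):
            out[table][(entry := line[5:].strip('"'))] = {}
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            out[table][entry][key] = value.strip('"')
    return out

def canon(proposal):
    """Normalise hash names so 3des-sha1 (FortiOS) equals 3des-sha (ScreenOS)."""
    enc, _, hsh = proposal.partition("-")
    return enc, hsh.rstrip("1")

def check(cli, ssg):
    """Return mismatch descriptions; an empty list means both sides agree."""
    cfg = parse_fortios(cli)
    p2 = next(iter(cfg["vpn ipsec phase2-interface"].values()))
    p1 = cfg["vpn ipsec phase1-interface"].get(p2["phase1name"])
    if p1 is None:
        return ["phase2 references unknown phase1 " + p2["phase1name"]]
    pfs = int(p2["dhgrp"]) if p2.get("pfs") == "enable" else 0
    pairs = [("P1 proposal", canon(p1["proposal"]), canon(ssg["p1_proposal"])),
             ("P1 DH group", int(p1["dhgrp"]), ssg["p1_dhgrp"]),
             ("P2 proposal", canon(p2["proposal"]), canon(ssg["p2_proposal"])),
             ("P2 PFS group", pfs, ssg["p2_pfs_group"])]
    return ["%s: FortiGate %s vs SSG %s" % r for r in pairs if r[1] != r[2]]
```

Run check(FORTIGATE_CLI, SSG) after editing either side; any line it returns names a parameter that must be aligned before the tunnel will come up.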
Configure Juniper SSG routing
You need to configure routing to send and receive traffic for the remote private network through the VPN tunnel.
To configure the routes for VPN traffic
- Go to Network > Routing > Routing Entries > trust-vr.
- Enter the following and select OK:
    Network Address/Netmask: 0.0.0.0/0
    Gateway Interface: the interface that connects to the remote VPN gateway, ethernet3, for example
    Gateway IP Address: the IP address of the remote gateway, 172.16.110.138, for example
- Go to Network > Routing > Routing Entries > trust-vr.
- Enter the following and select OK:
    Network Address/Netmask: the address of the remote LAN, 192.168.2.0/24, for example
    Gateway Interface: the tunnel interface, tunnel.1, for example
    Gateway IP Address: 0.0.0.0

Configure Juniper SSG firewall policies
To configure firewall addresses
- Go to Policy > Policy Elements > Addresses > List > New.
- Enter the following, then select OK:
    Address Name: a name for the local LAN, Site1_LAN, for example
    IP Address: the IP address for the local LAN, 10.10.10.254/24, for example
    Zone: Trust
- Go to Policy > Policy Elements > Addresses > List > New.
- Enter the following, then select OK:
    Address Name: a name for the remote LAN, Site2_LAN, for example
    IP Address: the IP address for the remote LAN, 192.168.2.0/24, for example
    Zone: Untrust
To configure firewall policies
- Go to Policy > Policies.
- Enter the following, then select OK:
    From: Trust
    To: Untrust
    Name: a name for the policy, Site1toSite2, for example
    Service: ANY
    Action: Permit
- Go to Policy > Policies.
- Enter the following, then select OK:
    From: Untrust
    To: Trust
    Name: a name for the policy, Site2toSite1, for example
    Service: ANY
    Action: Permit

Test the VPN from the FortiGate unit
- Configure the ping function to originate from the Internal interface:
    execute ping-options source 10.10.10.6
- Ping the private network behind the Juniper SSG unit:
    exec ping 192.168.2.99

Test the VPN from the Juniper SSG unit
- Ping the private network behind the FortiGate unit:
    ping 10.10.10.6 from ethernet0/0
- Type the escape sequence to end.

Troubleshooting
There are several tools available to troubleshoot VPNs:
VPN monitors
- VPN > Monitor on the FortiGate unit.
- VPNs > Monitor Status on the Juniper SSG unit.
Event Logs
- Log&Report > Log Access on the FortiGate unit.
- Reports > System Log > Event on the Juniper SSG unit.
Diagnostic commands
- FortiGate unit: diag vpn tunnel list
- Juniper SSG: get sa