claumakurumure
New Contributor III

IPSEC VPN Between a Fortigate and Juniper

Hi all, I have configured a FortiGate IPsec site-to-site with a Juniper; it's a deadlock at the moment. The tunnel is not coming up at all. It looks like phase I is completing OK, but not phase II. Please let me know if there are special areas that I should look at. I manage the FortiGate and the other guy manages the Juniper; we are both convinced everything is OK on our sides. The VPN is policy based. Regards, C
hezvo uko
emnoc
Esteemed Contributor III

Is the Juniper policy or route based? I would go over the cfgs with a fine-tooth comb on both sides, more so if the Juniper admin is unsure. Nothing special between the 2; just validate the proposals between the 2.

PCNSE NSE StrongSwan
abelio
SuperUser

Please let me know if there are special areas that I should look at I manage Fortigate and the other guy manages Juniper we are both convinced everything is ok on our sides.
Debug at both sides and share that info. If you're running FortiOS 3.x, use the CLI commands:

diag debug application ike -1 <IP_juniper_peer>
diag debug enable

At the Juniper's side, these CLI commands are your friends:

get sa
debug ike detail
undebug all
get dbuf stream

regards / Abel
__PAT__
New Contributor

Hi everyone, if you look over the KB from Fortinet, the last part asks me to create a rule:

To configure firewall policies
1. Go to Policy > Policies.
2. Enter the following, then select OK:
   From: Trust
   To: Untrust
   Name: A name for the policy, Site1toSite2 for example.
   Service: ANY
   Action: Permit
3. Go to Policy > Policies.
4. Enter the following, then select OK:
   From: Untrust
   To: Trust
   Name: A name for the policy, Site2toSite1 for example.
   Service: ANY
   Action: Permit

Doesn't make sense to me. I'm allowing all untrusted to trust and vice versa?
emnoc
Esteemed Contributor III

Yes, that's normal. Somewhere in your cfg you identified your local LAN and remote subnet (VPN) and tied these to Trust & Untrust, e.g.

set address Trust "inside" 172.16.10.253 255.255.255.0
set address Trust "internal" 172.16.10.0 255.255.255.0
set address Untrust "192.168.254.0/24" 192.168.254.0 255.255.255.0
set ike p1-proposal "AA" preshare group2 esp 3des md5
set ike p2-proposal "bb" group2 esp 3des md5 second 3600
set ike gateway "vyatta-test" address 216.25x.xx.34 Main outgoing-interface "untrust" preshare "qI/Vuv33NVXQNms58RC+N1PhJ/nZGmQFEw==" proposal "AA" "AA"
set ike respond-bad-spi 1
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "vyatta" gateway "vyatta-test" no-replay tunnel idletime 0 proposal "bb"
set vpn "vyatta" monitor
set vpn "vyatta" id 1 bind interface tunnel.1
set url protocol sc-cpa
exit
set vpn "vyatta" proxy-id local-ip 172.16.10.0/24 remote-ip 192.168.254.0/24 "ANY"
set policy id 36 name "local-mia2" from "Trust" to "Untrust" "internal" "192.168.254.0/24" "ANY" permit log
set policy id 36
exit
set policy id 35 name "mia2" from "Untrust" to "Trust" "192.168.254.0/24" "internal" "ANY" permit log
set policy id 35
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit

So you still need a fw policy allowing this traffic to go both ways. Do a "get ike" and "get sa", and for validation of the fw policy "get policy". You still will need a fw policy for the VPN to work.

PCNSE NSE StrongSwan
__PAT__
New Contributor

Hey, thanks for the great post. If I gave you the correct IPs, do you think you could modify your config just so I can really grasp it?

Local (behind Juniper): 10.110.10.0/24
Local (external IP of Juniper): 24.300.12.23
DR site (behind FG110C): 192.168.90.23/255.255.255.255 (yes, only one device)
DR site (external): 38.108.34.100 (this is the FG110C external IP)

Thanks a million!
emnoc
Esteemed Contributor III

# define your networks; I always place these as Trust (my internals) and Untrust (any other networks)
#
# (inside network)
set address Trust "inside" 10.110.10.0 255.255.255.0
#
# (remote LAN: a single host, so the address followed by a /32 mask)
set address Untrust "192.168.90.23" 192.168.90.23 255.255.255.255
#
# optional, but I create various proposals and define these in my p1/p2 cfg
#
# (this line says proposal AA = PSK, DH-grp=2, esp-3des, md5)
set ike p1-proposal "AA" preshare group2 esp 3des md5
#
# (this line states p2 proposal name=bb, DH-grp=2, esp-3des with md5, SA time 3600 secs)
set ike p2-proposal "bb" group2 esp 3des md5 second 3600
#
# Now define the gw with a name and the remote address
set ike gateway "theothervpn-gw" address 38.108.34.100 Main outgoing-interface "untrust" preshare "your-psk-here" proposal "AA" "AA"
# (replace the psk with your key that matches the remote; define the right proposals)
#
# you might want to read up on vpn monitor, but it should not be required in your case
set vpn "vpn01" gateway "theothervpn-gw" no-replay tunnel idletime 0 proposal "bb"
set vpn "vpn01" monitor
set vpn "vpn01" id 1 bind interface tunnel.1
#
# define the proxy-id space, IT MUST MATCH; I've had zero luck with 0.0.0.0/0, so define the left & right subnet here
# (remote-ip is the single DR host, /32, the same object as the Untrust address above)
set vpn "vpn01" proxy-id local-ip 10.110.10.0/24 remote-ip 192.168.90.23/32 "ANY"
#
# lastly define your fwpolicy for allowance of the traffic
# (do a get policy and use new policy ID numbers)
# (source and destination are the address-book names defined above: Trust->Untrust is "inside" to the remote host, Untrust->Trust the reverse)
set policy id 36 name "fw1" from "Trust" to "Untrust" "inside" "192.168.90.23" "ANY" permit log
set policy id 35 name "fw1-other" from "Untrust" to "Trust" "192.168.90.23" "inside" "ANY" permit log

Keynotes from the Juniper side of things:

get config | inc vpn
get ike
get sa
get vpn
get policy

All of the above commands are your friends on the Juniper SSG. Make sure you do not set encryption on your fw policy in this case; that would be the same as a policy-based VPN in FortiGate terms.

You will notice FGT & SSG are not that much different after you do about a dozen or so. FGT is just a better Juniper imho. I'm not going to go thru the FGT side of the config. You should use any one of the numerous examples found on this forum, the internet or the KB. Keynotes from the FGT side of things: make sure you set a static route if you're using VPN interfaces, match FGT proxy-IDs to the Juniper SSG, match p1/p2 proposals or provide proposals that match the other side, and double check your fw policies.

diag vpn ike status
diag vpn tunnel stat
diag vpn tunnel list "id or name"

All of the above are great debug commands for the FGT. If you need help, I could possibly help you if you provide me a door in.

PCNSE NSE StrongSwan
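Both of emnoc's posts above come down to the same point: phase 1 can complete on a shared secret and matching p1 proposal while phase 2 still fails because the ScreenOS proxy-id and the FortiGate phase 2 selectors (and their p2 proposals) do not mirror each other exactly. The script below is an added example, not from this thread, Fortinet or Juniper: it parses a constructed ScreenOS `set ike p2-proposal` / `set vpn ... proxy-id` pair and a constructed FortiGate `config vpn ipsec phase2` entry using the addressing discussed in the thread, and reports every parameter that does not mirror. The SSG `remote-ip 192.168.90.23/24` is deliberately a host address with a /24 mask, the kind of single-host-versus-subnet slip that keeps phase 2 from coming up. Names, addresses and the PSK-free snippets are constructed; the parsers only understand the shape of config shown.

```python
"""Added example: check that IPsec phase-2 selectors and proposals mirror
between a ScreenOS (SSG) proxy-id and a FortiGate phase2 entry.
Constructed config, not taken from any real device."""
import ipaddress
import shlex

# Constructed ScreenOS lines; the remote-ip mask (/24 on a single host) is deliberately wrong.
SCREENOS_CFG = """
set ike p2-proposal "bb" group2 esp 3des md5 second 3600
set vpn "vpn01" gateway "theothervpn-gw" no-replay tunnel idletime 0 proposal "bb"
set vpn "vpn01" proxy-id local-ip 10.110.10.0/24 remote-ip 192.168.90.23/24 "ANY"
"""

# Constructed FortiGate phase2 entry for the other end of the same tunnel.
FORTIGATE_CFG = """
config vpn ipsec phase2
    edit "vpn01-p2"
        set phase1name "vpn01"
        set proposal 3des-md5
        set pfs enable
        set dhgrp 2
        set keylifeseconds 3600
        set src-subnet 192.168.90.23 255.255.255.255
        set dst-subnet 10.110.10.0 255.255.255.0
    next
end
"""


def parse_screenos(cfg):
    """Return ({proposal name: params}, {vpn name: selectors and proposal})."""
    proposals, vpns = {}, {}
    for line in cfg.strip().splitlines():
        tok = shlex.split(line)
        if tok[:3] == ["set", "ike", "p2-proposal"]:
            # set ike p2-proposal <name> <groupN|no-pfs> esp <enc> <auth> second <secs>
            dh = tok[4]
            proposals[tok[3]] = {
                "dhgrp": dh[len("group"):] if dh.startswith("group") else None,
                "enc": tok[6],
                "auth": tok[7],
                "life": int(tok[tok.index("second") + 1]),
            }
        elif tok[:2] == ["set", "vpn"]:
            entry = vpns.setdefault(tok[2], {})
            if "proxy-id" in tok:
                # strict=False keeps a host-bits-set mistake visible instead of raising
                entry["local"] = ipaddress.ip_network(tok[tok.index("local-ip") + 1], strict=False)
                entry["remote"] = ipaddress.ip_network(tok[tok.index("remote-ip") + 1], strict=False)
            if "proposal" in tok:
                entry["proposal"] = tok[tok.index("proposal") + 1]
    return proposals, vpns


def parse_fortigate_phase2(cfg):
    """Return the parameters of a single 'config vpn ipsec phase2' entry."""
    p2 = {}
    for line in cfg.strip().splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or tok[0] != "set":
            continue
        key = tok[1]
        if key in ("src-subnet", "dst-subnet"):
            # FortiOS writes 'set src-subnet <ip> <mask>'
            p2[key] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif key == "proposal":
            # several proposals may be offered, e.g. 3des-md5 aes128-sha1
            p2["proposals"] = [tuple(p.split("-", 1)) for p in tok[2:]]
        elif key == "pfs":
            p2["pfs"] = tok[2]
        elif key == "dhgrp":
            p2["dhgrp"] = tok[2]
        elif key == "keylifeseconds":
            p2["life"] = int(tok[2])
    return p2


def check_phase2(screenos_cfg, fortigate_cfg, vpn_name):
    """List every phase-2 parameter that does not mirror between the two ends."""
    proposals, vpns = parse_screenos(screenos_cfg)
    ssg = vpns[vpn_name]
    ssg_prop = proposals[ssg["proposal"]]
    fgt = parse_fortigate_phase2(fortigate_cfg)
    findings = []
    # Selectors are mirrored: the SSG local-ip is the FortiGate dst-subnet and vice versa.
    if ssg["local"] != fgt["dst-subnet"]:
        findings.append(f"proxy-id local-ip {ssg['local']} != FGT dst-subnet {fgt['dst-subnet']}")
    if ssg["remote"] != fgt["src-subnet"]:
        findings.append(f"proxy-id remote-ip {ssg['remote']} != FGT src-subnet {fgt['src-subnet']}")
    if (ssg_prop["enc"], ssg_prop["auth"]) not in fgt["proposals"]:
        findings.append(f"SSG esp {ssg_prop['enc']}/{ssg_prop['auth']} not offered by FGT {fgt['proposals']}")
    # FortiGate only sends a DH group in phase 2 when PFS is enabled.
    fgt_dh = fgt.get("dhgrp") if fgt.get("pfs") == "enable" else None
    if ssg_prop["dhgrp"] != fgt_dh:
        findings.append(f"PFS group mismatch: SSG {ssg_prop['dhgrp']} vs FGT {fgt_dh}")
    if ssg_prop["life"] != fgt["life"]:
        findings.append(f"SA lifetime mismatch: SSG {ssg_prop['life']}s vs FGT {fgt['life']}s")
    return findings


if __name__ == "__main__":
    for finding in check_phase2(SCREENOS_CFG, FORTIGATE_CFG, "vpn01") or ["phase 2 parameters mirror"]:
        print(finding)
```

Run as-is it reports one finding, the remote proxy-id parsed as 192.168.90.0/24 against the FortiGate's 192.168.90.23/32; change the SSG line to `remote-ip 192.168.90.23/32` and it reports nothing. Compare the output against `get sa` on the SSG and `diag vpn tunnel list` on the FGT, which show the selectors each box actually installed rather than what was typed.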
__PAT__
New Contributor

I'm going to give it a shot sometime today and let you know. Thank you so much for this; I really appreciate it!