I am trying to create an IPSEC VPN from our Fortigate to a Juniper.
On the Fortigate side I have no access to the CLI as it is managed by a third party. I have asked them to look into it but the response may be slow.
On the Juniper side, it is again managed by a third party and I have no access.
We have matching algorithms etc and this is the output from the Juniper:
```
set security ike proposal IKE-PROP1 authentication-method pre-shared-keys
set security ike proposal IKE-PROP1 dh-group group5
set security ike proposal IKE-PROP1 authentication-algorithm sha1
set security ike proposal IKE-PROP1 encryption-algorithm 3des-cbc
set security ike proposal IKE-PROP1 lifetime-seconds 86400
```
However, the tunnel does not come up. The only log I can see in the Fortigate GUI constantly repeats:
08:16:49 negotiate success progress IPsec phase 1
but it never passes Stage 1 of P1.
Any suggestions why we are not getting past Stage 1 P1?
Well, if you don't have access, then your 3rd party is trying to create the VPN.
So what type of VPN (route or policy)?
Looking at what you posted for the SRX, that cfg is not complete and is not going to work. You can follow a post/blog series that's over 4+ years old that gives a detailed view of how it should look from the SRX
https://forum.fortinet.com/tm.aspx?m=102446
and to understand proposals and proposal-sets
http://socpuppet.blogspot.com/2014/12/juniper-proposal-sets-ikeipsec.html
On the fortios side define a std cisco-wizard for site2site and set the proxy-ids for the src/dst-subnets and a route and policy.
Ken Felix
PCNSE
NSE
StrongSwan
In the end it worked after I disabled NAT Traversal and enabled Autokey Keep Alive.
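When neither side's CLI is reachable, the "matching algorithms" claim in the question can be checked mechanically from exported config text. The following is an added example, not code from the thread or from either vendor: it parses the Juniper IKE proposal quoted in the question and compares it with FortiOS phase 1 `set` lines. The FortiGate lines are constructed (the thread never shows that side's config), and the function names are hypothetical.

```python
import re

# Juniper proposal exactly as quoted in the question.
JUNIPER = """\
set security ike proposal IKE-PROP1 authentication-method pre-shared-keys
set security ike proposal IKE-PROP1 dh-group group5
set security ike proposal IKE-PROP1 authentication-algorithm sha1
set security ike proposal IKE-PROP1 encryption-algorithm 3des-cbc
set security ike proposal IKE-PROP1 lifetime-seconds 86400
"""

# Constructed FortiOS phase 1 lines (assumption: not shown anywhere on the page).
FORTIGATE = """\
set authmethod psk
set proposal 3des-sha1
set dhgrp 5
set keylife 86400
"""

def parse_juniper(text, name):
    """Return the single value the SRX proposal offers for each parameter."""
    pat = rf"^set security ike proposal {re.escape(name)} (\S+) (\S+)\s*$"
    raw = dict(re.findall(pat, text, re.M))
    # Juniper writes 3des-cbc / sha-256; FortiOS writes 3des / sha256.
    norm = lambda v: v.replace("-cbc", "").replace("-", "")
    auth = raw.get("authentication-method", "")
    return {
        "auth": {"pre-shared-keys": "psk"}.get(auth, auth),
        "cipher": norm(raw.get("encryption-algorithm", "")) + "-"
                  + norm(raw.get("authentication-algorithm", "")),
        "dh": raw.get("dh-group", "").replace("group", ""),
        "life": raw.get("lifetime-seconds", ""),
    }

def parse_fortigate(text):
    """Return the set of values FortiOS accepts for each parameter."""
    raw = {k: v.split() for k, v in re.findall(r"^\s*set (\S+) (.+?)\s*$", text, re.M)}
    keys = {"auth": "authmethod", "cipher": "proposal", "dh": "dhgrp", "life": "keylife"}
    return {k: set(raw.get(v, [])) for k, v in keys.items()}

def mismatches(juniper, fortigate):
    """Parameters where the Juniper value is not among the FortiGate values."""
    return sorted(k for k, v in juniper.items() if v not in fortigate.get(k, set()))

if __name__ == "__main__":
    print(mismatches(parse_juniper(JUNIPER, "IKE-PROP1"), parse_fortigate(FORTIGATE)) or "proposals match")
```

An empty result is consistent with how the thread ended: the proposal was not the problem, and the tunnel came up after the NAT Traversal and keepalive settings were changed.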