I have been trying to set up a site-to-site VPN between a Fortigate 60D and a Juniper SSG140,
but I can't seem to get it working.
I already have an IPsec VPN running between a SonicWall and the Juniper SSG140, and I'm trying to
replace the SonicWall with the Fortigate.
The full details of the settings are in the link below;
as this forum does not allow me to attach more than 1 image, I have consolidated them into a PDF
and shared it from Dropbox.
https://www.dropbox.com/s/6vfkasdkqa4euj1/Site2Site%20VPN.pdf?dl=0
It would be great if you could identify what is missing from my settings.
Thanks!
Sorry, I couldn't read any of those screenshots (too small). Could you share the vpn-cfg as-is on the FGT and any diagnostics? Also, was the VPN working previously with the SonicWall? (I'm assuming yes on that one.)
If you need to redo the Juniper side (you should not need to if it was working previously), Juniper has a VPN configuration tool online that works wonders. I wish Fortinet would offer a similar tool:
http://www.juniper.net/support/tools/vpnconfig/
On the Fortigate, just match the proxy-id and all IPsec and IKE proposals to match the SRX, and rekey the PSK.
PCNSE
NSE
StrongSwan
I appreciate your advice. I uploaded a clearer picture to my Dropbox, which is here: https://www.dropbox.com/sh/c0l6n8m9y43lj51/AADyoO8xxKtTmRLAVj_b6cnfa?dl=0 . I uploaded the config file also. Could you please check and correct me if my setting is wrong? The VPN on the SonicWall is working, yes. For the Juniper site, I don't need to redo it, but the relevant person over there will redo the setting. I did set the same credentials as per the configuration of the Juniper. Thanks a mil for your help.
Thanks & regards,
Myat
Yusaku
I was bored, and here's the matching FGT cfg for a route-based VPN. Just add policies.
config vpn ipsec phase1-interface
    edit "SRX"
        set interface "wan1"
        set dhgrp 2
        set proposal 3des-md5
        set negotiate-timeout 200
        set remote-gw 1.1.1.1
        set psksecret MYSECRETHEREFORPSKVPN
        set dpd disable
    next
end
config vpn ipsec phase2-interface
    edit "SRX-p2"
        set auto-negotiate enable
        set phase1name "SRX"
        set proposal 3des-md5
        set pfs enable
        set dhgrp 2
        set dst-subnet 192.168.222.0 255.255.255.0
        set keylifeseconds 3600
        set src-subnet 192.168.88.10 255.255.255.255
    next
end
config router static
    edit 550
        set device "SRX"
        set dst 192.168.222.0/24
    next
end
PCNSE
NSE
StrongSwan
Thanks
I was replying when you sent that cfg in; I found your problem.
1: you defined a rt-based VPN
2: this requires a route
3: you can fix your problem by installing a static route under router static
(see my sample cfg)
Note: ensure the PSKs are correct
Then you can use diag vpn ike gateway (FGT) and show security ike security-associations (SRX) and confirm layer2.
PCNSE
NSE
StrongSwan
Hi,
Thanks very much for your help. I already added the static route. I ran the two commands as you mentioned above and got the info below. It seems the system can't get the second command.
FGT60D4614000706 # diag vpn ike gateway
vd: root/0
name: Invera
version: 1
interface: wan1 5
addr: 203.126.6.194:500 -> 198.168.207.245:500
created: 5s ago
IKE SA: created 1/1
IPsec SA: created 1/1
id/spi: 639 7e96eb44c19a9cda/0000000000000000
direction: responder
status: connecting, state 3, started 5s ago

FGT60D4614000706 # show security ike security-associations
command parse error before 'security'
Command fail. Return code -61
Since I already created the VPN tunnel, I don't need to create a new one as you mentioned above, right? The PSKs are correct. Did you see any incorrect policies for the VPN?
Thanks & Regards,
Myat
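As an added example, not code from the thread: a small Python parser for the diag vpn ike gateway output shown above that tells a phase 1 that is "established" from one that is still "connecting" and pulls out the two peers. The sample block is constructed from the output in the post.

```python
import re

# Constructed sample, modelled on the `diag vpn ike gateway` output posted
# in this thread (same gateway name and addresses as shown there).
SAMPLE = """\
vd: root/0
name: Invera
version: 1
interface: wan1 5
addr: 203.126.6.194:500 -> 198.168.207.245:500
created: 5s ago
IKE SA: created 1/1
IPsec SA: created 1/1
id/spi: 639 7e96eb44c19a9cda/0000000000000000
direction: responder
status: connecting, state 3, started 5s ago
"""

def parse_ike_gateways(text):
    """Split the command output into one dict per gateway; each record
    starts at a 'vd:' line, and every 'key: value' line is kept as-is."""
    gateways, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*([\w /]+?):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "vd":
            cur = {}
            gateways.append(cur)
        if cur is not None:
            cur[key] = val
    return gateways

def phase1_summary(gw):
    """Return (phase1_up, local_peer, remote_peer, hint). Only a status of
    'established' means IKE phase 1 finished; 'connecting' means the
    exchange is still in progress, which is where a proposal, DH group or
    PSK mismatch with the peer shows up."""
    local, _, remote = gw.get("addr", "").partition(" -> ")
    status = gw.get("status", "")
    up = "established" in status
    if up:
        hint = "phase1 up; check phase2 with 'diag vpn tunnel list'"
    else:
        hint = (f"phase1 not up ({status.split(',')[0]}); as {gw.get('direction')} "
                "the peer started IKE: verify proposals, DH group and PSK match")
    return up, local.rsplit(":", 1)[0], remote.rsplit(":", 1)[0], hint
```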
The 2nd cmd was meant for the SRX:
show security ike security-associations
It looks like your phase1 is up; you can check phase2 on the FGT with
diag vpn tunnel list
and on the SRX/Juniper with
show security ipsec security-associations
After that, it's diagnostics flows if you still have problems. Ensure the firewall policy(s) are correct. Since you're swapping the TZ SonicWall or whatever you have, I highly doubt you need to recfg the SRX branch firewall.
PCNSE
NSE
StrongSwan
Hi, I appreciate your help. The Fortinet 60D is already configured as I mentioned above, but the Juniper site still needs to redo the configuration, and I am also waiting for their confirmation. I will keep you posted again after we test. Thanks again.
Thanks & regards,
Myat
Good to hear. Just like the FGT60D, if you use a route-based VPN on the SRX140, you need a route pointing out your st0.X interface. You should have no problems rebuilding the cfg on the SRX140 using the offline cfg-builder, but if the tunnel was working to the SonicWall, it should work with the FGT60D if the same addresses are re-used.
http://www.juniper.net/support/tools/vpnconfig/
## Begin - VPN Configuration Generator Output
## Interface IP and route for tunnel traffic
set interfaces st0.1 family inet
set routing-options static route 192.168.88.10/32 next-hop st0.1
## Security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone fortigate60d interfaces st0.1
set security zones security-zone untrust host-inbound-traffic system-services ike
## Address book entries for each zone
set security zones security-zone trust address-book address net-cfgrtt_192-168-222-0--24 192.168.222.0/24
set security zones security-zone fortigate60d address-book address net-cfgrtt_192-168-88-10--32 192.168.88.10/32
## IKE policy
set security ike policy ike-policy-cfgrtt mode main
set security ike policy ike-policy-cfgrtt proposal-set compatible
set security ike policy ike-policy-cfgrtt pre-shared-key ascii-text "mykey"
## IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgrtt ike-policy ike-policy-cfgrtt
set security ike gateway ike-gate-cfgrtt address 1.1.1.1
set security ike gateway ike-gate-cfgrtt external-interface ge-0/0/0
set security ike gateway ike-gate-cfgrtt general-ikeid
set security ike gateway ike-gate-cfgrtt version v1-only
## IPsec policy
set security ipsec policy ipsec-policy-cfgrtt proposal-set compatible
## IPsec vpn
set security ipsec vpn ipsec-vpn-cfgrtt ike gateway ike-gate-cfgrtt
set security ipsec vpn ipsec-vpn-cfgrtt ike ipsec-policy ipsec-policy-cfgrtt
set security ipsec vpn ipsec-vpn-cfgrtt bind-interface st0.1
## Advance Settings
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10
set security ipsec vpn ipsec-vpn-cfgrtt establish-tunnels on-traffic
set security ipsec policy ipsec-policy-cfgrtt perfect-forward-secrecy keys group2
## Security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match source-address net-cfgrtt_192-168-222-0--24
set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match destination-address net-cfgrtt_192-168-88-10--32
set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match application any
set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt then permit
## Security policies for tunnel traffic in inbound direction
set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match source-address net-cfgrtt_192-168-88-10--32
set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match destination-address net-cfgrtt_192-168-222-0--24
set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match application any
set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt then permit
The above would be a route-based VPN cfg for a typical SRX. Just modify the outgoing interface, firewall policies and zone names, and possibly the proposal type of compatible, which should be okay for 3des-sha1 w/pfs.
Ken
PCNSE
NSE
StrongSwan
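As an added example (not emnoc's config or anything posted in the thread), a Python check that reproduces the diagnosis made earlier in this thread: it parses a FortiOS config and reports every phase2 selector whose dst-subnet has no static route out of its phase1 tunnel interface. The sample configs are constructed from the FGT cfg posted above, first without the static route and then with it; the parser also accepts the "addr mask" route form that FortiOS normally stores.

```python
from ipaddress import ip_network
# Constructed sample: the route-based FortiGate config posted in this thread,
# trimmed to the keys this check reads and, at first, WITHOUT the static route.
FGT_NO_ROUTE = """\
config vpn ipsec phase1-interface
    edit "SRX"
        set remote-gw 1.1.1.1
    next
end
config vpn ipsec phase2-interface
    edit "SRX-p2"
        set phase1name "SRX"
        set dst-subnet 192.168.222.0 255.255.255.0
    next
end
"""
FGT_ROUTE = """\
config router static
    edit 550
        set device "SRX"
        set dst 192.168.222.0/24
    next
end
"""

def parse_fortios(text):
    """Flat `config <section> / edit <name> / set <key> <value>` -> nested dict."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = raw.replace('"', "").split()
        if tok and tok[0] == "config":
            section = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit" and section is not None:
            entry = section.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
    return cfg

def missing_tunnel_routes(cfg):
    """Route-based tunnels only carry traffic routed into them: each phase2
    dst-subnet needs a static route to that prefix via the phase1 interface.
    Returns [(phase2_name, prefix)] for selectors lacking such a route."""
    routes, missing = cfg.get("router static", {}).values(), []
    for name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        want = ip_network(p2["dst-subnet"].replace(" ", "/"))  # "addr mask" or CIDR
        if not any(r.get("device") == p2.get("phase1name") and
                   ip_network(r.get("dst", "0.0.0.0/0").replace(" ", "/")) == want
                   for r in routes):
            missing.append((name, str(want)))
    return missing
```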