I have been trying to setup Site to Site VPN between Forigate 60D and Juniper SSG140
but i can seem to get it working.
i already have a IPSec VPN Running using SonicWall <-> Juniper SSG140 and im trying to
replace the SonicWall with Fortigate.
the full details of settings is in the link below,
as this forum does not allow me to attach more than 1 image. i have consolidated into a PDF
and shared out from dropbox.
https://www.dropbox.com/s/6vfkasdkqa4euj1/Site2Site%20VPN.pdf?dl=0
it would be great if you can identify what is missing from my setting.
Thanks!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Sorry I couldn't read any of those screen shots , too small ).Could your share the vpn-cfg as-is on the FGT & any diagnostics? Also was the vpn working previous to the sonicwall ( I'm assuming yes on that one )
if you need to redoe the juniper sie ( you should not need to if it was working previously), Juniper has a VPN configuration tool online that works wonders. I wish fortinet would offer a similar tool
[link]http://www.juniper.net/support/tools/vpnconfig/[/link]
On the fortogate, just match the proxy-id, and all ipsec and ike proposal to match the SRX. And rekey the PSK.
PCNSE
NSE
StrongSwan
Sorry I couldn't read any of those screen shots , too small ).Could your share the vpn-cfg as-is on the FGT & any diagnostics? Also was the vpn working previous to the sonicwall ( I'm assuming yes on that one ) if you need to redoe the juniper sie ( you should not need to if it was working previously), Juniper has a VPN configuration tool online that works wonders. I wish fortinet would offer a similar tool http://www.juniper.net/support/tools/vpnconfig/ On the fortogate, just match the proxy-id, and all ipsec and ike proposal to match the SRX. And rekey the PSK.
Appreciate for your advise . I uploaded the clearer picture into my dropbox which is here https://www.dropbox.com/sh/c0l6n8m9y43lj51/AADyoO8xxKtTmRLAVj_b6cnfa?dl=0 . I uploaded the config file also. Could you please check and correct me if my setting is wrong. VPN on sonicwall is working , yes . For the juniper site, I don't need to redo but the relevant person over there will redo the setting. I did set the same credential as per configuration of Juniper. Thanks a mil for your help.
Thanks & regards,
Myat
Yusaku
I was bored and here's the matching fgt cfg for a route-base vpn. Just add policies.
config vpn ipsec phase1-interface
edit "SRX"
set interface "wan1"
set dhgrp 2
set proposal 3des-md5
set negotiate-timeout 200
set remote-gw 1.1.1.1
set psksecret MYSECRETHEREFORPSKVPN
set dpd disable
next
end
config vpn ipsec phase2-interface
edit "SRX-p2"
set auto-negotiate enable
set phase1name "SRX"
set proposal 3des-md5
set pfs enable
set dhgrp 2
set dst-subnet 192.168.222.0 255.255.255.0
set keylifeseconds 3600
set src-subnet 192.168.88.10 255.255.255.255
next
end
config router static
edit 550
set device "SRX"
set dst 192.168.222.0/24
next
PCNSE
NSE
StrongSwan
Thanks
I was replying when you sent that cfg in, i found your problem.
1: you defined a rt-based vpn
2: this requires a route
3: you can fix your problem by installing a static route under router static
( see my sample cfg )
Note : ensure the PSK are correct
Than you can use the diag vpn ike gateway ( FGT ) and show security ike security-associations ( SRX ) and confirm layer2
PCNSE
NSE
StrongSwan
emnoc wrote:Thanks
I was replying when you sent that cfg in, i found your problem.
1: you defined a rt-based vpn
2: this requires a route
3: you can fix your problem by installing a static route under router static
( see my sample cfg )
Note : ensure the PSK are correct
Than you can use the diag vpn ike gateway ( FGT ) and show security ike security-associations ( SRX ) and confirm layer2
Hi ,
Thanks much for your help . I already added the static route. I run the two command as you mention above and get the info as per below . Seems like system can't get the second command.
FGT60D4614000706 # diag vpn ike gateway vd: root/0 name: Invera version: 1 interface: wan1 5 addr: 203.126.6.194:500 -> 198.168.207.245:500 created: 5s ago IKE SA: created 1/1 IPsec SA: created 1/1 id/spi: 639 7e96eb44c19a9cda/0000000000000000 direction: responder status: connecting, state 3, started 5s ago FGT60D4614000706 # show security ike security-associations command parse error before 'security' Command fail. Return code -61
Since I already created VPN tunnel, I not need to create the new one as you mentioned above right. PSK are correct. Did you see any incorrect policies for VPN ?
Thanks & Regards,
Myat
The 2nd cmd was meant for SRX
show security ike security-associations
It looks like you phase1 is up, you can check phase2 on FGT
diag vpn tunnel list
and SRX-juniper
show security ipsec security-associations
After that, it's diagnostics flows if you still have problems issues. Ensure firewall-policy(s) are correct. Since your swapping the TZ sonicwall or whatever you have, I highly doubt you need to recfg the SRX branch firewall.
PCNSE
NSE
StrongSwan
emnoc wrote:The 2nd cmd was meant for SRX
show security ike security-associations
It looks like you phase1 is up, you can check phase2 on FGT
diag vpn tunnel list
and SRX-juniper
show security ipsec security-associations
After that, it's diagnostics flows if you still have problems issues. Ensure firewall-policy(s) are correct. Since your swapping the TZ sonicwall or whatever you have, I highly doubt you need to recfg the SRX branch firewall.
Hi appreciate for your help . Fortinet 60D is already configured as I mentioned above . But for the Juniper site still need to redo the configuration, and I also waiting for their confirmation. I will keep you posted again after we test. Thanks again
Thanks & regards,
Myat
Good to hear. Just like the FGT60D, if you use a routed-based vpn on the SRX140, you need a route point out your st.X interface. You should have no problems rebuilding the cfg on the SRX140 using the offline cfg-builder, but if the tunnel was working to the Sonicwall, it should work with the FGT60D if the same address are re-used.
[link]http://www.juniper.net/support/tools/vpnconfig/[/link]
## Begin - VPN Configuration Generator Output ## Interface IP and route for tunnel traffic set interfaces st0.1 family inet set routing-options static route 192.168.88.10/32 next-hop st0.1 ## Security zones, assign interfaces to the zones & host-inbound services for each zone set security zones security-zone fortigate60d interfaces st0.1 set security zones security-zone untrust host-inbound-traffic system-services ike ## Address book entries for each zone set security zones security-zone trust address-book address net-cfgrtt_192-168-222-0--24 192.168.222.0/24 set security zones security-zone fortigate60d address-book address net-cfgrtt_192-168-88-10--32 192.168.88.10/32 ## IKE policy set security ike policy ike-policy-cfgrtt mode main set security ike policy ike-policy-cfgrtt proposal-set compatible set security ike policy ike-policy-cfgrtt pre-shared-key ascii-text "mykey" ## IKE gateway with peer IP address, IKE policy and outgoing interface set security ike gateway ike-gate-cfgrtt ike-policy ike-policy-cfgrtt set security ike gateway ike-gate-cfgrtt address 1.1.1.1 set security ike gateway ike-gate-cfgrtt external-interface ge-0/0/0 set security ike gateway ike-gate-cfgrtt general-ikeid set security ike gateway ike-gate-cfgrtt version v1-only ## IPsec policy set security ipsec policy ipsec-policy-cfgrtt proposal-set compatible ## IPsec vpn set security ipsec vpn ipsec-vpn-cfgrtt ike gateway ike-gate-cfgrtt set security ipsec vpn ipsec-vpn-cfgrtt ike ipsec-policy ipsec-policy-cfgrtt set security ipsec vpn ipsec-vpn-cfgrtt bind-interface st0.1 ## Advance Settings set security ipsec vpn-monitor-options interval 10 set security ipsec vpn-monitor-options threshold 10 set security ipsec vpn ipsec-vpn-cfgrtt establish-tunnels on-traffic set security ipsec policy ipsec-policy-cfgrtt perfect-forward-secrecy keys group2 ## Security policies for tunnel traffic in outbound direction set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match source-address net-cfgrtt_192-168-222-0--24 set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match destination-address net-cfgrtt_192-168-88-10--32 set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match application any set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt then permit ## Security policies for tunnel traffic in inbound direction set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match source-address net-cfgrtt_192-168-88-10--32 set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match destination-address net-cfgrtt_192-168-222-0--24 set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match application any set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt then permit The above would be a route-based vpn cfg for a typical SRX. Just modify the outgoing interface , fwpoliciys and zone names and possible proposal type of compatible which should be okay for 3des-sha1 w/pfs. KenPCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1711 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.