Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiPhish
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Site to Site VPN with Fortigate 60D <-> Junipe...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Site to Site VPN with Fortigate 60D <-> Juniper SSG140
I have been trying to setup Site to Site VPN between Forigate 60D and Juniper SSG140
but i can seem to get it working.
i already have a IPSec VPN Running using SonicWall <-> Juniper SSG140 and im trying to
replace the SonicWall with Fortigate.
the full details of settings is in the link below,
as this forum does not allow me to attach more than 1 image. i have consolidated into a PDF
and shared out from dropbox.
https://www.dropbox.com/s/6vfkasdkqa4euj1/Site2Site%20VPN.pdf?dl=0
it would be great if you can identify what is missing from my setting.
Thanks!
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I couldn't read any of those screen shots , too small ).Could your share the vpn-cfg as-is on the FGT & any diagnostics? Also was the vpn working previous to the sonicwall ( I'm assuming yes on that one )
if you need to redoe the juniper sie ( you should not need to if it was working previously), Juniper has a VPN configuration tool online that works wonders. I wish fortinet would offer a similar tool
[link]http://www.juniper.net/support/tools/vpnconfig/[/link]
On the fortogate, just match the proxy-id, and all ipsec and ike proposal to match the SRX. And rekey the PSK.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I couldn't read any of those screen shots , too small ).Could your share the vpn-cfg as-is on the FGT & any diagnostics? Also was the vpn working previous to the sonicwall ( I'm assuming yes on that one ) if you need to redoe the juniper sie ( you should not need to if it was working previously), Juniper has a VPN configuration tool online that works wonders. I wish fortinet would offer a similar tool http://www.juniper.net/support/tools/vpnconfig/ On the fortogate, just match the proxy-id, and all ipsec and ike proposal to match the SRX. And rekey the PSK.
Appreciate for your advise . I uploaded the clearer picture into my dropbox which is here https://www.dropbox.com/sh/c0l6n8m9y43lj51/AADyoO8xxKtTmRLAVj_b6cnfa?dl=0 . I uploaded the config file also. Could you please check and correct me if my setting is wrong. VPN on sonicwall is working , yes . For the juniper site, I don't need to redo but the relevant person over there will redo the setting. I did set the same credential as per configuration of Juniper. Thanks a mil for your help.
Thanks & regards,
Myat
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yusaku
I was bored and here's the matching fgt cfg for a route-base vpn. Just add policies.
config vpn ipsec phase1-interface
edit "SRX"
set interface "wan1"
set dhgrp 2
set proposal 3des-md5
set negotiate-timeout 200
set remote-gw 1.1.1.1
set psksecret MYSECRETHEREFORPSKVPN
set dpd disable
next
end
config vpn ipsec phase2-interface
edit "SRX-p2"
set auto-negotiate enable
set phase1name "SRX"
set proposal 3des-md5
set pfs enable
set dhgrp 2
set dst-subnet 192.168.222.0 255.255.255.0
set keylifeseconds 3600
set src-subnet 192.168.88.10 255.255.255.255
next
end
config router static
edit 550
set device "SRX"
set dst 192.168.222.0/24
next
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks
I was replying when you sent that cfg in, i found your problem.
1: you defined a rt-based vpn
2: this requires a route
3: you can fix your problem by installing a static route under router static
( see my sample cfg )
Note : ensure the PSK are correct
Than you can use the diag vpn ike gateway ( FGT ) and show security ike security-associations ( SRX ) and confirm layer2
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:Thanks
I was replying when you sent that cfg in, i found your problem.
1: you defined a rt-based vpn
2: this requires a route
3: you can fix your problem by installing a static route under router static
( see my sample cfg )
Note : ensure the PSK are correct
Than you can use the diag vpn ike gateway ( FGT ) and show security ike security-associations ( SRX ) and confirm layer2
Hi ,
Thanks much for your help . I already added the static route. I run the two command as you mention above and get the info as per below . Seems like system can't get the second command.
FGT60D4614000706 # diag vpn ike gateway vd: root/0 name: Invera version: 1 interface: wan1 5 addr: 203.126.6.194:500 -> 198.168.207.245:500 created: 5s ago IKE SA: created 1/1 IPsec SA: created 1/1 id/spi: 639 7e96eb44c19a9cda/0000000000000000 direction: responder status: connecting, state 3, started 5s ago FGT60D4614000706 # show security ike security-associations command parse error before 'security' Command fail. Return code -61
Since I already created VPN tunnel, I not need to create the new one as you mentioned above right. PSK are correct. Did you see any incorrect policies for VPN ?
Thanks & Regards,
Myat
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The 2nd cmd was meant for SRX
show security ike security-associations
It looks like you phase1 is up, you can check phase2 on FGT
diag vpn tunnel list
and SRX-juniper
show security ipsec security-associations
After that, it's diagnostics flows if you still have problems issues. Ensure firewall-policy(s) are correct. Since your swapping the TZ sonicwall or whatever you have, I highly doubt you need to recfg the SRX branch firewall.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:The 2nd cmd was meant for SRX
show security ike security-associations
It looks like you phase1 is up, you can check phase2 on FGT
diag vpn tunnel list
and SRX-juniper
show security ipsec security-associations
After that, it's diagnostics flows if you still have problems issues. Ensure firewall-policy(s) are correct. Since your swapping the TZ sonicwall or whatever you have, I highly doubt you need to recfg the SRX branch firewall.
Hi appreciate for your help . Fortinet 60D is already configured as I mentioned above . But for the Juniper site still need to redo the configuration, and I also waiting for their confirmation. I will keep you posted again after we test. Thanks again
Thanks & regards,
Myat
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good to hear. Just like the FGT60D, if you use a routed-based vpn on the SRX140, you need a route point out your st.X interface. You should have no problems rebuilding the cfg on the SRX140 using the offline cfg-builder, but if the tunnel was working to the Sonicwall, it should work with the FGT60D if the same address are re-used.
[link]http://www.juniper.net/support/tools/vpnconfig/[/link]
## Begin - VPN Configuration Generator Output ## Interface IP and route for tunnel traffic set interfaces st0.1 family inet set routing-options static route 192.168.88.10/32 next-hop st0.1 ## Security zones, assign interfaces to the zones & host-inbound services for each zone set security zones security-zone fortigate60d interfaces st0.1 set security zones security-zone untrust host-inbound-traffic system-services ike ## Address book entries for each zone set security zones security-zone trust address-book address net-cfgrtt_192-168-222-0--24 192.168.222.0/24 set security zones security-zone fortigate60d address-book address net-cfgrtt_192-168-88-10--32 192.168.88.10/32 ## IKE policy set security ike policy ike-policy-cfgrtt mode main set security ike policy ike-policy-cfgrtt proposal-set compatible set security ike policy ike-policy-cfgrtt pre-shared-key ascii-text "mykey" ## IKE gateway with peer IP address, IKE policy and outgoing interface set security ike gateway ike-gate-cfgrtt ike-policy ike-policy-cfgrtt set security ike gateway ike-gate-cfgrtt address 1.1.1.1 set security ike gateway ike-gate-cfgrtt external-interface ge-0/0/0 set security ike gateway ike-gate-cfgrtt general-ikeid set security ike gateway ike-gate-cfgrtt version v1-only ## IPsec policy set security ipsec policy ipsec-policy-cfgrtt proposal-set compatible ## IPsec vpn set security ipsec vpn ipsec-vpn-cfgrtt ike gateway ike-gate-cfgrtt set security ipsec vpn ipsec-vpn-cfgrtt ike ipsec-policy ipsec-policy-cfgrtt set security ipsec vpn ipsec-vpn-cfgrtt bind-interface st0.1 ## Advance Settings set security ipsec vpn-monitor-options interval 10 set security ipsec vpn-monitor-options threshold 10 set security ipsec vpn ipsec-vpn-cfgrtt establish-tunnels on-traffic set security ipsec policy ipsec-policy-cfgrtt perfect-forward-secrecy keys group2 ## Security policies for tunnel traffic in outbound direction set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match source-address net-cfgrtt_192-168-222-0--24 set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match destination-address net-cfgrtt_192-168-88-10--32 set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match application any set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt then permit ## Security policies for tunnel traffic in inbound direction set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match source-address net-cfgrtt_192-168-88-10--32 set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match destination-address net-cfgrtt_192-168-222-0--24 set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match application any set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt then permit The above would be a route-based vpn cfg for a typical SRX. Just modify the outgoing interface , fwpoliciys and zone names and possible proposal type of compatible which should be okay for 3des-sha1 w/pfs. KenPCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Best way to Eval Fortigate 469 Views
- Export configuration in a structured data... 671 Views
- Users do not get VLANs DHCP... 752 Views
- Office365 apps hang at launch for... 1345 Views
- RIP not functioning with Juniper router 1407 Views
Labels
-
FortiGate
8,042 -
FortiClient
1,611 -
5.2
801 -
FortiManager
679 -
5.4
639 -
FortiAnalyzer
516 -
FortiAP
425 -
FortiSwitch
424 -
6.0
416 -
FortiClient EMS
364 -
5.6
362 -
FortiMail
301 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
188 -
SSL-VPN
176 -
FortiNAC
161 -
IPsec
154 -
6.4
128 -
FortiGuard
125 -
FortiGateCloud
98 -
FortiCloud Products
94 -
FortiSIEM
92 -
SD-WAN
89 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
70 -
4.0MR3
64 -
Firewall policy
58 -
FortiProxy
53 -
FortiEDR
50 -
Fortivoice
49 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
40 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
34 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
25 -
Authentication
25 -
FortiWAN
24 -
FortiConverter
24 -
RADIUS
24 -
FortiGate v5.2
23 -
VDOM
23 -
FortiLink
23 -
Web profile
21 -
Virtual IP
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
Application control
18 -
FortiMonitor
16 -
Traffic shaping
16 -
FortiPAM
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Admin
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
IPS signature
8 -
System settings
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
RMA Information and Announcements
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
DLP sensor
4 -
Email filter profile
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
Application signature
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Netflow
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1475 | |
| 1007 | |
| 749 | |
| 443 | |
| 207 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.