Support Forum
yusaku
New Contributor

Site to Site VPN with Fortigate 60D <-> Juniper SSG140

I have been trying to set up a Site to Site VPN between a FortiGate 60D and a Juniper SSG140, but I can't seem to get it working.

I already have an IPsec VPN running using SonicWall <-> Juniper SSG140 and I'm trying to replace the SonicWall with the FortiGate.

The full details of the settings are in the link below. As this forum does not allow me to attach more than 1 image, I have consolidated them into a PDF and shared it from Dropbox.

https://www.dropbox.com/s/6vfkasdkqa4euj1/Site2Site%20VPN.pdf?dl=0

It would be great if you could identify what is missing from my settings.

Thanks!

8 REPLIES
emnoc
Esteemed Contributor III

Sorry, I couldn't read any of those screen shots, too small. Could you share the vpn-cfg as-is on the FGT & any diagnostics? Also, was the VPN working previous to the SonicWall? (I'm assuming yes on that one.)

If you need to redo the Juniper side (you should not need to if it was working previously), Juniper has a VPN configuration tool online that works wonders. I wish Fortinet would offer a similar tool.

http://www.juniper.net/support/tools/vpnconfig/

On the FortiGate, just match the proxy-id and all IPsec and IKE proposals to the SRX. And rekey the PSK.

PCNSE NSE StrongSwan
yusaku
New Contributor

emnoc wrote:

Sorry, I couldn't read any of those screen shots, too small. Could you share the vpn-cfg as-is on the FGT & any diagnostics? Also, was the VPN working previous to the SonicWall? (I'm assuming yes on that one.) If you need to redo the Juniper side (you should not need to if it was working previously), Juniper has a VPN configuration tool online that works wonders. I wish Fortinet would offer a similar tool. http://www.juniper.net/support/tools/vpnconfig/ On the FortiGate, just match the proxy-id and all IPsec and IKE proposals to the SRX. And rekey the PSK.

 

Appreciate your advice. I uploaded a clearer picture into my Dropbox, which is here: https://www.dropbox.com/sh/c0l6n8m9y43lj51/AADyoO8xxKtTmRLAVj_b6cnfa?dl=0 . I uploaded the config file also. Could you please check and correct me if my setting is wrong. VPN on SonicWall is working, yes. For the Juniper site, I don't need to redo it, but the relevant person over there will redo the setting. I did set the same credentials as per the configuration of the Juniper. Thanks a mil for your help.

Thanks & regards,

Myat

emnoc
Esteemed Contributor III

Yusaku

 

I was bored and here's the matching FGT cfg for a route-based VPN. Just add policies.

 

config vpn ipsec phase1-interface
    edit "SRX"
        set interface "wan1"
        set dhgrp 2
        set proposal 3des-md5
        set negotiate-timeout 200
        set remote-gw 1.1.1.1
        set psksecret MYSECRETHEREFORPSKVPN
        set dpd disable
    next
end

config vpn ipsec phase2-interface
    edit "SRX-p2"
        set auto-negotiate enable
        set phase1name "SRX"
        set proposal 3des-md5
        set pfs enable
        set dhgrp 2
        set dst-subnet 192.168.222.0 255.255.255.0
        set keylifeseconds 3600
        set src-subnet 192.168.88.10 255.255.255.255
    next
end

config router static
    edit 550
        set device "SRX"
        set dst 192.168.222.0/24
    next
end

emnoc
Esteemed Contributor III

Thanks

 

I was replying when you sent that cfg in; I found your problem.

1: You defined a route-based VPN.

2: This requires a route.

3: You can fix your problem by installing a static route under router static.

(see my sample cfg)

Note: ensure the PSKs are correct.

Then you can use diag vpn ike gateway (FGT) and show security ike security-associations (SRX) and confirm layer2.

 

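The three points above (route-based VPN, needs a route, check the PSK) are easy to verify mechanically before a tunnel is brought up. The script below is an added example, not code from the poster or from Fortinet: it parses the `config ... / edit ... / set ... / next / end` text a FortiGate prints for the phase1-interface, phase2-interface and router static sections, then reports a tunnel whose phase2 destination has no static route pointing at the phase1 interface, a PSK that is empty or still the sample placeholder, and proposals built on 3DES/MD5. The sample config is constructed to mirror the cfg posted above; the section names are the FortiOS ones shown there.

```python
"""Sanity checks for a FortiOS route-based IPsec config (constructed example)."""
import ipaddress

# Constructed sample modelled on the FGT cfg posted above; the PSK is the same placeholder.
SAMPLE_CFG = """
config vpn ipsec phase1-interface
    edit "SRX"
        set interface "wan1"
        set dhgrp 2
        set proposal 3des-md5
        set remote-gw 1.1.1.1
        set psksecret MYSECRETHEREFORPSKVPN
        set dpd disable
    next
end
config vpn ipsec phase2-interface
    edit "SRX-p2"
        set phase1name "SRX"
        set proposal 3des-md5
        set pfs enable
        set dhgrp 2
        set dst-subnet 192.168.222.0 255.255.255.0
        set src-subnet 192.168.88.10 255.255.255.255
    next
end
config router static
    edit 550
        set device "SRX"
        set dst 192.168.222.0/24
    next
end
"""

LEGACY_ALGOS = ("3des", "md5")                # algorithms a reviewer would flag today
PLACEHOLDER_PSKS = {"", "MYSECRETHEREFORPSKVPN"}


def parse_fortios(text):
    """Parse 'config ... / edit X / set k v / next / end' into {section: {entry: {k: v}}}."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return sections


def to_network(value):
    """Accept both FortiOS forms: 'a.b.c.d m.m.m.m' and 'a.b.c.d/len'."""
    return ipaddress.ip_network(value.replace(" ", "/"), strict=False)


def check_vpn(cfg):
    """Return {'errors': [...], 'warnings': [...]} for the checks raised in the thread."""
    phase1s = cfg.get("vpn ipsec phase1-interface", {})
    phase2s = cfg.get("vpn ipsec phase2-interface", {})
    routes = cfg.get("router static", {})
    errors, warnings = [], []

    for name, p1 in phase1s.items():
        if "remote-gw" not in p1:
            errors.append(f"phase1 {name}: remote-gw is not set")
        if p1.get("psksecret", "") in PLACEHOLDER_PSKS:
            warnings.append(f"phase1 {name}: psksecret is empty or still the sample placeholder")
        if any(a in p1.get("proposal", "") for a in LEGACY_ALGOS):
            warnings.append(f"phase1 {name}: proposal {p1['proposal']} uses legacy algorithms")

    for name, p2 in phase2s.items():
        p1name = p2.get("phase1name")
        if p1name not in phase1s:
            errors.append(f"phase2 {name}: phase1name {p1name!r} does not exist")
            continue
        if any(a in p2.get("proposal", "") for a in LEGACY_ALGOS):
            warnings.append(f"phase2 {name}: proposal {p2['proposal']} uses legacy algorithms")
        if "dst-subnet" not in p2:
            continue                           # default 0.0.0.0/0: nothing specific to route
        dst = to_network(p2["dst-subnet"])
        # Route-based VPN: traffic only enters the tunnel if a route points at the
        # phase1 interface (the missing piece in this thread).
        routed = any(
            r.get("device") == p1name and dst.subnet_of(to_network(r["dst"]))
            for r in routes.values() if "dst" in r
        )
        if not routed:
            errors.append(f"phase2 {name}: no static route for {dst} via tunnel interface {p1name}")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for level, items in check_vpn(parse_fortios(SAMPLE_CFG)).items():
        for item in items:
            print(f"{level}: {item}")
```

Run against the sample it reports no errors (the route is present) and three warnings (placeholder PSK, 3des-md5 in phase1 and in phase2); delete the `config router static` block and the route error appears, which is exactly the state the original post was in.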
yusaku
New Contributor

emnoc wrote:

Thanks

I was replying when you sent that cfg in; I found your problem.

1: You defined a route-based VPN.

2: This requires a route.

3: You can fix your problem by installing a static route under router static.

(see my sample cfg)

Note: ensure the PSKs are correct.

Then you can use diag vpn ike gateway (FGT) and show security ike security-associations (SRX) and confirm layer2.

 

Hi ,

 

Thanks much for your help. I already added the static route. I ran the two commands as you mentioned above and got the info as per below. Seems like the system can't get the second command.

FGT60D4614000706 # diag vpn ike gateway
vd: root/0
name: Invera
version: 1
interface: wan1 5
addr: 203.126.6.194:500 -> 198.168.207.245:500
created: 5s ago
IKE SA: created 1/1
IPsec SA: created 1/1
id/spi: 639 7e96eb44c19a9cda/0000000000000000
direction: responder
status: connecting, state 3, started 5s ago

FGT60D4614000706 # show security ike security-associations
command parse error before 'security'
Command fail. Return code -61

Since I already created the VPN tunnel, I don't need to create the new one as you mentioned above, right? PSKs are correct. Did you see any incorrect policies for VPN?

 

Thanks & Regards,

Myat

 

emnoc
Esteemed Contributor III

The 2nd cmd was meant for the SRX:

show security ike security-associations

It looks like your phase1 is up; you can check phase2 on the FGT:

diag vpn tunnel list

and on the SRX/Juniper:

show security ipsec security-associations

After that, it's diagnostics flows if you still have problems/issues. Ensure firewall policy(s) are correct. Since you're swapping the TZ SonicWall or whatever you have, I highly doubt you need to recfg the SRX branch firewall.

 

 

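When several tunnels terminate on one FortiGate, reading `diag vpn ike gateway` output by eye gets tedious. The parser below is an added example (not from the poster or from Fortinet): it splits the output into one record per gateway, pulls out the peer address, direction and IKE state, and lists the gateways whose IKE SA is not `established`. The sample output is constructed to follow the layout quoted in the thread, with the addresses replaced by documentation ranges and a second, established gateway added for contrast; the exact wording of the `established` lines is an assumption about FortiOS output, so the parser keys only on the `status:` field.

```python
"""Parse FortiOS 'diag vpn ike gateway' output and report which peers are not established."""

# Constructed sample modelled on the output quoted in the thread (addresses changed,
# second gateway added).
SAMPLE_OUTPUT = """\
vd: root/0
name: SRX
version: 1
interface: wan1 5
addr: 203.0.113.10:500 -> 198.51.100.20:500
created: 5s ago
IKE SA: created 1/1
IPsec SA: created 1/1
id/spi: 639 7e96eb44c19a9cda/0000000000000000
direction: responder
status: connecting, state 3, started 5s ago

vd: root/0
name: HQ
version: 1
interface: wan1 5
addr: 203.0.113.10:500 -> 198.51.100.30:500
created: 3600s ago
IKE SA: created 1/1  established 1/1
IPsec SA: created 2/2  established 2/2
id/spi: 640 0123456789abcdef/fedcba9876543210
direction: initiator
status: established, since 3600s ago
"""


def parse_ike_gateways(text):
    """Split the output into one dict per gateway (records are separated by a blank line)."""
    gateways = []
    for chunk in text.strip().split("\n\n"):
        record = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                record[key.strip()] = value.strip()
        if record:
            gateways.append(record)
    return gateways


def summarize(record):
    """Reduce one gateway record to the fields worth looking at while troubleshooting."""
    state = record.get("status", "").split(",")[0].strip()
    _, _, remote = record.get("addr", "").partition(" -> ")
    _, _, spis = record.get("id/spi", "").partition(" ")
    _, _, second_spi = spis.partition("/")
    return {
        "name": record.get("name"),
        "peer": remote.rsplit(":", 1)[0],
        "direction": record.get("direction"),
        "state": state,
        "phase1_up": state == "established",
        # An all-zero second SPI (as in the thread's output) means the IKE SA has not
        # been fully negotiated yet.
        "second_spi_seen": bool(second_spi) and set(second_spi) != {"0"},
    }


def not_established(text):
    """Names of gateways whose IKE SA is not in the 'established' state."""
    return [s["name"] for s in map(summarize, parse_ike_gateways(text)) if not s["phase1_up"]]


if __name__ == "__main__":
    for gateway in parse_ike_gateways(SAMPLE_OUTPUT):
        print(summarize(gateway))
    print("not established:", not_established(SAMPLE_OUTPUT))
```

Only the first gateway is reported as not established; its state is still `connecting`, which is the point at which the next things to compare are the phase1 proposal, DH group and PSK on both peers.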
yusaku
New Contributor

emnoc wrote:

The 2nd cmd was meant for the SRX:

show security ike security-associations

It looks like your phase1 is up; you can check phase2 on the FGT:

diag vpn tunnel list

and on the SRX/Juniper:

show security ipsec security-associations

After that, it's diagnostics flows if you still have problems/issues. Ensure firewall policy(s) are correct. Since you're swapping the TZ SonicWall or whatever you have, I highly doubt you need to recfg the SRX branch firewall.

 

 

Hi, appreciate your help. The Fortinet 60D is already configured as I mentioned above. But for the Juniper site we still need to redo the configuration, and I am also waiting for their confirmation. I will keep you posted again after we test. Thanks again.

 

Thanks & regards,

Myat

emnoc
Esteemed Contributor III

Good to hear. Just like the FGT60D, if you use a route-based VPN on the SRX140, you need a route pointing out your st0.X interface. You should have no problems rebuilding the cfg on the SRX140 using the offline cfg-builder, but if the tunnel was working to the SonicWall, it should work with the FGT60D if the same addresses are re-used.

http://www.juniper.net/support/tools/vpnconfig/

## Begin - VPN Configuration Generator Output
## Interface IP and route for tunnel traffic
set interfaces st0.1 family inet
set routing-options static route 192.168.88.10/32 next-hop st0.1
## Security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone fortigate60d interfaces st0.1
set security zones security-zone untrust host-inbound-traffic system-services ike
## Address book entries for each zone
set security zones security-zone trust address-book address net-cfgrtt_192-168-222-0--24 192.168.222.0/24
set security zones security-zone fortigate60d address-book address net-cfgrtt_192-168-88-10--32 192.168.88.10/32
## IKE policy
set security ike policy ike-policy-cfgrtt mode main
set security ike policy ike-policy-cfgrtt proposal-set compatible
set security ike policy ike-policy-cfgrtt pre-shared-key ascii-text "mykey"
## IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgrtt ike-policy ike-policy-cfgrtt
set security ike gateway ike-gate-cfgrtt address 1.1.1.1
set security ike gateway ike-gate-cfgrtt external-interface ge-0/0/0
set security ike gateway ike-gate-cfgrtt general-ikeid
set security ike gateway ike-gate-cfgrtt version v1-only
## IPsec policy
set security ipsec policy ipsec-policy-cfgrtt proposal-set compatible
## IPsec vpn
set security ipsec vpn ipsec-vpn-cfgrtt ike gateway ike-gate-cfgrtt
set security ipsec vpn ipsec-vpn-cfgrtt ike ipsec-policy ipsec-policy-cfgrtt
set security ipsec vpn ipsec-vpn-cfgrtt bind-interface st0.1
## Advance Settings
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10
set security ipsec vpn ipsec-vpn-cfgrtt establish-tunnels on-traffic
set security ipsec policy ipsec-policy-cfgrtt perfect-forward-secrecy keys group2
## Security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match source-address net-cfgrtt_192-168-222-0--24
set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match destination-address net-cfgrtt_192-168-88-10--32
set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt match application any
set security policies from-zone trust to-zone fortigate60d policy trust-fortigate60d-cfgrtt then permit
## Security policies for tunnel traffic in inbound direction
set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match source-address net-cfgrtt_192-168-88-10--32
set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match destination-address net-cfgrtt_192-168-222-0--24
set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt match application any
set security policies from-zone fortigate60d to-zone trust policy fortigate60d-trust-cfgrtt then permit

The above would be a route-based VPN cfg for a typical SRX. Just modify the outgoing interface, firewall policies and zone names, and possibly the proposal type of compatible, which should be okay for 3des-sha1 w/PFS.

Ken

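The advice earlier in the thread was to match the proxy-ID, the IKE/IPsec proposals and the PSK between the two boxes, and the SRX cfg above is where those values live on the Juniper side. The script below is an added example, not part of the post or of Juniper's generator output: it walks the `set` commands from the `security ipsec vpn` stanza through the `ike gateway`, `ipsec policy` and `bind-interface` references, collects the peer address, IKE version, PFS group and the static routes pointing at the st0 interface, and compares them with a small dict of the values the FortiGate phase1/phase2 would carry. The SRX excerpt is constructed from the generator output with the names shortened; 203.0.113.10 is an assumed public address for the FGT; the FGT-side dict is constructed from the phase2 posted earlier (IKE version 1 is assumed as the FortiOS default when `ike-version` is not set). `proposal-set compatible` covers several cipher combinations and is not expanded here, so the cipher match itself is left to the operator.

```python
"""Cross-check the SRX side of a route-based VPN against the FGT-side values (constructed)."""
import ipaddress

# Constructed excerpt modelled on the generator output above (names shortened).
SRX_CFG = """
set interfaces st0.1 family inet
set routing-options static route 192.168.88.10/32 next-hop st0.1
set security ike policy ike-policy-1 mode main
set security ike policy ike-policy-1 proposal-set compatible
set security ike gateway ike-gate-1 ike-policy ike-policy-1
set security ike gateway ike-gate-1 address 203.0.113.10
set security ike gateway ike-gate-1 external-interface ge-0/0/0
set security ike gateway ike-gate-1 version v1-only
set security ipsec policy ipsec-policy-1 proposal-set compatible
set security ipsec policy ipsec-policy-1 perfect-forward-secrecy keys group2
set security ipsec vpn ipsec-vpn-1 ike gateway ike-gate-1
set security ipsec vpn ipsec-vpn-1 ike ipsec-policy ipsec-policy-1
set security ipsec vpn ipsec-vpn-1 bind-interface st0.1
"""

# Values the FortiGate phase1/phase2 posted earlier would need the SRX to agree with
# (constructed; the FGT's own address 203.0.113.10 is an assumption).
FGT_SIDE = {
    "local_gw": "203.0.113.10",          # the FGT's wan1 address as seen by the SRX
    "ike_version": "1",                  # FortiOS default when ike-version is not set
    "pfs_dhgrp": "2",                    # set pfs enable / set dhgrp 2
    "src_subnet": "192.168.88.10/32",    # set src-subnet 192.168.88.10 255.255.255.255
}


def parse_junos_set(text):
    """Return one token list per 'set ...' line, without the leading 'set'."""
    return [line.split()[1:] for line in text.splitlines() if line.strip().startswith("set ")]


def select(lines, *prefix):
    """Yield the tokens that follow `prefix` on every line that starts with it."""
    return (t[len(prefix):] for t in lines if tuple(t[:len(prefix)]) == prefix)


def srx_tunnel_params(text, vpn_name):
    """Follow the ipsec vpn -> ike gateway / ipsec policy / st interface references."""
    lines = parse_junos_set(text)
    p = {}
    for rest in select(lines, "security", "ipsec", "vpn", vpn_name):
        if rest[:2] == ["ike", "gateway"]:
            p["gateway"] = rest[2]
        elif rest[:2] == ["ike", "ipsec-policy"]:
            p["ipsec_policy"] = rest[2]
        elif rest[0] == "bind-interface":
            p["st"] = rest[1]
    for rest in select(lines, "security", "ike", "gateway", p["gateway"]):
        if rest[0] == "address":
            p["peer"] = rest[1]
        elif rest[0] == "version":
            p["ike_version"] = rest[1]
    for rest in select(lines, "security", "ipsec", "policy", p["ipsec_policy"]):
        if rest[:2] == ["perfect-forward-secrecy", "keys"]:
            p["pfs"] = rest[2]
    # Routes whose next-hop is the st interface: the route-based VPN needs one per remote subnet.
    p["routes_via_st"] = [
        rest[0] for rest in select(lines, "routing-options", "static", "route")
        if rest[-1] == p.get("st")
    ]
    return p


def cross_check(srx, fgt):
    """List the mismatches between the SRX parameters and the FGT-side values."""
    problems = []
    if srx.get("peer") != fgt["local_gw"]:
        problems.append(f"SRX gateway address {srx.get('peer')} != FGT address {fgt['local_gw']}")
    srx_ver = {"v1-only": "1", "v2-only": "2"}.get(srx.get("ike_version", "v1-only"), "?")
    if srx_ver != fgt["ike_version"]:
        problems.append(f"IKE version mismatch: SRX {srx_ver}, FGT {fgt['ike_version']}")
    srx_pfs = srx.get("pfs", "").replace("group", "")
    if srx_pfs != fgt["pfs_dhgrp"]:
        problems.append(f"PFS group mismatch: SRX {srx_pfs or 'none'}, FGT {fgt['pfs_dhgrp']}")
    want = ipaddress.ip_network(fgt["src_subnet"])
    if not any(want.subnet_of(ipaddress.ip_network(r)) for r in srx["routes_via_st"]):
        problems.append(f"SRX has no route for {want} via {srx.get('st')} (route-based VPN needs one)")
    return problems


if __name__ == "__main__":
    params = srx_tunnel_params(SRX_CFG, "ipsec-vpn-1")
    print(params)
    print("problems:", cross_check(params, FGT_SIDE) or "none")
```

With the constructed values the check is clean; changing the FGT-side PFS group or address shows how a single mismatched parameter is reported, which is the kind of discrepancy that leaves `diag vpn ike gateway` stuck in `connecting`.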