Support Forum
Fullmoon
Contributor III

OSPF VPN FortiGate - Juniper

Pretty sure everyone has already done a site-to-site VPN between a Juniper (small box) and a FortiGate.

Here's my problem: VPN interface mode is working fine, however when we tried to set up the IPsec VPN with OSPF we can't see OSPF in the routing monitor. I hope someone here could post a working config/screenshot of the Juniper and the FortiGate. Thanks.

Fortigate Newbie
ashukla_FTNT
Staff

Is the OSPF neighborship coming up?

Check the MTU of the VPN interface on our side and on the Juniper side (mostly our side will be 1436).

I believe you are running OSPF over IPsec.

emnoc
Esteemed Contributor III

The diag debug flow is your friend.

 

Also, just like with the FortiGate, we are assuming the Juniper is in interface mode. Have you done a diag sniffer on the FGT and a traceoptions on the SRX?

 

e.g.

    set security flow traceoptions file mybadtunnel
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter MatchTraffic source-prefix x.x.x.x/32 destination-prefix y.y.y.y/32
    commit

(x.x.x.x <> y.y.y.y would be the tunnel-assigned addresses of your OSPF neighbors)

 

and then review the trace:

 

    show log mybadtunnel

 

You can get creative and execute a shell and use tcpdump on the st.X interface also ;)

 

Make sure you have defined the OSPF area and neighbors correctly. These should be configured as point-to-point vs. multi-access.

Ken

PCNSE NSE StrongSwan
Fullmoon
Contributor III

Hi folks, apologies for the late update. Here's the OSPF config of the FortiGate and the Juniper settings. The IPsec VPN is working properly.

Fortigate Newbie
Fullmoon

Juniper OSPF

Fortigate Newbie
Fullmoon

FortiGate routing monitor

Fortigate Newbie
emnoc
Esteemed Contributor III

OP, you really need to get a packet capture/traceoptions on multicast group 224.0.0.5. If the hello/dead time/MTU/auth/OSPF type are mismatched, then it will clearly be present in the pcap.

 

On the FortiGate you can't set the MTU on an IPsec interface. On the Juniper I would start by looking at the interface MTU:

    show interfaces <name> extensive

and run a trace:

    set protocols ospf traceoptions file myospf
    set protocols ospf traceoptions flag all

 

But you need to get a pcap or trace; that would be your best bet for double-checking whether you have any of the above mismatches.

PCNSE NSE StrongSwan
ashukla_FTNT
Staff

The following steps are required:

 

On FortiGate:

1) Make sure you are using 0.0.0.0 source and 0.0.0.0 destination quick mode selectors in the VPN.

2) Give an IP to the tunnel interface:

    config system interface
        edit "(name of the tunnel interface to juniper)"
            set ip 192.168.1.1 255.255.255.252
            set allowaccess ping https ssh
            set type tunnel
            set remote-ip 192.168.1.2
        next
    end

(The remote-ip should be the address assigned on the Juniper tunnel interface.)

3) It is better to ignore the MTU for OSPF (if it is difficult to match the MTU on both sides):

    config router ospf
        config ospf-interface
            edit "xxx"
                set interface "name of tunnel interface"
                set mtu-ignore enable
                set network-type point-to-point
            next
        end
    end

 

On Juniper:

1) The quick mode selector is 0.0.0.0.

2) The st interface IP is set to 192.168.1.2/255.255.255.252.

3) mtu-ignore is enabled under OSPF.

4) Make sure host-inbound-traffic on the zone allows either all or OSPF.

 

If you still face the problem:

    get router info ospf neighbor
    diagnose ip router ospf all enable
    diagnose debug enable

 

 

Run similar traceoptions on the SRX.

Though I am pretty sure if you configure the above, OSPF should work.

Also, the reason we have to use 0.0.0.0 as the quick mode selector is that the OSPF packet will arrive on the FortiGate with the source IP of the Juniper tunnel interface, which will not be part of the quick mode selector, so it will get dropped by the flow.

Juniper doesn't care about it though.
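Added example (not from the thread or either vendor): a Python script that parses two constructed OSPFv2 Hellos, one per tunnel end, and reports the fields a pcap on 224.0.0.5 would show mismatched (area, auth type, hello/dead interval, point-to-point vs. broadcast mask), then checks whether a Hello sourced from the Juniper st interface address fits the IPsec quick-mode selectors, which is the drop described above. The MTU is carried in Database Description packets rather than Hellos, so it is not compared here; the 192.168.1.x addresses and selector prefixes are assumed.

```python
"""Compare OSPFv2 Hellos from both tunnel ends and test them against
the IPsec quick-mode selectors. Packets below are constructed samples."""
import ipaddress
import struct

def build_hello(rid, area, auth_type, hello, dead, p2p=True):
    """Construct a minimal Hello (checksum left 0, no neighbours listed)."""
    mask = 0 if p2p else int(ipaddress.IPv4Address("255.255.255.252"))
    body = struct.pack("!IHBBIII", mask, hello, 0x02, 1, dead, 0, 0)  # opts=E, prio=1, DR/BDR=0
    hdr = struct.pack("!BBHIIHH8s", 2, 1, 24 + len(body),
                      int(ipaddress.IPv4Address(rid)),
                      int(ipaddress.IPv4Address(area)), 0, auth_type, bytes(8))
    return hdr + body

def parse_hello(pkt):
    """Parse the 24-byte OSPFv2 header and the fixed part of a Hello."""
    if len(pkt) < 44:
        raise ValueError("too short for an OSPF Hello")
    ver, ptype, _len, rid, area, _csum, auth_type = struct.unpack("!BBHIIHH", pkt[:16])
    if ver != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    mask, hello, _opts, _prio, dead = struct.unpack("!IHBBI", pkt[24:36])
    return {"router_id": str(ipaddress.IPv4Address(rid)),
            "area": str(ipaddress.IPv4Address(area)),
            "auth_type": auth_type,   # 0 = null, 1 = simple password, 2 = MD5
            "hello": hello, "dead": dead,
            "p2p": mask == 0}         # RFC 2328 9.5: mask is 0.0.0.0 on point-to-point links

def hello_mismatches(a, b):
    """Fields that differ between the two ends and block adjacency (RFC 2328 10.5)."""
    return [k for k in ("area", "auth_type", "hello", "dead", "p2p") if a[k] != b[k]]

def fits_selectors(src, dst, remote_sel, local_sel):
    """Would an inbound packet src->dst match the quick-mode selectors?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(remote_sel)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(local_sel))

if __name__ == "__main__":
    fgt = parse_hello(build_hello("192.168.1.1", "0.0.0.0", 0, 10, 40))
    srx = parse_hello(build_hello("192.168.1.2", "0.0.0.0", 0, 10, 40, p2p=False))
    print("mismatches:", hello_mismatches(fgt, srx))  # ['p2p']
    # Hello from the Juniper st interface address to 224.0.0.5 vs. LAN-only selectors
    print(fits_selectors("192.168.1.2", "224.0.0.5", "10.2.0.0/24", "10.1.0.0/24"))  # False
    print(fits_selectors("192.168.1.2", "224.0.0.5", "0.0.0.0/0", "0.0.0.0/0"))      # True
```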

 

 

Fullmoon

Kudos to ashukla and to the rest of the Forti experts for sharing their ideas. OSPF is now working ;)

Fortigate Newbie