| Introduction | This article describes how to configure an IPSec VPN on a FortiGate unit to work with a Juniper Networks Secure Services Gateway (SSG). The example shown here is route-based, but a policy-based VPN is also possible. |
| Components | - FortiGate unit running FortiOS v3.0 firmware, MR5 or later
- Juniper Networks SSG with firmware version 6.0.0r3.0
|
| Prerequisites | - The FortiGate unit and the Juniper SSG unit must be in NAT mode.
|
| Configure FortiGate VPN Phase 1 | To configure using the Web-based Manager- Go to VPN > IPSec > Auto-Key and select Phase 1.
- Enter the following:
| Name | VPN name: toSSG, for example | | Remote Gateway | Static IP Address | | IP Address | the public IP address of the Juniper appliance,
172.30.69.108, for example | | Local Interface | the interface that connects to the remote VPN: WAN1 | | Mode | Main (default) | | Authentication Method | Preshared Key | | Pre-shared Key | same preshared key configured on the Juniper appliance |
- Select Advanced and enter the following:
| Enable IPSec Interface Mode | Enable | | P1 Proposal | 1 - Encryption 3DES, Authentication SHA1 (default)
Delete proposal 2 | | DH Group | 2 | | Keylife | 28800 | | Nat-traversal | Enable | | Dead Peer Detection | Enable |
- Select OK.
To configure using the CLI:Using the example configuration, enter the following commands: config vpn ipsec phase1-interface
edit "toSSG"
set interface wan1
set dpd enable
set dhgrp 2
set proposal 3des-sha1
set keylife 28800
set nattraversal enable
set remote-gw 172.30.69.108
set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
end
|
| Configure FortiGate VPN Phase 2 | To configure using the Web-based Manager- Go to VPN > IPSec > Auto-Key and select Phase 2.
- Enter the following:
| Name | A name for the VPN Phase 2 configuration: Tunnel-FG-SSG, for example | | Phase 1 | Phase 1 configuration name: toSSG |
- Select Advanced and enter the following:
| P2 Proposal | 1 - Encryption 3DES, Authentication SHA1
Delete proposal 2 | | Enable replay detection | Enable | | Enable perfect forward secrecy | Enable | | DH Group | 2 | | Keylife | 1800 seconds | | Autokey Keep Alive | Disable |
- Select OK.
To configure using the CLIUsing the example configuration, enter the following commands: config vpn ipsec phase2-interface
edit Tunnel-FG-SSG
set dhgrp 2
set keepalive disable
set phase1name toSSG
set proposal 3des-sha1
set pfs enable
set replay enable
set keylife-type seconds
set keylifeseconds 1800
end
|
| Configure FortiGate Firewall Addresses | Create firewall addresses for the private networks at either end of the VPN. To configure using the Web-based Manager- Go to Firewall > Address and select Create New.
- Enter the following:
| Address Name | A name for the address. For example:
"LocalLAN" for the network behind the FortiGate unit
"Site2_net" for the network behind the Juniper appliance | | Type | Subnet/IP Range | | Subnet/IP Range | The network address and subnet mask. For example,
Enter "10.10.10.0 255.255.255.0" for LocalLAN
Enter "192.168.2.0 255.255.255.0" for Site2_net |
- Select OK.
To configure using the CLIUsing the example configuration, enter the following commands:config firewall address
edit "LocalLAN"
set subnet 10.10.10.0 255.255.255.0
next
edit "Site2_net"
set subnet 192.168.2.0 255.255.255.0
end
|
| Configure FortiGate Outgoing Firewall Policy | The outgoing policy allows hosts on the network behind the FortiGate unit to communicate with hosts behind the Juniper appliance. To configure using the Web-based Manager- Go to Firewall > Policy and select Create New.
- Enter the following and select OK:
| Source Interface/Zone | The interface connected to the local network: internal | | Source Address | The firewall address of the local network: LocalLAN | | Destination Interface/Zone | The interface that connects to the remote network: toSSG
| | Destination Address | The firewall address of the remote network: Site2_net | | Schedule | always | | Service | ANY | | Action | ACCEPT |
To configure using the CLIUsing the example configuration, enter the following commands: config firewall policy
edit 1
set srcintf internal
set srcaddr LocalLAN
set dstintf toSSG
set dstaddr Site2_net
set action accept
set schedule always
set service ANY
end
To prevent unencrypted data from leaving the FortiGate, refer to KB article:-FortiOS Protecting data for muliple subnets when IPSec Tunnel Fails |
| Configure FortiGate Incoming Firewall Policy | The incoming policy allows hosts on the network behind the Juniper appliance to communicate with hosts behind the FortiGate unit. To configure using the Web-based Manager- Go to Firewall > Policy and select Create New.
- Enter the following and select OK:
| Source Interface/Zone | The interface that connects to the remote network: toSSG
| | Source Address | The firewall address of the remote network: Site2_net | | Destination Interface/Zone | The interface connected to the local network: internal | | Destination Address | The firewall address of the local network: LocalLAN | | Schedule | always | | Service | ANY | | Action | ACCEPT |
To configure using the CLIUsing the example configuration, enter the following commands: config firewall policy
edit 2
set srcintf toSSG
set srcaddr Site2_net
set dstintf internal
set dstaddr LocalLAN
set action accept
set schedule always
set service ANY
end
|
| Configure Juniper SSG interfaces | This Juniper SSG appliance is configured using its WebUI. Refer to Juniper documentation for detailed information. To configure Juniper SSG interfaces - Go to Network > Interfaces.
- Select Edit for the interface that connects to the LAN.
- Enter the following:
| Zone Name | Trust | | Static IP | Select | | IP Address/Netmask | Enter the address of the interface that connects to the LAN: 192.168.2.99, for example. |
- Select Apply.
- Select Internet Mode NAT and then select OK.
- Go to Network > Interfaces.
- Select Edit for the interface that connects to the remote VPN gateway.
- Enter the following:
| Zone Name | Untrust | | Static IP | Select | | IP Address/Netmask | Enter the address of the remote VPN gateway: 202.85.110.138, for example. |
- Select Apply.
- Select Internet Mode NAT and then select OK.
To configure Juniper SSG tunnel interface - Go to Network > Interfaces.
- Select Tunnel IF and then select New.
- Enter the following and select Apply:
| Tunnel Interface Name | Enter a name: tunnel.1, for example. | | Zone (VR) | Select Untrust (trust-vr). | | Unnumbered | Select | | Interface | Select the interface that connects to the remote VPN gateway: ethernet3, for example. |
|
| Configure Juniper SSG VPN settings | To configure Juniper SSG VPN - Go to VPNs > AutoKey Advanced > Gateway and select New.
- Enter the following and select OK:
| Gateway Name | Enter a name: toFortiGate, for example. | | Security Level | Custom | | Remote Gateway Type | Static IP Address | | Static IP Address | The FortiGate unit VPN gateway address, 172.16.110.138 | | Preshared Key | The same preshared key value as configured on the FortiGate unit. |
- Select Advanced.
- Enter the following and select Return:
| Security Level | Custom | | Phase 1 Proposal | 3des-sha | | Mode (Initiator) | Main (ID Protection) |
|
| Configure Juniper SSG routing | You need to configure routing to send and receive traffic for the remote private network through the VPN tunnel. To configure the routes for VPN traffic - Go to Network > Routing > Routing Entries > trust-vr.
- Enter the following and select OK:
| Network Address/Netmask | 0.0.0.0/0 | | Gateway Interface | The interface that connects to the remote VPN gateway: ethernet3, for example. | | Gateway IP Address | The IP address of the remote Gateway Interface, 172.16.110.138, for example. |
- Go to Network > Routing > Routing Entries > trust-vr.
- Enter the following and select OK:
| Network Address/Netmask | The address of the remote LAN, 192.168.2.0/24 for example. | | Gateway Interface | The tunnel interface: Tunnel.1, for example. | | Gateway IP Address | 0.0.0.0 |
|
| Configure Juniper SSG firewall policies | To configure firewall addresses - Go to Policy > Policy Elements > Addresses > List > New.
- Enter the following, then select OK:
| Address Name | A name for the local LAN, Site1_LAN for example. | | IP Address | The IP Address for the local LAN, 10.10.10.254/24 for example. | | Zone | Trust |
- Go to Policy > Policy Elements > Addresses > List > New.
- Enter the following, then select OK:
| Address Name | A name for the remote LAN, Site2_LAN for example. | | IP Address | The IP Address for the remote LAN, 192.168.2.0/24 for example. | | Zone | Untrust |
To configure firewall policies - Go to Policy > Policies.
- Enter the following, then select OK:
| From | Trust | | To | Untrust | | Name | A name for the policy, Site1toSite2 for example. | | Service | ANY | | Action | Permit |
- Go to Policy > Policies.
- Enter the following, then select OK:
| From | Untrust | | To | Trust | | Name | A name for the policy, Site2toSite1 for example. | | Service | ANY | | Action | Permit |
|
| Test the VPN from the FortiGate unit | - Configure the ping function to originate from the Internal interface.
execute ping-options source 10.10.10.6
- Ping the private network behind the Juniper SS unit.
exec ping 192.168.2.99
|
| Test the VPN from the Juniper SSG unit | - Ping the private network behind the FortiGate unit.
ping 10.10.10.6 from ethernet0/0
- Type the escape sequence to end.
|
| Troubleshooting | There are several tools available to troubleshoot VPNs:VPN monitors- VPN > Monitor on the FortiGate unit.
- VPNs > Monitor Status on the Juniper SSG unit.
Event Logs- Log&Report > Log Access on the FortiGate unit.
- Reports > System Log > Event on the Juniper SSG unit.
Diagnostic commands- FortiGate unit -
diag vpn tunnel list - Juniper SSG -
get sa
|