Introduction

This article describes how to configure an IPSec VPN on a FortiGate unit to work with a Juniper Networks Secure Services Gateway (SSG). The example shown here is route-based, but a policy-based VPN is also possible.
Components

- FortiGate unit running FortiOS v3.0 firmware, MR5 or later
- Juniper Networks SSG with firmware version 6.0.0r3.0
Prerequisites

- The FortiGate unit and the Juniper SSG unit must be in NAT mode.
Configure FortiGate VPN Phase 1

To configure using the Web-based Manager:
- Go to VPN > IPSec > Auto-Key and select Phase 1.
- Enter the following:

| Setting | Value |
| --- | --- |
| Name | VPN name: toSSG, for example |
| Remote Gateway | Static IP Address |
| IP Address | The public IP address of the Juniper appliance: 172.30.69.108, for example |
| Local Interface | The interface that connects to the remote VPN: WAN1 |
| Mode | Main (default) |
| Authentication Method | Preshared Key |
| Pre-shared Key | The same preshared key configured on the Juniper appliance |

- Select Advanced and enter the following:

| Setting | Value |
| --- | --- |
| Enable IPSec Interface Mode | Enable |
| P1 Proposal | 1 - Encryption 3DES, Authentication SHA1 (default); delete proposal 2 |
| DH Group | 2 |
| Keylife | 28800 |
| Nat-traversal | Enable |
| Dead Peer Detection | Enable |

- Select OK.

To configure using the CLI, using the example configuration, enter the following commands:

    config vpn ipsec phase1-interface
        edit "toSSG"
            set interface wan1
            set dpd enable
            set dhgrp 2
            set proposal 3des-sha1
            set keylife 28800
            set nattraversal enable
            set remote-gw 172.30.69.108
            set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    end
Configure FortiGate VPN Phase 2

To configure using the Web-based Manager:
- Go to VPN > IPSec > Auto-Key and select Phase 2.
- Enter the following:

| Setting | Value |
| --- | --- |
| Name | A name for the VPN Phase 2 configuration: Tunnel-FG-SSG, for example |
| Phase 1 | Phase 1 configuration name: toSSG |

- Select Advanced and enter the following:

| Setting | Value |
| --- | --- |
| P2 Proposal | 1 - Encryption 3DES, Authentication SHA1; delete proposal 2 |
| Enable replay detection | Enable |
| Enable perfect forward secrecy | Enable |
| DH Group | 2 |
| Keylife | 1800 seconds |
| Autokey Keep Alive | Disable |

- Select OK.

To configure using the CLI, using the example configuration, enter the following commands:

    config vpn ipsec phase2-interface
        edit Tunnel-FG-SSG
            set dhgrp 2
            set keepalive disable
            set phase1name toSSG
            set proposal 3des-sha1
            set pfs enable
            set replay enable
            set keylife-type seconds
            set keylifeseconds 1800
    end
Configure FortiGate Firewall Addresses

Create firewall addresses for the private networks at either end of the VPN.

To configure using the Web-based Manager:
- Go to Firewall > Address and select Create New.
- Enter the following:

| Setting | Value |
| --- | --- |
| Address Name | A name for the address; for example, "LocalLAN" for the network behind the FortiGate unit and "Site2_net" for the network behind the Juniper appliance |
| Type | Subnet/IP Range |
| Subnet/IP Range | The network address and subnet mask; for example, "10.10.10.0 255.255.255.0" for LocalLAN and "192.168.2.0 255.255.255.0" for Site2_net |

- Select OK.

To configure using the CLI, using the example configuration, enter the following commands:

    config firewall address
        edit "LocalLAN"
            set subnet 10.10.10.0 255.255.255.0
        next
        edit "Site2_net"
            set subnet 192.168.2.0 255.255.255.0
    end
Configure FortiGate Outgoing Firewall Policy

The outgoing policy allows hosts on the network behind the FortiGate unit to communicate with hosts behind the Juniper appliance.

To configure using the Web-based Manager:
- Go to Firewall > Policy and select Create New.
- Enter the following and select OK:

| Setting | Value |
| --- | --- |
| Source Interface/Zone | The interface connected to the local network: internal |
| Source Address | The firewall address of the local network: LocalLAN |
| Destination Interface/Zone | The interface that connects to the remote network: toSSG |
| Destination Address | The firewall address of the remote network: Site2_net |
| Schedule | always |
| Service | ANY |
| Action | ACCEPT |

To configure using the CLI, using the example configuration, enter the following commands:

    config firewall policy
        edit 1
            set srcintf internal
            set srcaddr LocalLAN
            set dstintf toSSG
            set dstaddr Site2_net
            set action accept
            set schedule always
            set service ANY
    end

To prevent unencrypted data from leaving the FortiGate when the tunnel is down, refer to the KB article:
- FortiOS Protecting data for multiple subnets when IPSec Tunnel Fails
Configure FortiGate Incoming Firewall Policy

The incoming policy allows hosts on the network behind the Juniper appliance to communicate with hosts behind the FortiGate unit.

To configure using the Web-based Manager:
- Go to Firewall > Policy and select Create New.
- Enter the following and select OK:

| Setting | Value |
| --- | --- |
| Source Interface/Zone | The interface that connects to the remote network: toSSG |
| Source Address | The firewall address of the remote network: Site2_net |
| Destination Interface/Zone | The interface connected to the local network: internal |
| Destination Address | The firewall address of the local network: LocalLAN |
| Schedule | always |
| Service | ANY |
| Action | ACCEPT |

To configure using the CLI, using the example configuration, enter the following commands:

    config firewall policy
        edit 2
            set srcintf toSSG
            set srcaddr Site2_net
            set dstintf internal
            set dstaddr LocalLAN
            set action accept
            set schedule always
            set service ANY
    end
Configure Juniper SSG interfaces

This Juniper SSG appliance is configured using its WebUI. Refer to Juniper documentation for detailed information.

To configure Juniper SSG interfaces:
- Go to Network > Interfaces.
- Select Edit for the interface that connects to the LAN.
- Enter the following:

| Setting | Value |
| --- | --- |
| Zone Name | Trust |
| Static IP | Select |
| IP Address/Netmask | Enter the address of the interface that connects to the LAN: 192.168.2.99, for example. |

- Select Apply.
- Select Interface Mode NAT and then select OK.
- Go to Network > Interfaces.
- Select Edit for the interface that connects to the remote VPN gateway.
- Enter the following:

| Setting | Value |
| --- | --- |
| Zone Name | Untrust |
| Static IP | Select |
| IP Address/Netmask | Enter the address of the interface that connects to the remote VPN gateway: 202.85.110.138, for example. |

- Select Apply.
- Select Interface Mode NAT and then select OK.

To configure the Juniper SSG tunnel interface:
- Go to Network > Interfaces.
- Select Tunnel IF and then select New.
- Enter the following and select Apply:

| Setting | Value |
| --- | --- |
| Tunnel Interface Name | Enter a name: tunnel.1, for example. |
| Zone (VR) | Select Untrust (trust-vr). |
| Unnumbered | Select |
| Interface | Select the interface that connects to the remote VPN gateway: ethernet3, for example. |
Configure Juniper SSG VPN settings

To configure the Juniper SSG VPN:
- Go to VPNs > AutoKey Advanced > Gateway and select New.
- Enter the following and select OK:

| Setting | Value |
| --- | --- |
| Gateway Name | Enter a name: toFortiGate, for example. |
| Security Level | Custom |
| Remote Gateway Type | Static IP Address |
| Static IP Address | The FortiGate unit VPN gateway address: 172.16.110.138 |
| Preshared Key | The same preshared key value as configured on the FortiGate unit. |

- Select Advanced.
- Enter the following and select Return:

| Setting | Value |
| --- | --- |
| Security Level | Custom |
| Phase 1 Proposal | 3des-sha |
| Mode (Initiator) | Main (ID Protection) |
Configure Juniper SSG routing

You need to configure routing to send and receive traffic for the remote private network through the VPN tunnel.

To configure the routes for VPN traffic:
- Go to Network > Routing > Routing Entries > trust-vr.
- Enter the following and select OK:

| Setting | Value |
| --- | --- |
| Network Address/Netmask | 0.0.0.0/0 |
| Gateway Interface | The interface that connects to the remote VPN gateway: ethernet3, for example. |
| Gateway IP Address | The IP address of the remote gateway interface: 172.16.110.138, for example. |

- Go to Network > Routing > Routing Entries > trust-vr.
- Enter the following and select OK:

| Setting | Value |
| --- | --- |
| Network Address/Netmask | The address of the remote LAN: 192.168.2.0/24, for example. |
| Gateway Interface | The tunnel interface: tunnel.1, for example. |
| Gateway IP Address | 0.0.0.0 |
Configure Juniper SSG firewall policies

To configure firewall addresses:
- Go to Policy > Policy Elements > Addresses > List > New.
- Enter the following, then select OK:

| Setting | Value |
| --- | --- |
| Address Name | A name for the local LAN: Site1_LAN, for example. |
| IP Address | The IP address for the local LAN: 10.10.10.254/24, for example. |
| Zone | Trust |

- Go to Policy > Policy Elements > Addresses > List > New.
- Enter the following, then select OK:

| Setting | Value |
| --- | --- |
| Address Name | A name for the remote LAN: Site2_LAN, for example. |
| IP Address | The IP address for the remote LAN: 192.168.2.0/24, for example. |
| Zone | Untrust |

To configure firewall policies:
- Go to Policy > Policies.
- Enter the following, then select OK:

| Setting | Value |
| --- | --- |
| From | Trust |
| To | Untrust |
| Name | A name for the policy: Site1toSite2, for example. |
| Service | ANY |
| Action | Permit |

- Go to Policy > Policies.
- Enter the following, then select OK:

| Setting | Value |
| --- | --- |
| From | Untrust |
| To | Trust |
| Name | A name for the policy: Site2toSite1, for example. |
| Service | ANY |
| Action | Permit |
Test the VPN from the FortiGate unit

- Configure the ping function to originate from the Internal interface:

    execute ping-options source 10.10.10.6

- Ping the private network behind the Juniper SSG unit:

    exec ping 192.168.2.99
Test the VPN from the Juniper SSG unit

- Ping the private network behind the FortiGate unit:

    ping 10.10.10.6 from ethernet0/0

- Type the escape sequence to end.
Troubleshooting

There are several tools available to troubleshoot VPNs:

VPN monitors
- VPN > Monitor on the FortiGate unit.
- VPNs > Monitor Status on the Juniper SSG unit.

Event logs
- Log&Report > Log Access on the FortiGate unit.
- Reports > System Log > Event on the Juniper SSG unit.

Diagnostic commands
- FortiGate unit: diag vpn tunnel list
- Juniper SSG: get sa
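Before turning to the monitors and logs, it is worth comparing the Phase 1 and Phase 2 settings on the two peers, since a proposal, DH group or PFS mismatch is the usual reason a tunnel never negotiates. The script below is an added example, not part of the Fortinet article or either vendor's software: the FortiGate values are those configured above, while the SSG's Phase 2 values, its protected subnets and the proposal alias table are constructed assumptions (the article only shows the SSG's Phase 1).

```python
# Added example: cross-check FortiGate and Juniper SSG IKE/IPsec settings for mismatches.
import ipaddress
from dataclasses import dataclass

# FortiOS writes "3des-sha1" where ScreenOS writes "3des-sha"; assumed alias table.
_ALIASES = {"3des-sha": "3des-sha1", "aes128-sha": "aes128-sha1", "aes256-sha": "aes256-sha1"}

def norm(proposal: str) -> str:
    return _ALIASES.get(proposal.lower(), proposal.lower())

@dataclass
class Peer:
    name: str
    mode: str                 # "main" or "aggressive"
    p1_proposals: list
    p1_dh: int
    p1_lifetime: int          # seconds
    p2_proposals: list
    pfs_dh: "int | None"      # None means PFS disabled
    p2_lifetime: int          # seconds
    local_nets: list
    remote_nets: list

def _nets(values: list) -> set:
    return {ipaddress.ip_network(v, strict=False) for v in values}

def check_pair(a: Peer, b: Peer) -> list:
    out = []  # (severity, message); an empty list means the two sides agree
    if a.mode.lower() != b.mode.lower():
        out.append(("error", f"IKE mode differs: {a.mode} vs {b.mode}"))
    for phase, x, y in (("Phase 1", a.p1_proposals, b.p1_proposals), ("Phase 2", a.p2_proposals, b.p2_proposals)):
        if not {norm(p) for p in x} & {norm(p) for p in y}:
            out.append(("error", f"no common {phase} proposal"))
    if a.p1_dh != b.p1_dh:
        out.append(("error", f"Phase 1 DH group differs: {a.p1_dh} vs {b.p1_dh}"))
    if a.pfs_dh != b.pfs_dh:  # PFS must be on or off on both sides, with the same group
        out.append(("error", f"PFS mismatch: {a.pfs_dh} vs {b.pfs_dh}"))
    for phase, x, y in (("Phase 1", a.p1_lifetime, b.p1_lifetime), ("Phase 2", a.p2_lifetime, b.p2_lifetime)):
        if x != y:  # not fatal: the shorter lifetime drives rekeying
            out.append(("warning", f"{phase} lifetime differs: {x}s vs {y}s"))
    if _nets(a.local_nets) != _nets(b.remote_nets) or _nets(a.remote_nets) != _nets(b.local_nets):
        out.append(("error", "protected subnets are not mirrored between the peers"))
    return out

# FortiGate values as configured in the article.
FORTIGATE = Peer("FortiGate", "main", ["3des-sha1"], 2, 28800, ["3des-sha1"], 2, 1800,
                 ["10.10.10.0/24"], ["192.168.2.0/24"])
# SSG Phase 1 as in the article; Phase 2 and subnets constructed to mirror it, lifetime differing on purpose.
SSG = Peer("SSG", "main", ["3des-sha"], 2, 28800, ["3des-sha"], 2, 3600,
           ["192.168.2.0/24"], ["10.10.10.0/24"])
```

Calling `check_pair(FORTIGATE, SSG)` returns only the Phase 2 lifetime warning; change the SSG's DH group or disable its PFS and the corresponding error appears.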