Visitor
kishorelal2k8@hotmail.com
Posts: 3
Registered: ‎03-10-2011

creating site to site VPN between SRX 240 and fortigate 50b

Hi

Here I want to know about creating a site-to-site VPN between Juniper SRX and FortiGate.

It's not getting up if I use the standard proposal.

Kindly suggest what Phase I & II proposals and other settings should be used for successful establishment of a secure tunnel between these boxes.

It would be very useful if any tutorial is available for the above scenario.

Regards,

Kishore

Distinguished Expert
pk
Posts: 816
Registered: ‎10-09-2008

Re: creating site to site VPN between SRX 240 and fortigate 50b

Hi

You can use any proposals which include algorithms supported on both ends.

For testing, you can try for example 3des-md5 for both IKE phase 1 and phase 2.

By standard proposal, do you mean "proposal-set standard" on SRX? What was configured on Fortigate at that time?

When VPN is configured, check if phase 1 has successfully established (on SRX, "show security ike security-associations"). If yes, check phase 2 ("sh sec ipsec security-associations"). Also use the "establish-tunnels immediately" option so the tunnel will be established even if there is no user traffic.

Here's an app note that describes VPN configuration and troubleshooting (policy-based VPN case):

http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf

Not sure if there is something SRX-Fortinet specific, but troubleshooting steps are always the same.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Visitor
kishorelal2k8@hotmail.com
Posts: 3
Registered: ‎03-10-2011

Re: creating site to site VPN between SRX 240 and fortigate 50b

Hi

Since I am not familiar with SRX, and it is in a remote site, I didn't see any logs on SRX.

As per inputs from the SRX support team, they configured standard phase 1 & 2 proposals at their end; accordingly I made the following configuration at the Fortigate firewall. As per the logs, phase 1 itself is not coming up.

Phase-1 - pre-g2-aes128-sha and pre-g2-3des-sha

Phase-2 - g2-esp-3des-sha and g2-esp-aes128-sha

But I haven't tried 3des-md5.

Regards,

Kishore


Distinguished Expert
pk
Posts: 816
Registered: ‎10-09-2008

Re: creating site to site VPN between SRX 240 and fortigate 50b

Hi

This should be OK with these proposals. Other problems on the SRX side that can prevent phase 1 from establishing are:
- Mismatched preshared key (and check key type: ascii/hex)
- Wrong external-interface
- Lack of host-inbound-traffic system-services ike on external-interface

If checking these does not help, you can try to enable traceoptions on the SRX side, as the app note (see link above) tells, and post the log here.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
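An added example (not from PK's replies or the linked app note) of a set-format SRX configuration that matches the FortiGate proposals Kishore listed (pre-g2-3des-sha / g2-esp-3des-sha) and covers the points raised in this thread: external-interface, establish-tunnels immediately and host-inbound-traffic ike. The interface names, the peer address 203.0.113.2, the route-based st0.0 tunnel and the pre-shared-key placeholder are assumptions.

```junos
## Added example, not the thread's or Juniper's own config. Assumed: external interface
## ge-0/0/0.0 in zone untrust, FortiGate peer 203.0.113.2, route-based tunnel on st0.0.
##
## Phase 1: mirrors FortiGate "pre-g2-3des-sha" (pre-shared key, DH group 2, 3DES, SHA-1).
## 3DES/SHA-1 kept only to match the thread; use aes-128-cbc where both ends support it.
set security ike proposal ike-prop-fgt authentication-method pre-shared-keys
set security ike proposal ike-prop-fgt dh-group group2
set security ike proposal ike-prop-fgt authentication-algorithm sha1
set security ike proposal ike-prop-fgt encryption-algorithm 3des-cbc
set security ike policy ike-pol-fgt mode main
set security ike policy ike-pol-fgt proposals ike-prop-fgt
## Key type must match the FortiGate side (ascii-text here, not hexadecimal)
set security ike policy ike-pol-fgt pre-shared-key ascii-text "REPLACE-WITH-SHARED-SECRET"
set security ike gateway gw-fgt ike-policy ike-pol-fgt
set security ike gateway gw-fgt address 203.0.113.2
## external-interface must be the interface that actually holds the SRX public address
set security ike gateway gw-fgt external-interface ge-0/0/0.0
##
## Phase 2: mirrors FortiGate "g2-esp-3des-sha" (PFS DH group 2, ESP, 3DES, SHA-1)
set security ipsec proposal ipsec-prop-fgt protocol esp
set security ipsec proposal ipsec-prop-fgt authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-fgt encryption-algorithm 3des-cbc
set security ipsec policy ipsec-pol-fgt perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-fgt proposals ipsec-prop-fgt
set security ipsec vpn vpn-fgt bind-interface st0.0
set security ipsec vpn vpn-fgt ike gateway gw-fgt
set security ipsec vpn vpn-fgt ike ipsec-policy ipsec-pol-fgt
## Bring the tunnel up without waiting for user traffic
set security ipsec vpn vpn-fgt establish-tunnels immediately
##
## Without this the SRX drops the peer's IKE (UDP/500) packets on the external interface
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
##
## Verify after commit, phase 1 first, then phase 2:
##   show security ike security-associations
##   show security ipsec security-associations
```

A security policy permitting traffic between the trust and vpn zones and a route for the remote subnet via st0.0 are still needed, and the FortiGate side must use the same key and point at the SRX external address.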
Trusted Contributor
michael.saw
Posts: 1,048
Registered: ‎09-26-2011

Re: creating site to site VPN between SRX 240 and fortigate 50b

Is there more kb and doc links to share on this?

Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"