06-17-2011 04:36 AM
Here I want to know about creating a site-to-site VPN between Juniper SRX and FortiGate.
It's not coming up if I use the standard proposal.
Kindly suggest what phase I & II proposals and other settings should be used for successful establishment of a secure tunnel between these boxes.
It would be very useful if any tutorials are available for the above scenario.
06-17-2011 11:14 AM
You can use any proposals which include algorithms supported on both ends.
For testing, you can try for example 3des-md5 for both ike phase 1 and phase 2.
By standard proposal, do you mean "proposal-set standard" on srx? What was configured
on Fortigate at that time?
When VPN is configured, check if phase 1 has successfully established (on SRX, "show security
ike security-associations"). If yes, check phase 2 ("sh sec ipsec security-associations").
Also use "establish-tunnels immediately" option so the tunnel will be established even if there
is no user traffic.
Here's an app note that describes VPN configuration and troubleshooting (policy-based VPN case)
Not sure if there is something SRX-Fortinet specific, but troubleshooting steps are always
06-20-2011 02:56 AM
Since I am not familiar with SRX, and it is at a remote site, I didn't see any logs on the SRX.
As per inputs from the SRX support team, they configured standard phase 1 & 2 proposals at their end; accordingly I made the following configuration on the FortiGate firewall. As per the logs, phase 1 itself is not coming up.
Phase-1 - pre-g2-aes128-sha and pre-g2-3des-sha
Phase-2 - g2-esp-3des-sha and g2-esp-aes128-sha
But I haven't tried 3des-md5.
06-20-2011 08:43 AM
This should be OK with these proposals. Other problems on the SRX side that can prevent
phase 1 from establishing are:
- Mismatched preshared key (and check key type: ascii/hex)
- Wrong external-interface
- Lack of host-inbound-traffic system-services ike on external-interface
If checking these does not help, you can try to enable traceoptions on the
SRX side, as the app note (see link above) describes, and post the log here.
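The SRX-side settings named in this thread, collected as one Junos set-style fragment. This is an added example, not taken from any poster or from the app note; the object names (ike-pol-fgt, gw-fgt, ipsec-pol-fgt, vpn-fgt, ike-debug), interface ge-0/0/0.0, zone untrust, peer address 203.0.113.2 and the key placeholder are assumptions.

```junos
# Added example. All names, the interface, the zone and the peer address
# are constructed placeholders; replace them with the real values.

# Phase 1: "proposal-set standard" is what offers pre-g2-3des-sha and
# pre-g2-aes128-sha, the two proposals listed for the Fortigate side.
set security ike policy ike-pol-fgt mode main
set security ike policy ike-pol-fgt proposal-set standard
# Key type matters: ascii-text here must match how the peer entered its key.
set security ike policy ike-pol-fgt pre-shared-key ascii-text "REPLACE_WITH_SHARED_KEY"

# Gateway: external-interface must be the interface that faces the peer.
set security ike gateway gw-fgt ike-policy ike-pol-fgt
set security ike gateway gw-fgt address 203.0.113.2
set security ike gateway gw-fgt external-interface ge-0/0/0.0

# The zone holding the external interface must accept IKE, otherwise
# phase 1 packets from the peer are dropped before IKE sees them.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

# Phase 2: the standard set offers g2-esp-3des-sha and g2-esp-aes128-sha.
set security ipsec policy ipsec-pol-fgt proposal-set standard
set security ipsec vpn vpn-fgt ike gateway gw-fgt
set security ipsec vpn vpn-fgt ike ipsec-policy ipsec-pol-fgt
# Bring the tunnel up without waiting for user traffic.
set security ipsec vpn vpn-fgt establish-tunnels immediately

# Temporary IKE debugging; remove once phase 1 is established.
set security ike traceoptions file ike-debug
set security ike traceoptions flag all

# Not shown: the security policy (policy-based VPN) or st0 binding
# (route-based VPN) that actually sends traffic into vpn-fgt.

# Operational-mode checks after commit, in this order:
#   show security ike security-associations
#   show security ipsec security-associations
```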
07-08-2012 09:24 PM
Are there more KB and doc links to share on this?