Hi,
I am trying to set up a site-to-site VPN (policy-based VPN) between an SRX550 and our branch FortiGate firewall.
I have configured the connection based on the link below:
http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/ipsec-policy-based-vpn-configuring.html#jd0e1615
Now the issue is: internal users behind the SRX550 cannot access resources in the branch office behind the FortiGate firewall, but end users behind the FortiGate firewall can access resources behind the SRX550 firewall.
Both firewalls have security policies created to allow access to the opposite site's internal resources.
Refer to the information below that I took from my SRX550.
root@FW# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
216402 UP 25538ef1ff0e1247 d4de05e93fa56d98 Main Hidden here
root@FW# run show security ike security-associations index 216402 detail
IKE peer xx.xx.xx.xx, Index 216402, Gateway Name: Wuxi-Office-Gateway
Role: Responder, State: UP
Initiator cookie: 25538ef1ff0e1247, Responder cookie: d4de05e93fa56d98
Exchange type: Main, Authentication method: Pre-shared-keys
Local: XXX.XXX.XXX.XXX:500, Remote: 5XX.XXX.XX.XX:500
Lifetime: Expires in 76315 seconds
Peer ike-id: XXX.XXX.XX.XXX
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : 3des-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 187380
Output bytes : 171744
Input packets: 2032
Output packets: 2040
Flags: IKE SA is created
IPSec security associations: 4 created, 0 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: XXX.XXX.XX.XXX:500, Remote: XXX.XXX.XX.XXX:500
Local identity: XXX.XXX.XX.XXX
Remote identity: XXX.XXX.XX.XXX
Flags: IKE SA is created
root@FW# run show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<2 ESP:3des/sha1 9ff32e2 2189/ unlim - root 500 xx.xx.xx.xx
>2 ESP:3des/sha1 ba7501ed 2189/ unlim - root 500 xx.xx.xx.xx
root@FW# run show security ipsec security-associations index 2 detail
ID: 2 Virtual-system: root, VPN Name: Wuxi-Office
Local Gateway: xx.xx.xx.xx, Remote Gateway: xx.xx.xx.xx
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.11.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.7.0/24)
Version: IKEv1
DF-bit: clear
Policy-name: Wuxi-office-Outbound
Port: 500, Nego#: 8, Fail#: 0, Def-Del#: 0 Flag: 600821
Tunnel Down Reason: Lifetime expired
Direction: inbound, SPI: 9ff32e2, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 2060 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1422 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: disabled
Direction: outbound, SPI: ba7501ed, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 2060 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1422 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: disabled
Thanks.
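A small checker for the `show security ipsec security-associations index N detail` output pasted above, as an added example that is not part of the original post: it extracts the proxy-IDs (Local/Remote Identity) and the per-direction SPI and state, then flags a proxy-ID mismatch or a missing or uninstalled inbound/outbound SA, which is the first thing to rule out when traffic only flows one way. The sample text and gateway addresses are constructed to mirror the post's output.

```python
import re

# Constructed sample mirroring the post's SRX550 output (gateways are documentation addresses)
SAMPLE = """\
ID: 2 Virtual-system: root, VPN Name: Wuxi-Office
Local Gateway: 203.0.113.1, Remote Gateway: 198.51.100.1
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.11.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.7.0/24)
Policy-name: Wuxi-office-Outbound
Direction: inbound, SPI: 9ff32e2, AUX-SPI: 0, VPN Monitoring: -
Mode: Tunnel(0 0), Type: dynamic, State: installed
Direction: outbound, SPI: ba7501ed, AUX-SPI: 0, VPN Monitoring: -
Mode: Tunnel(0 0), Type: dynamic, State: installed
"""

IDENT_RE = re.compile(r"^(Local|Remote) Identity: ipv4_subnet\(.*?=(\S+?)\)", re.M)
DIR_RE = re.compile(r"^Direction: (inbound|outbound), SPI: (\w+)")
STATE_RE = re.compile(r"State: (\w+)")

def parse_sa_detail(text):
    """Extract proxy-IDs and per-direction SPI/state from the detail output."""
    info = {"local": None, "remote": None, "sas": {}}
    for side, subnet in IDENT_RE.findall(text):
        info[side.lower()] = subnet
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:  # a new Direction block starts; its State line follows
            current = {"spi": m.group(2), "state": None}
            info["sas"][m.group(1)] = current
        elif current is not None and (sm := STATE_RE.search(line)):
            current["state"] = sm.group(1)
    return info

def check_sa(info, expected_local, expected_remote):
    """Return findings; an empty list means proxy-IDs match and both SAs are installed."""
    findings = []
    if info["local"] != expected_local:
        findings.append(f"local proxy-ID {info['local']} != {expected_local}")
    if info["remote"] != expected_remote:
        findings.append(f"remote proxy-ID {info['remote']} != {expected_remote}")
    for direction in ("inbound", "outbound"):
        sa = info["sas"].get(direction)
        if sa is None:
            findings.append(f"no {direction} SA negotiated")
        elif sa["state"] != "installed":
            findings.append(f"{direction} SA state is {sa['state']}, not installed")
    return findings
```

On the output in the post both directions are installed and the proxy-IDs are 192.168.11.0/24 and 192.168.7.0/24, so an empty findings list here points the investigation toward the security policies and routing on each side rather than the SA itself.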