ScreenOS Firewalls (NOT SRX)
Visitor
Mayo
Posts: 5
Registered: ‎11-25-2008
Accepted Solution

Site-to-Site VPN Between FortiGate80C and Juniper SSG5 (Route based)

Hi there

I'm trying to set up a site-to-site VPN according to Juniper's and Fortinet's IPsec VPN guides.

Checking the logs and web UI on both sides, it looks like the tunnel is up.

Juniper shows that the SA status is active, link is "-" (VPN monitoring is off).

Fortinet shows in the IPsec monitor that traffic is going out, but nothing is coming in.

I'm unable to ping a host behind the FortiGate.

That's the setup:

Site A: FortiGate  Subnet A
Site B: Juniper    Subnet B

My routing looks like this:

Site A:
Destination: Subnet B
Device: VPN_Phase 1
Gateway: EMPTY

Site B:
Destination: Subnet A
Interface: tunnel.1
Gateway: EMPTY

Policies are configured on both sides in both directions.

Any ideas or tips where to start from?

Thanks in advance....

 

Distinguished Expert
spuluka
Posts: 2,659
Registered: ‎03-30-2009

Re: Site-to-Site VPN Between FortiGate80C and Juniper SSG5 (Route based)

You mention all the right components.  So your best bet is to capture a failed flow and see where in the process there is a misconfiguration.  We do this with debug flow basic. 

 

Follow these steps. 

Initiate failed ping traffic from the SSG LAN to a device on the Fortinet LAN. 

Use debug flow to capture the attempt and then review the results.  If you have trouble interpreting the flow post the results here.

 

DEBUG FLOW BASIC :
==================

Prepare the tool
1. undebug all - we are assuring that the debug utility is not already running.
2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters as of yet. If you should see filters listed you can delete them with unset ffilter.

Setup the capture
3. set ffilter src-ip x.x.x.x(computer A) dst-ip x.x.x.x(computer B)
  set ffilter src-ip x.x.x.x(Computer B) dst-ip x.x.x.x(computer A)

by doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of communication.

Capture the traffic
5. clear db - this will clear the debugging cache.
6. debug flow basic - this turns the debugging utility on.
7. initiate the traffic you are interested in capturing.

Pull the data
8. undebug all - turns the utility back off.  
9. get db stream - this is the actual packet capture output that we want.

Remove the setup
10. unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier.
11. clear db - this will clear the cache.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
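As an added illustration of the "review the results" step (this is not part of the thread and not Juniper's tooling), the Python script below walks a `get db stream` capture packet by packet and reports the ingress interface, the egress interface chosen by the route lookup and the policy verdict, or the stage at which the packet was dropped. The transcript embedded in it is constructed to resemble debug flow basic output; the exact wording varies between ScreenOS releases, so the regular expressions are assumptions to be adjusted against a real capture. For the problem in this thread it would show whether a ping from the SSG LAN is actually routed into tunnel.1 and permitted by policy before it ever reaches the FortiGate.

```python
"""Summarise a ScreenOS 'debug flow basic' capture (get db stream) per packet.

Added example, not from the thread. SAMPLE_STREAM is a CONSTRUCTED
transcript that mimics debug flow basic output; the regexes below are
assumptions about its wording and may need tuning for a live capture.
"""
import re

# Constructed sample: packet 1 is an ICMP echo from the SSG LAN host
# 10.1.1.10 to 10.2.2.10 that is routed into tunnel.1 and permitted;
# packet 2 is the same flow with the static route to the remote subnet
# missing, so it is dropped at the route lookup.
SAMPLE_STREAM = """\
****** 1234.0: <trust/ethernet0/0> packet received [60]******
  ipid = 1(0001), @0d5a1b10
  packet passed sanity check.
  ethernet0/0:10.1.1.10/1->10.2.2.10/1,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.1.1.10->10.2.2.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 5.route 10.2.2.10->0.0.0.0, to tunnel.1
  routed (x_dst_ip 10.2.2.10) from ethernet0/0 (ethernet0/0 in 0) to tunnel.1
  policy search from zone 2-> zone 1
  Permitted by policy 3
  dip id = 0, 10.1.1.10/1->10.1.1.10/1
  choose interface tunnel.1 as outgoing phy if
****** 1235.0: <trust/ethernet0/0> packet received [60]******
  ipid = 2(0002), @0d5a1b20
  packet passed sanity check.
  ethernet0/0:10.1.1.10/2->10.2.2.10/2,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.1.1.10->10.2.2.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  no route to (ethernet0/0, 10.1.1.10->10.2.2.10) in vr trust-vr
  packet dropped: no route
"""

PACKET_HDR = re.compile(r"^\*{6} (?P<ts>[\d.]+): <(?P<zone>[^/]+)/(?P<ifp>[^>]+)> packet received")
FLOW_LINE = re.compile(r"^\s*\S+:(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+,(?P<proto>\d+)")
ROUTED = re.compile(r"\brouted .* to (?P<out>\S+)$")
POLICY = re.compile(r"^\s*(?P<verdict>Permitted|Denied) by policy (?P<id>\d+)")
DROP = re.compile(r"^\s*packet dropped: (?P<reason>.+)$")


def parse_debug_flow(text):
    """Split the capture at each '****** ... packet received' header and
    pull out the fields that matter for a route-based VPN check."""
    packets = []
    cur = None
    for line in text.splitlines():
        m = PACKET_HDR.match(line)
        if m:
            cur = {"ts": m["ts"], "in_zone": m["zone"], "in_if": m["ifp"],
                   "src": None, "dst": None, "proto": None, "out_if": None,
                   "policy": None, "verdict": None, "drop": None}
            packets.append(cur)
            continue
        if cur is None:  # text before the first packet header
            continue
        m = FLOW_LINE.match(line)
        if m and cur["src"] is None:
            cur["src"], cur["dst"], cur["proto"] = m["src"], m["dst"], int(m["proto"])
            continue
        m = ROUTED.search(line)
        if m:
            cur["out_if"] = m["out"]
            continue
        m = POLICY.match(line)
        if m:
            cur["verdict"], cur["policy"] = m["verdict"], int(m["id"])
            continue
        m = DROP.match(line)
        if m:
            cur["drop"] = m["reason"].strip()
    return packets


def diagnose(pkt):
    """One-line verdict naming the stage where the packet stopped."""
    flow = f"{pkt['src']}->{pkt['dst']}"
    if pkt["drop"]:
        return f"{flow}: dropped ({pkt['drop']}) after ingress on {pkt['in_if']}"
    if pkt["out_if"] is None:
        return f"{flow}: no egress interface chosen, check the route lookup"
    if pkt["verdict"] is None:
        return f"{flow}: routed to {pkt['out_if']} but no policy decision seen"
    return (f"{flow}: {pkt['in_if']} -> {pkt['out_if']}, "
            f"{pkt['verdict'].lower()} by policy {pkt['policy']}")


def summarize(text):
    """Return one diagnosis line per packet in the capture."""
    return [diagnose(p) for p in parse_debug_flow(text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_STREAM):
        print(line)
```

Paste the real `get db stream` output in place of the constructed sample; a packet that is routed and permitted on the SSG but never answered points the search at the far side (or at the return route on the FortiGate), whereas a drop at the route lookup or a deny by policy is a local misconfiguration.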
Visitor
Mayo
Posts: 5
Registered: ‎11-25-2008

Re: Site-to-Site VPN Between FortiGate80C and Juniper SSG5 (Route based)

Thanks for your help. I found the solution. Since I have no client on the remote site, I tried to ping the gateway (inside). But with nothing attached to it, the interface was down, so it didn't work.

 

Greetings

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.