08-29-2012 02:55 AM
I'm trying to set up a site-to-site VPN according to Juniper's and Fortinet's IPsec VPN guides.
Checking the logs and web UI on both sides, it looks like the tunnel is up.
Juniper shows that the SA status is active, link is "-" (VPN monitoring is off).
Fortinet shows in the IPsec monitor that traffic is going out, but nothing is coming in.
I'm unable to ping a host behind the FortiGate.
This is the setup:
Site A: Fortigate SubnetA
Site B: Juniper SubnetB
My routing looks like this:
Destination: Subnet B
Device: VPN_Phase 1
Destination: Subnet A
Policies are configured on both sides in both directions.
Any ideas or tips where to start from?
Thanks in advance....
08-29-2012 03:14 AM
You mention all the right components, so your best bet is to capture a failed flow and see where in the process there is a misconfiguration. We do this with debug flow basic.
Follow these steps:
Initiate failed ping traffic from the SSG LAN to a device on the Fortinet LAN.
Use debug flow to capture the attempt and then review the results. If you have trouble interpreting the flow, post the results here.
DEBUG FLOW BASIC :
Prepare the tool
1. undebug all - we are assuring that the debug utility is not already running.
2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters as of yet. If you should see filters listed, you can delete them with unset ffilter.
Set up the capture
3. set ffilter src-ip x.x.x.x (computer A) dst-ip x.x.x.x (computer B)
4. set ffilter src-ip x.x.x.x (computer B) dst-ip x.x.x.x (computer A)
By doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of communication.
Capture the traffic
5. clear db - this will clear the debugging cache.
6. debug flow basic - this turns the debugging utility on.
7. Initiate the traffic you are interested in capturing.
Pull the data
8. undebug all - turns the utility back off.
9. get db stream - this is the actual packet capture output that we want.
Remove the setup
10. unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier.
11. clear db - this will clear the cache.
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6
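As an added example (not from the thread or from Juniper), the script below turns the answer's debug flow basic procedure into two helpers: one builds the ScreenOS command sequence for a given pair of endpoints, in the order the answer gives, and the other triages a `get db stream` dump packet by packet, reporting how far each packet got (received, routed, policy-permitted, or dropped and why). The sample dump is constructed; its line shapes follow the general form of ScreenOS `debug flow basic` output and are an assumption, not a real capture, so adjust the regexes if your firmware prints slightly different text.

```python
"""Build the debug-flow command list and triage a `get db stream` dump.

Added example, not part of the original thread. The dump below is
constructed to resemble ScreenOS `debug flow basic` output; the exact
wording on a real device may differ (assumption, adjust the regexes).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def build_debug_flow_commands(host_a: str, host_b: str) -> list[str]:
    """Return the CLI sequence from the answer, filled in for two endpoints."""
    return [
        "undebug all",                                   # 1. make sure nothing is running
        "get ffilter",                                   # 2. expect no filters listed
        f"set ffilter src-ip {host_a} dst-ip {host_b}",  # 3. A -> B
        f"set ffilter src-ip {host_b} dst-ip {host_a}",  # 4. B -> A
        "clear db",                                      # 5. empty the debug buffer
        "debug flow basic",                              # 6. start capturing
        # 7. generate the traffic here (ping from host_a to host_b)
        "undebug all",                                   # 8. stop capturing
        "get db stream",                                 # 9. read the capture
        "unset ffilter 0",                               # 10. remove first filter
        "unset ffilter 0",                               # 10. remove second filter
        "clear db",                                      # 11. empty the buffer again
    ]


@dataclass
class PacketTrace:
    in_zone: str = ""
    in_if: str = ""
    src: str = ""
    dst: str = ""
    out_if: str = ""    # interface chosen by the route lookup (e.g. tunnel.1)
    policy: str = ""    # policy id that permitted the packet
    dropped: str = ""   # drop reason, if the packet was dropped

    def verdict(self) -> str:
        """One-line summary of how far this packet got through the flow."""
        if self.dropped:
            return f"dropped: {self.dropped}"
        if self.policy:
            return f"permitted by policy {self.policy} via {self.out_if}"
        if self.out_if:
            return f"routed to {self.out_if}, no policy decision logged"
        return "received, no route decision logged"


# Line patterns (assumed from the general shape of debug flow basic output).
RE_HEADER = re.compile(r"<([^/>]+)/([^>]+)> packet received")
RE_FLOW = re.compile(r"^\s*\S+:(\d+(?:\.\d+){3})/\d+->(\d+(?:\.\d+){3})/\d+")
RE_ROUTED = re.compile(r"routed \(x_dst_ip \S+\) from \S+ .*? to (\S+)")
RE_PERMIT = re.compile(r"Permitted by policy (\d+)")
RE_DROP = re.compile(r"packet dropped[,:]?\s*(.*)")


def triage_flow(dump: str) -> list[PacketTrace]:
    """Split a dump into packets and record the last stage each one reached."""
    traces: list[PacketTrace] = []
    cur: PacketTrace | None = None
    for line in dump.splitlines():
        m = RE_HEADER.search(line)
        if m:                                   # a new packet starts here
            cur = PacketTrace(in_zone=m.group(1), in_if=m.group(2))
            traces.append(cur)
            continue
        if cur is None:
            continue                            # text before the first packet
        if (m := RE_FLOW.match(line)):
            cur.src, cur.dst = m.group(1), m.group(2)
        elif (m := RE_ROUTED.search(line)):
            cur.out_if = m.group(1)
        elif (m := RE_PERMIT.search(line)):
            cur.policy = m.group(1)
        elif (m := RE_DROP.search(line)):
            cur.dropped = m.group(1).strip() or "reason not logged"
    return traces


# Constructed sample: one packet permitted into the tunnel, one denied by
# policy, one with no route. Addresses and interface names are made up.
SAMPLE_DB_STREAM = """\
****** 1001.0: <trust/ethernet0/2> packet received [60]******
  packet passed sanity check.
  ethernet0/2:10.1.1.10/1->10.2.2.10/2,1(8/0)<Root>
  no session found
  flow_first_routing: in <ethernet0/2>, out <N/A>
  routed (x_dst_ip 10.2.2.10) from ethernet0/2 (ethernet0/2 in 0) to tunnel.1
  policy search from zone 2-> zone 16
  Permitted by policy 5
****** 1002.0: <trust/ethernet0/2> packet received [60]******
  ethernet0/2:10.1.1.10/1->10.2.2.20/2,1(8/0)<Root>
  routed (x_dst_ip 10.2.2.20) from ethernet0/2 (ethernet0/2 in 0) to tunnel.1
  policy search from zone 2-> zone 16
  packet dropped, denied by policy
****** 1003.0: <trust/ethernet0/2> packet received [60]******
  ethernet0/2:10.1.1.10/1->10.3.3.10/2,1(8/0)<Root>
  flow_first_routing: in <ethernet0/2>, out <N/A>
  packet dropped: no route to 10.3.3.10
"""

if __name__ == "__main__":
    print("\n".join(build_debug_flow_commands("10.1.1.10", "10.2.2.10")))
    for t in triage_flow(SAMPLE_DB_STREAM):
        print(f"{t.src} -> {t.dst} in {t.in_zone}/{t.in_if}: {t.verdict()}")
```

Run the filter setup in both directions as the answer says, then feed the `get db stream` text to `triage_flow`; a packet that is routed to the tunnel interface and permitted by policy but never answered points you at the far side (which is where the original poster's problem turned out to be), while a drop at the route or policy stage is a local configuration issue.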
08-29-2012 06:25 AM
Thanks for your help. I found the solution. Since I have no client on the remote site, I tried to ping the gateway (inside). But with nothing attached to it, the interface was down, so it didn't work.