
Site-to-Site VPN Between FortiGate80C and Juniper SSG5 (Route based)

Hi there


I'm trying to set up a site-to-site VPN according to Juniper's and Fortinet's IPsec VPN guides.


Checking the logs and web UI on both sides, it looks like the tunnel is up.


Juniper shows that the SA status is active, link is "-" (VPN monitoring is off).

Fortinet shows in the IPsec monitor that traffic is going out, but nothing is coming in.


I'm unable to ping a host behind the Fortigate.


That's the setup:

Site A: Fortigate  SubnetA

Site B: Juniper    SubnetB


My routing looks like this:

Site A:

Destination: Subnet B

Device: VPN_Phase 1

Gateway: EMPTY

Site B:

Destination: Subnet A

Interface: tunnel.1

Gateway: EMPTY


Policies are configured on both sides in both directions.


Any ideas or tips where to start from?

Thanks in advance....



Re: Site-to-Site VPN Between FortiGate80C and Juniper SSG5 (Route based)

You mention all the right components.  So your best bet is to capture a failed flow and see where in the process there is a misconfiguration.  We do this with debug flow basic. 


Follow these steps. 

Initiate failed ping traffic from the SSG LAN to a device on the Fortinet LAN. 

Use debug flow to capture the attempt and then review the results.  If you have trouble interpreting the flow post the results here.



Prepare the tool
1. undebug all - we are assuring that the debug utility is not already running.
2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters as of yet. If you should see filters listed you can delete them with unset ffilter.

Setup the capture
3. set ffilter src-ip x.x.x.x(computer A) dst-ip x.x.x.x(computer B)
4. set ffilter src-ip x.x.x.x(Computer B) dst-ip x.x.x.x(computer A)

by doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of communication.

Capture the traffic
5. clear db - this will clear the debugging cache.
6. debug flow basic - this turns the debugging utility on.
7. initiate the traffic you are interested in capturing.

Pull the data
8. undebug all - turns the utility back off.  
9. get db stream - this is the actual packet capture output that we want.

Remove the setup
10. unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier.
11. clear db - this will clear the cache.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
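The procedure above ends with a `get db stream` dump that has to be read by hand. As an added example (not from this thread or from Juniper), the script below pulls the decisions that matter for a route-based VPN out of that dump: ingress interface, source/destination, the egress interface the route lookup chose, and whether the policy lookup permitted or dropped the packet. It then compares the two directions the `ffilter` pair was meant to capture, because "outbound packets go into tunnel.1 and nothing ever comes back" points away from this firewall and toward the tunnel or the remote side. The sample stream, the host addresses and the exact wording of the `debug flow basic` lines are constructed from memory and are an assumption; adjust the regexes if your SSG prints them differently.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "get db stream" output after "debug flow basic" with an
# ffilter for A->B and one for B->A. Line formats are approximated from memory
# (assumption); two packets A->B were captured, none B->A.
SAMPLE_STREAM = """\
****** 184321.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 12345(3039), @0a1b2c3d
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:10.1.1.10/1->10.2.2.10/2048,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.1.1.10->10.2.2.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 3.route 10.2.2.10->0.0.0.0, to tunnel.1
  routed (x_dst_ip 10.2.2.10) from ethernet0/0 (ethernet0/0 in 0) to tunnel.1
  policy search from zone 2-> zone 1000
  Permitted by policy 5
  going into tunnel 40000001.
****** 184322.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 12346(303a), @0a1b2c3e
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:10.1.1.10/1->10.2.2.99/2048,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.1.1.10->10.2.2.99) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 3.route 10.2.2.99->0.0.0.0, to tunnel.1
  routed (x_dst_ip 10.2.2.99) from ethernet0/0 (ethernet0/0 in 0) to tunnel.1
  policy search from zone 2-> zone 1000
  packet dropped, denied by policy
"""


@dataclass
class Packet:
    ingress: str                      # interface from the "packet received" banner
    src: str = ""
    dst: str = ""
    proto: str = ""                   # IP protocol number from the 5-tuple line
    egress: Optional[str] = None      # interface chosen by the route lookup
    policy_id: Optional[int] = None   # policy that permitted the packet, if any
    verdict: str = "unknown"          # permitted | denied | no_route | unknown


# One packet starts at the "****** <time>: <Zone/interface> packet received" banner.
PACKET_START = re.compile(r"^\*+\s*\S+: <[^/>]+/([^>]+)> packet received")
# "ethernet0/0:10.1.1.10/1->10.2.2.10/2048,1(8/0)<Root>" -> ingress, src, dst, proto
FIVE_TUPLE = re.compile(r"^(\S+):(\d+(?:\.\d+){3})/\d+->(\d+(?:\.\d+){3})/\d+,(\d+)")
ROUTED = re.compile(r"^routed .*\bto (\S+)$")
PERMIT = re.compile(r"^Permitted by policy (\d+)")
DENY = re.compile(r"denied by policy", re.I)
NO_ROUTE = re.compile(r"no route|route not found", re.I)


def parse_stream(text: str) -> List[Packet]:
    """Split a debug flow dump into per-packet records with the key decisions."""
    packets: List[Packet] = []
    cur: Optional[Packet] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PACKET_START.match(line)
        if m:
            cur = Packet(ingress=m.group(1))
            packets.append(cur)
            continue
        if cur is None:            # text before the first banner
            continue
        if (m := FIVE_TUPLE.match(line)):
            cur.src, cur.dst, cur.proto = m.group(2), m.group(3), m.group(4)
        elif (m := ROUTED.match(line)):
            cur.egress = m.group(1)
        elif (m := PERMIT.match(line)):
            cur.policy_id, cur.verdict = int(m.group(1)), "permitted"
        elif DENY.search(line):
            cur.verdict = "denied"
        elif NO_ROUTE.search(line):
            cur.verdict = "no_route"
    return packets


def summarize(packets: List[Packet], host_a: str, host_b: str) -> dict:
    """Count both directions of the filtered pair and name the likely drop point."""
    fwd = [p for p in packets if p.src == host_a and p.dst == host_b]
    rev = [p for p in packets if p.src == host_b and p.dst == host_a]
    findings = []
    for p in fwd + rev:
        if p.verdict == "denied":
            findings.append(f"{p.src}->{p.dst}: dropped by policy lookup from {p.ingress}")
        elif p.verdict == "no_route":
            findings.append(f"{p.src}->{p.dst}: no route; check the static route to the tunnel interface")
    if fwd and not rev:
        egress = ", ".join(sorted({p.egress for p in fwd if p.egress})) or "unknown"
        findings.append(f"{host_a}->{host_b} leaves via {egress} but nothing returns: "
                        "this firewall is not the drop point; check the tunnel and the remote side")
    return {"forward": len(fwd), "reverse": len(rev), "findings": findings}


if __name__ == "__main__":
    pkts = parse_stream(SAMPLE_STREAM)
    for p in pkts:
        print(f"{p.ingress} {p.src}->{p.dst} egress={p.egress} verdict={p.verdict} policy={p.policy_id}")
    for line in summarize(pkts, "10.1.1.10", "10.2.2.10")["findings"]:
        print("finding:", line)
```

Run it against a pasted `get db stream` capture in place of `SAMPLE_STREAM`, with the two hosts from your `ffilter` lines as `host_a` and `host_b`. A packet that is "denied by policy" or has no route is a local configuration problem; forward packets that reach `tunnel.1` with no packets at all in the reverse direction mean the capture must be repeated on the other end.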

Re: Site-to-Site VPN Between FortiGate80C and Juniper SSG5 (Route based)

Thanks for your help. I found the solution. Since I have no client on the remote site, I tried to ping the gateway (inside). But with nothing attached to it, the interface was down, so it didn't work.


