Screen OS

  • 1.  Site-to-Site VPN Between FortiGate80C and Juniper SSG5 (Route based)

    Posted 08-29-2012 02:56

    Hi there

    I'm trying to set up a site-to-site VPN according to Juniper's and Fortinet's IPsec VPN guides.

    Checking the logs and the web UI on both sides, it looks like the tunnel is up.

    Juniper shows that the SA status is active; link is "-" (VPN monitoring is off).

    Fortinet shows in the IPsec monitor that traffic is going out, but nothing is coming in.

    I'm unable to ping a host behind the FortiGate.

    This is the setup:

    Site A: FortiGate  Subnet A

    Site B: Juniper    Subnet B


    My routing looks like this:

    Site A:

    Destination: Subnet B

    Device: VPN_Phase 1

    Gateway: EMPTY

    Site B:

    Destination: Subnet A

    Interface: tunnel.1

    Gateway: EMPTY


    Policies are configured on both sides in both directions.


    Any ideas or tips where to start from?

    Thanks in advance.



  • 2.  RE: Site-to-Site VPN Between FortiGate80C and Juniper SSG5 (Route based)

    Posted 08-29-2012 03:15

    You mention all the right components.  So your best bet is to capture a failed flow and see where in the process there is a misconfiguration.  We do this with debug flow basic. 


    Follow these steps. 

    Initiate failed ping traffic from the SSG LAN to a device on the Fortinet LAN. 

    Use debug flow to capture the attempt and then review the results.  If you have trouble interpreting the flow post the results here.


    DEBUG FLOW BASIC :
    ==================

    Prepare the tool
    1. undebug all - we are assuring that the debug utility is not already running.
    2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters as of yet. If you should see filters listed you can delete them with unset ffilter.

    Setup the capture
    3. set ffilter src-ip x.x.x.x(computer A) dst-ip x.x.x.x(computer B)
    4. set ffilter src-ip x.x.x.x(computer B) dst-ip x.x.x.x(computer A)

    By doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of communication.

    Capture the traffic
    5. clear db - this will clear the debugging cache.
    6. debug flow basic - this turns the debugging utility on.
    7. initiate the traffic you are interested in capturing.

    Pull the data
    8. undebug all - turns the utility back off.  
    9. get db stream - this is the actual packet capture output that we want.

    Remove the setup
    10. unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier.
    11. clear db - this will clear the cache.
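
The `get db stream` output from step 9 can run to hundreds of lines per ping. As an added helper (not from this thread or from Juniper), the Python script below summarises each packet in such a dump by its endpoints, chosen egress interface, policy verdict and, if reached, the encryption tunnel, so a flow that is routed or denied away from `tunnel.1` stands out. The embedded trace is constructed, and the phrases it matches are assumed to be typical of ScreenOS debug flow basic output rather than taken from this page.

```python
import re
# CONSTRUCTED sample of 'get db stream' output (not a real capture): one packet
# encrypted into tunnel.1, one routed elsewhere and dropped by policy.
SAMPLE = """\
****** 12345.0: <Trust/ethernet0/0> packet received [84]******
  ethernet0/0:10.10.10.5/512->10.20.20.1/1024,1(8/0)<Root>
  routed (x_dst_ip 10.20.20.1) from ethernet0/0 (ethernet0/0 in 0) to tunnel.1
  Permitted by policy 2
  out encryption tunnel 40000001 gw:198.51.100.1
****** 12346.0: <Trust/ethernet0/0> packet received [84]******
  ethernet0/0:10.10.10.5/512->10.30.30.1/1024,1(8/0)<Root>
  routed (x_dst_ip 10.30.30.1) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/2
  Denied by policy 0
  packet dropped, denied by policy
"""

# Phrases assumed typical of ScreenOS debug flow basic output (an assumption).
FLOW = re.compile(r"(\S+):(\d+(?:\.\d+){3})/\d+->(\d+(?:\.\d+){3})/\d+,(\d+)")
EGRESS = re.compile(r"^\s*routed .* to (\S+)$")
POLICY = re.compile(r"(Permitted|Denied) by policy (\d+)")
TUNNEL = re.compile(r"out encryption tunnel (\w+) gw:(\S+)")

def summarise(stream):
    """Return one dict per packet: endpoints, ingress/egress, verdict, tunnel."""
    packets = []
    for line in stream.splitlines():
        if "packet received" in line:          # start of a new packet trace
            packets.append({"src": None, "dst": None, "proto": None, "in_if": None,
                            "egress": None, "policy": None, "tunnel": None, "dropped": False})
            continue
        if not packets:
            continue                           # ignore text before the first packet
        p = packets[-1]
        if (m := FLOW.search(line)) and p["src"] is None:
            p["in_if"], p["src"], p["dst"], p["proto"] = m[1], m[2], m[3], int(m[4])
        elif m := EGRESS.search(line):
            p["egress"] = m[1]                 # interface the route lookup chose
        elif m := POLICY.search(line):
            p["policy"] = (m[1].lower(), int(m[2]))
        elif m := TUNNEL.search(line):
            p["tunnel"] = (m[1], m[2])         # tunnel id and peer gateway
        elif "packet dropped" in line:
            p["dropped"] = True
    return packets

def describe(p):
    """One-line verdict per packet, to spot flows that never reach the tunnel."""
    head = f"{p['src']}->{p['dst']} in {p['in_if']} out {p['egress']} policy {p['policy']}"
    if p["dropped"]:
        return head + ": DROPPED"
    return head + (f": encrypted into tunnel {p['tunnel'][0]} to gw {p['tunnel'][1]}" if p["tunnel"] else ": sent in the clear")
```

Run it on a saved dump with `for p in summarise(open("stream.txt").read()): print(describe(p))`; a packet whose egress is not `tunnel.1` points at routing, one marked DROPPED at policy.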



  • 3.  RE: Site-to-Site VPN Between FortiGate80C and Juniper SSG5 (Route based)
    Best Answer

    Posted 08-29-2012 06:26

    Thanks for your help. I found the solution. Since I have no client on the remote site, I tried to ping the gateway (inside). But with nothing attached to it, the interface was down, so it didn't work.


    Greetings