Screen OS

  • 1.  VPN problem with fortigate

    Posted 03-18-2009 03:39

     Hi,

     

    I have been trying to create a VPN between my SSG20 and a Fortigate 60B. The problem is that from either side I can only reach the remote untrust interface, not the private network behind it. Below is the configuration I did on my SSG20. Any help would be appreciated.

     

     

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Untrust"
    set interface "bgroup0" zone "Trust"
    set interface "tunnel.1" zone "Trust"
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    unset interface vlan1 ip
    set interface ethernet0/0 ip 192.168.2.1/24
    set interface ethernet0/0 nat
    set interface ethernet0/2 ip 192.168.20.20/24
    set interface ethernet0/2 route
    set interface bgroup0 ip 192.168.1.1/24
    set interface bgroup0 nat
    set interface tunnel.1 ip unnumbered interface ethernet0/2
    set interface "ethernet0/2" pmtu ipv4
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/2 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/2 manage ping
    set interface ethernet0/2 manage ssh
    set interface ethernet0/2 manage telnet
    set interface ethernet0/2 manage snmp
    set interface ethernet0/2 manage ssl
    set interface ethernet0/2 manage web
    set interface ethernet0/2 manage ident-reset
    set interface bgroup0 dhcp server service
    set interface bgroup0 dhcp server auto
    set interface bgroup0 dhcp server option gateway 192.168.1.1
    set interface bgroup0 dhcp server option netmask 255.255.255.0
    set interface bgroup0 dhcp server ip 192.168.1.33 to 192.168.1.126
    unset interface bgroup0 dhcp server config next-server-ip
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set address "Trust" "Trust_SSG20" 192.168.2.0 255.255.255.0
    set address "Untrust" "Untrust_F60" 192.168.1.0 255.255.255.0
    set ike p1-proposal "ga" preshare group2 esp 3des sha-1 hour 8
    set ike gateway "To_F60" address 192.168.20.20 Main outgoing-interface "ethernet0/0" preshare "t93kM2nGNywnJhsdGWC0vuFqCsnLsahNyQ==" sec-level compatible
    set ike gateway "To_F60" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651
    set ike gateway  "To_F60" nat-traversal
    unset ike gateway "To_F60" nat-traversal udp-checksum
    set ike gateway "To_F60" nat-traversal keepalive-frequency 0
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "SSG20_F60" gateway "To_F60" no-replay tunnel idletime 0 sec-level compatible
    set vpn "SSG20_F60" id 1 bind interface tunnel.1
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set vpn-group id 1
    set url protocol websense
    exit
    set anti-spam profile ns-profile
     set sbl default-server enable
    exit
    set vpn "SSG20_F60" proxy-id local-ip 192.168.2.0/24 remote-ip 192.168.1.0/24 "ANY"
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 2 from "Trust" to "Untrust"  "Trust_SSG20" "Untrust_F60" "ANY" permit
    set policy id 2
    exit
    set policy id 3 from "Untrust" to "Trust"  "Untrust_F60" "Trust_SSG20" "ANY" permit
    set policy id 3
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet0/2 gateway 192.168.1.0 preference 20
    set route 192.168.1.0/24 interface tunnel.1 preference 20
    set route 192.168.1.0/24 interface null preference 20 metric 10
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 2.  RE: VPN problem with fortigate

    Posted 03-18-2009 12:23

    Hmm, I see some problems in the IKE gateway config.

    The gateway address should point to the IP of your Fortigate. Right now it is set to the firewall's own untrust interface IP (ethernet0/2), so the SSG20 is trying to negotiate with itself:

    set interface ethernet0/2 ip 192.168.20.20/24

    set ike gateway "To_F60" address 192.168.20.20 Main outgoing-interface "ethernet0/0" preshare "t93kM2nGNywnJhsdGWC0vuFqCsnLsahNyQ==" sec-level compatible

    The "get event" command will also show you the error log entries for the VPN.



  • 3.  RE: VPN problem with fortigate

    Posted 03-18-2009 23:01

    Hi,

     

    Thanks for the reply ;-). I corrected the outgoing interface. Now the Juniper is showing the error "Phase 1 - Retransmission limit has been reached". I have checked the DH group, selected the same encryption type, set the initiator to aggressive mode, and the proxy ID uses the same subnet on both ends. But the tunnel is still not up... Please help.

     



  • 4.  RE: VPN problem with fortigate

    Posted 03-19-2009 05:32

    Hi,

     

    A "Phase 1 Retransmission limit has been reached" error indicates that the peers are not able to complete Phase 1 of the VPN negotiation: the SSG20 sent its Phase 1 messages and never received a valid reply.

     

    So they are not able to reach each other, or one side is silently rejecting the proposal. Check that the pre-shared key matches at both ends, and check all your Phase 1 options at both ends (encryption algorithm, authentication hash, Diffie-Hellman group, mode) for a mismatch. Also check when you started getting the Phase 1 messages.

     

    Do you lose the Internet connection at one of the sites, or does the IP address change?

    Gavrilo



  • 5.  RE: VPN problem with fortigate

    Posted 03-19-2009 11:00

    Hey there

     

    If the initiator is in aggressive mode, you need to use aggressive mode on the Fortigate as well. Based on the config you posted, you set the VPN up as main mode ("Main" on the ike gateway line).

    Also check to see whether the two firewalls are able to ping each other.



  • 6.  RE: VPN problem with fortigate

    Posted 03-19-2009 21:29

    Thanks a lot for the reply,

     

    Gavrilo,

     

    The pre-shared key is matching; I have checked it many times. I am not allowing Internet access at either end and I am assigning static IP addresses. I can ping each other's outgoing interface but not the private network behind it. I have done VPNs with Juniper at both ends and they work fine, but with the Fortigate 60B there is no sign of connectivity.

     

    WL,

     First I tried with main mode and then again with aggressive mode (on both ends). Now I have changed the setting back to main mode. It is still not working. I can only ping the remote untrust interface, nothing beyond that.

     

     

    Here is the diagram of my network,

     

                                           --------------------192.168.20.1----------------------

                                              ----------------                                                 -------------------

       Untrust 192.168.20.10  |     F60B    |                                                 |SSG20     |    Untrust eth0/2 192.168.20.20   

                                              ----------------                                                 --------------------

                                                         | 192.168.1.1                                                  | 192.168.2.1 (Trust eth0/0)

                                                         |                                                                      |

                                           PC 192.168.1.99                                            PC 192.168.2.10

     

    From the F60B I can ping 192.168.20.20, and from the SSG20 I can ping 192.168.20.10, but I cannot get beyond that. When I traceroute to the respective inside IPs, the packets never reach them and are dropped.

     

    Looking forward to hearing from you soon.

     

     

    Message Edited by Ayush on 03-19-2009 09:41 PM


  • 7.  RE: VPN problem with fortigate

    Posted 03-20-2009 08:22

    Can you check "get event" again to see what the error is now?

    Or better yet, run the following on the SSG20:

    cl db

    cl ike all

    debug ike detail

    --> generate some traffic into the tunnel

    --> Press Esc to stop the debugs

    get db str (post this output)

     

    That should give us a better idea. Also please post the output of:

    get conf | i ike

    get conf | i vpn

     

    Thanks.



  • 8.  RE: VPN problem with fortigate
    Best Answer

    Posted 03-22-2009 22:50

    HI,

    Thanks to all. I have good news: the VPN with the Fortigate is now working. I changed the whole configuration, implemented a policy-based VPN instead of the route-based one, and also enabled a proxy ID. The main concern is getting the parameters to match on both ends; after many attempts the tunnel is finally UP and working very well. Thanks to WL, Gavrilo and everyone who helped me in every possible way.

     

     



  • 9.  RE: VPN problem with fortigate

    Posted 01-12-2011 20:46

    Hello

     

    I have the same question as you. My SSG is logging the following:

     

    Rejected an IKE packet on ethernet0/2 from 218.90.159.35:500 to 202.99.52.18:500 with cookies 32c6dc879ee932dc and e7e789272e952478 because The peer sent a packet with a message ID before Phase 1 authentication was done.