Screen OS


site to site VPN between SSG and Fortinet

  • 1.  site to site VPN between SSG and Fortinet

    Posted 08-20-2009 01:12

    Hi guys,

    I'm doing a POC project about VPN: to create a site-to-site VPN between an SSG and a Fortinet 200. I have already set up the SSG and the Fortinet, but I'm confused why the client PC behind the SSG cannot ping the client PC behind the Fortinet, or vice versa, after the tunnel is active.

    I also attached screen captures of the configuration. If we look at the logs, the authentication and Phase 1 and Phase 2 are completed.

    I need advice asap...

    Note: is there any guide for this?

    Thanks in advance

    Regards,

    Andre

    Attachment(s)

    VPN.zip (333 KB)


  • 2.  RE: site to site VPN between SSG and Fortinet

    Posted 08-20-2009 01:28

    Hi Andre,

    It seems like the VPN tunnel is down. Do you enable monitoring on Phase 2? If yes, try to disable it. Second, can you see bytes sent in the policy log, or has traffic already hit the VPN policy? If yes, we already sent the packet to the tunnel and did not get the reply from the peer. Try also doing "debug flow basic" with a filter.

    Thanks

    EL


  • 3.  RE: site to site VPN between SSG and Fortinet

    Posted 08-20-2009 04:01

    Hi EL,

    Yes, you're right: the SA status is active, but the tunnel is down if we look in tunnel monitoring.

    Yes, I enabled monitoring on Phase 2. Why does it have to be disabled?

    If I look in the log there is traffic hitting the policy, but I think it cannot pass through the SSG to the outside, because in the policy log the traffic from source to destination is "close response"... there are no bytes sent.

    Actually, what is the meaning of SA active but link down? When the SA is active, the tunnel is supposed to be connected, right?

    For info: after the SA is active but the link is down (as seen in tunnel monitoring on the SSG), I can ping the Fortinet public interface from the client PC behind the SSG, but not the client PC behind the Fortinet.

    Actually, what do you think about my configuration if you look at the logs I sent you before? Is the tunnel connected correctly?

    Do you have a guide to configure a site-to-site VPN between SSG and Fortinet? Maybe something is wrong or missing in my configuration, so I need some documentation to make sure it's right.

    I need more input from you...

    Thanks a lot.

    Andre


  • 4.  RE: site to site VPN between SSG and Fortinet

    Posted 08-20-2009 04:34

    Hi Andrew,

    If the peer is a non-Juniper device, you should disable monitoring; if not, the link status will show down.

    Please try to disable monitoring first and see the traffic (unset vpn <vpn> monitor).

    If after disabling monitoring it still cannot pass data, please check the policy log: does the policy log show bytes sent?

    If you don't mind, you can send me the config and also the screenshot of the policy log, but first try to disable VPN monitoring.

    Thanks

    EL


  • 5.  RE: site to site VPN between SSG and Fortinet
    Best Answer

    Posted 08-20-2009 04:40

    Hi Andre,

    The following is some information that I could get from the KB; maybe it helps you fix the problem:

    http://kb.juniper.net/index?page=content&id=KB11131&actp=search&searchid=1250768011039

    ------

    The remote gateway is a non-Juniper device and is not able to understand the proprietary VPN monitoring packets sent by the Juniper device, and the remote gateway is dropping the packets.
    To correct this problem, configure the Source interface and Destination IP in the VPN monitor, so that a host (which can reply to a regular ICMP request) behind the non-Juniper device is tracked.
    VPN monitor periodically sends ICMP requests to the end host and expects a reply, so make sure the end host has ping enabled and is not down. Also, ICMP needs to be enabled/permitted by the remote VPN gateway to allow the VPN Monitor packets.

    ------

    Thanks

    EL


  • 6.  RE: site to site VPN between SSG and Fortinet

    Posted 08-20-2009 05:20

    Hi EL,

    OK, I will try your suggestion next week, and I will tell you about the updates next week.

    Thanks a lot for your support.

    Regards,

    Andre


  • 7.  RE: site to site VPN between SSG and Fortinet

    Posted 08-21-2009 05:34

    Hi,

    From the screenshot you sent for the Juniper device, I think you have configured a policy-based VPN on the Juniper.

    I would like to suggest the following things and request you to follow them in sequence.
    ========================================================================================

    1: Check and confirm all the settings on the Fortigate, whether it is policy-based or not, because I can't see that from your Fortigate configuration as you only sent a screenshot of the logs. Trust me, Fortigate logs are not so informative from the GUI, so the log screenshots that you pulled out here only hold 5% of the information you would need. You can choose the RAW logs from your logs tab and it will give you some more details about the logs.

    2: The Juniper device follows dial-on-demand VPN, which means that when the client behind the IPSEC gateway initiates interesting traffic for the opposite IPSEC gateway, it initiates the tunnel and does the negotiation. Now in your case I can see from the logs that your Juniper firewall has done a successful Phase II negotiation, so it should work. So the question comes: why is it not working?

    Now here is a thing about Fortigate:
    ======================================

    Fortigate also follows dial-on-demand VPN, but at the same time it gives you an option to BRING UP the tunnel from the MONITOR tab of the IPSEC connections. If I assume right, then maybe when you finished all your configuration on both firewalls, you went to the Fortigate and clicked BRING UP on the tunnel, and it came up showing BRING DOWN.

    (There is a possibility this way that the VPN comes up but the traffic will not pass. The reason the VPN is up is that the configuration of the phases is fine.)

    or

    (There is also a possibility that the tunnel will not come up if your configurations are not fine.)

    3: Now you would like to know how to get all the detailed logs from the Fortigate: Bingo.

    Note: Before you work on these commands, make sure your traffic or tunnel initiator is the Juniper; only then will you get good details from the logs on the Fortigate, as the Juniper should be the initiator and the Fortigate the recipient.

    Log into the Fortigate unit from the CLI; the commands are below:
    ==============================================================

    a: For policy-based VPN
    =======================

    # diagnose debug enable            (# This command will give you all the details about the actual VPN logs during negotiation)

    # diagnose debug application ike2  (# This command will give you all the details about the Phase 2 logs)

    b: For route-based VPN
    ======================

    # diagnose debug flow show console enable  (# This would show you all the messages on the CLI window itself)
    # show trace messages on console            (# For trace messages)

    # diagnose debug flow trace start 2         (# Shows the actual logs as to why the traffic is not being allowed)

    ==============================================================================================================================

    Now about Juniper:

    On Juniper all the logs are very clear as it displays them on the dashboard, and it is easy to troubleshoot as well, so I would not comment on that part.

    Talking about the tunnel LINK DOWN?

    Yes, I think it's because of the wrong interface (it should be your external interface, which would just send an ICMP to the destination gateway and show you if the link is up or not. I don't see any reason why the Fortigate would reject it).

    However, if you still feel you want to test it, then follow this:

    Log into the CLI of the Fortigate:

    Fire this command IF you want to verify whether the Juniper device is sending ICMP packets and the Fortigate is blocking them:
    =====================

    $ Diagnose sniffer packets external 'host 202.169.51.69 and proto 1'

    In this command "Diagnose sniffer packets" is normal and it would come up the moment you use the TAB key (it's autocomplete).

    "external" is the interface on which you would be sniffing the packets. Now "proto 1" is the protocol number of ICMP.

    Fire this command IF you want to check and verify whether the Juniper is sending some packets on port 500 or not:
    ====================

    $ Diagnose sniffer packets external 'host 202.169.51.69 and port 500'

    =====================================================================================================================================

    The above suggestions should resolve your problems. If not, then please paste the output of

    $ diagnose debug enable  "from the Fortigate"

    All the best!!!

    Message Edited by Lalan on 08-21-2009 03:35 PM


  • 8.  RE: site to site VPN between SSG and Fortinet

    Posted 08-26-2009 00:54

    Hi EL,

    I already tested according to your suggestion: I disabled VPN monitoring and it runs well, and the clients at the two sites can ping each other.

    For now I used static IP addresses on both the SSG and the Fortinet.

    My next question is: for example, I want to configure like this:

    1. The Fortinet uses a static IP, like the current condition.

    2. The SSG uses a dynamic IP from the ISP.

    How do I configure a dynamic IP on the SSG, so the Fortinet can establish the VPN connection with the SSG?

    Thank you

    Andre


  • 9.  RE: site to site VPN between SSG and Fortinet

    Posted 08-26-2009 01:28

    Hi Andre,

    Let's say SSG140 (Site A) and Fortinet (Site B).

    Site A: dynamic IP

    Pre-shared: netscreen

    P1 Proposal: pre-g2-3des-sha

    P2 Proposal: g2-esp-3des-sha

    Site B: 2.2.2.2

    Pre-shared: netscreen

    P1 Proposal: pre-g2-3des-sha

    P2 Proposal: g2-esp-3des-sha

    For a dynamic IP you can use the local ID as the identifier. In this case I use the e-mail address test@xyz.com and use aggressive mode, since this is using a dynamic IP.

    The detailed config is as below:

    1. Click VPNs > AutoKey Advanced > Gateway > Click New
      1. Gateway Name: SiteB_VPN_GW
      2. Security Level: Custom
      3. Remote Gateway: Click Static, and enter IP address 2.2.2.2
      4. Preshared Key: netscreen
      5. Local ID: test@xyz.com
      6. Outgoing Interface: untrust (interface for Internet connection)
      7. Click Advanced
        1. Phase 1 Proposal: pre-g2-3des-sha
        2. Mode (Initiator): Aggressive
        3. Click Return
      8. Click OK
    2. Click AutoKey IKE > Click New
      1. VPN Name: VPNtoSiteB
      2. Security Level: Custom
      3. Remote Gateway: Click Predefined, and select SiteB_VPN_GW from the pulldown menu
      4. Click Advanced
        1. Phase 2 Proposal: g2-esp-3des-sha
        2. Click Return
      5. Click OK
    3. The policy is the same.

    Or you can also refer to these KBs for details:

    http://kb.juniper.net/KB6332

    http://kb.juniper.net/KB4765

    http://kb.juniper.net/KB8534

    Thanks

    EL
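    The dynamic-IP, aggressive-mode gateway from the steps above, together with the VPN-monitor fix quoted from the KB in reply 5 and the plain "disable monitoring" fix from reply 4, written out as ScreenOS CLI. This is an added example, not part of EL's reply or of any Juniper document; the exact command syntax is an assumption from memory of the ScreenOS CLI reference, the "##" lines are annotations rather than commands, and the 10.2.2.10 host behind the Fortinet is an assumed address (the names, key, proposals and the 2.2.2.2 peer come from the reply above).

    ```screenos
    ## Phase 1: IKE gateway to the static Fortinet peer (Site B). The SSG has a
    ## dynamic address, so it identifies itself with a local-id in e-mail form and
    ## uses aggressive mode, exactly as the GUI steps above do.
    set ike gateway SiteB_VPN_GW address 2.2.2.2 aggressive local-id test@xyz.com outgoing-interface untrust preshare netscreen proposal pre-g2-3des-sha

    ## Phase 2: the AutoKey IKE VPN bound to that gateway.
    set vpn VPNtoSiteB gateway SiteB_VPN_GW proposal g2-esp-3des-sha

    ## VPN monitor, weak form: with no destination configured the SSG sends its
    ## proprietary monitor packets to the peer gateway itself. A non-Juniper peer
    ## drops them, so "get sa" reports the SA active but the link down (Sta A/D),
    ## which is the symptom in this thread.
    set vpn VPNtoSiteB monitor

    ## VPN monitor, corrected form (the KB fix in reply 5): track a host behind the
    ## Fortinet that answers ordinary ICMP echo. The source interface should be one
    ## whose address falls inside the tunnel's local proxy-ID, and the Fortinet
    ## policy must permit ICMP to that host through the tunnel. 10.2.2.10 is assumed.
    unset vpn VPNtoSiteB monitor
    set vpn VPNtoSiteB monitor source-interface trust destination-ip 10.2.2.10

    ## Simplest alternative (reply 4): turn monitoring off entirely, so the SA
    ## status alone is what "get sa" reports (Sta A/-).
    unset vpn VPNtoSiteB monitor

    ## Check: once the monitored host replies, the Sta column of "get sa" shows A/U.
    get sa
    ```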


  • 10.  RE: site to site VPN between SSG and Fortinet

    Posted 08-28-2009 02:12

    Hi EL,

    The site-to-site IPSEC VPN between the SSG and the Fortinet is already done... the clients on both sides can communicate with each other.

    For now the peer gateways use static IP addresses on both the SSG and the Fortinet.

    Thank you for your kind support...

    Regards,

    Andre

  • 11.  RE: site to site VPN between SSG and Fortinet

    Posted 09-10-2014 12:46

    Hello

    I've got to set up a site-to-site VPN with a Fortinet (static IP) and a Juniper SRX220 (dynamic IP).

    Can I use on the SRX

    local ID: blablabla

    And configure on the Fortinet

    remote ID: blablabla

    Is it possible to launch the tunnel this way?


  • 12.  RE: site to site VPN between SSG and Fortinet

    Posted 09-11-2014 09:37

    Hello,

    You can refer to this example link:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28108&actp=search&viewlocale=en_US&searchid=1410453104222

    The KB contains example information about how to configure a site-to-site VPN where the SRX has a dynamic IP.

    Hope this will help you.

    Thanks

    @Henk van Tol wrote:

    Hello

    I've got to set up a site-to-site VPN with a Fortinet (static IP) and a Juniper SRX220 (dynamic IP).

    Can I use on the SRX

    local ID: blablabla

    And configure on the Fortinet

    remote ID: blablabla

    Is it possible to launch the tunnel this way?

  • 13.  RE: site to site VPN between SSG and Fortinet

    Posted 08-20-2009 01:32

    Hi,

    Just as an addition, you can also try the VPN troubleshooting guide on the KB:

    http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm

    http://kb.juniper.net/KB9520

    How do I troubleshoot a Site-to-Site VPN where the SA is Up, but the status is Down?

    Thanks

    EL