FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 196870
Introduction

This article describes how to configure an IPSec VPN on a FortiGate unit to work with a Juniper Networks Secure Services Gateway (SSG). The example shown here is route-based, but a policy-based VPN is also possible.

Components
  • FortiGate unit running FortiOS v3.0 firmware, MR5 or later
  • Juniper Networks SSG with firmware version 6.0.0r3.0
Prerequisites
  • The FortiGate unit and the Juniper SSG unit must be in NAT mode.
Configure FortiGate VPN Phase 1

To configure using the Web-based Manager

  1. Go to VPN > IPSec > Auto-Key and select Phase 1.
  2. Enter the following:
    Name: a name for the VPN, toSSG for example
    Remote Gateway: Static IP Address
    IP Address: the public IP address of the Juniper appliance, 172.30.69.108 for example
    Local Interface: the interface that connects to the remote VPN, WAN1
    Mode: Main (default)
    Authentication Method: Preshared Key
    Pre-shared Key: the same preshared key configured on the Juniper appliance

  3. Select Advanced and enter the following:
    Enable IPSec Interface Mode: Enable
    P1 Proposal: 1 - Encryption 3DES, Authentication SHA1 (default); delete proposal 2
    DH Group: 2
    Keylife: 28800
    Nat-traversal: Enable
    Dead Peer Detection: Enable

  4. Select OK.

To configure using the CLI

Using the example configuration, enter the following commands:

config vpn ipsec phase1-interface
  edit "toSSG"
    set interface wan1
    set dpd enable
    set dhgrp 2
    set proposal 3des-sha1
    set keylife 28800
    set nattraversal enable
    set remote-gw 172.30.69.108
    set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  end
Configure FortiGate VPN Phase 2

To configure using the Web-based Manager

  1. Go to VPN > IPSec > Auto-Key and select Phase 2.
  2. Enter the following:
    Name: a name for the VPN Phase 2 configuration, Tunnel-FG-SSG for example
    Phase 1: the Phase 1 configuration name, toSSG

  3. Select Advanced and enter the following:
    P2 Proposal: 1 - Encryption 3DES, Authentication SHA1; delete proposal 2
    Enable replay detection: Enable
    Enable perfect forward secrecy: Enable
    DH Group: 2
    Keylife: 1800 seconds
    Autokey Keep Alive: Disable

  4. Select OK.

To configure using the CLI

Using the example configuration, enter the following commands:

config vpn ipsec phase2-interface
  edit Tunnel-FG-SSG
    set dhgrp 2
    set keepalive disable
    set phase1name toSSG
    set proposal 3des-sha1
    set pfs enable
    set replay enable
    set keylife-type seconds
    set keylifeseconds 1800
  end
Configure FortiGate Firewall Addresses

Create firewall addresses for the private networks at either end of the VPN.

To configure using the Web-based Manager

  1. Go to Firewall > Address and select Create New.
  2. Enter the following:
    Address Name: a name for the address, for example "LocalLAN" for the network behind the FortiGate unit and "Site2_net" for the network behind the Juniper appliance
    Type: Subnet/IP Range
    Subnet/IP Range: the network address and subnet mask, for example "10.10.10.0 255.255.255.0" for LocalLAN and "192.168.2.0 255.255.255.0" for Site2_net

  3. Select OK.

To configure using the CLI

Using the example configuration, enter the following commands:

config firewall address
  edit "LocalLAN"
    set subnet 10.10.10.0 255.255.255.0
  next
  edit "Site2_net"
    set subnet 192.168.2.0 255.255.255.0
  end
Configure FortiGate Outgoing Firewall Policy

The outgoing policy allows hosts on the network behind the FortiGate unit to communicate with hosts behind the Juniper appliance.

To configure using the Web-based Manager

  1. Go to Firewall > Policy and select Create New.
  2. Enter the following and select OK:
    Source Interface/Zone: the interface connected to the local network, internal
    Source Address: the firewall address of the local network, LocalLAN
    Destination Interface/Zone: the interface that connects to the remote network, toSSG
    Destination Address: the firewall address of the remote network, Site2_net
    Schedule: always
    Service: ANY
    Action: ACCEPT

To configure using the CLI

Using the example configuration, enter the following commands:

config firewall policy
  edit 1
    set srcintf internal
    set srcaddr LocalLAN
    set dstintf toSSG
    set dstaddr Site2_net
    set action accept
    set schedule always
    set service ANY
  end

To prevent unencrypted data from leaving the FortiGate unit, refer to the KB article "FortiOS Protecting data for multiple subnets when IPSec Tunnel Fails".

Configure FortiGate Incoming Firewall Policy

The incoming policy allows hosts on the network behind the Juniper appliance to communicate with hosts behind the FortiGate unit.

To configure using the Web-based Manager

  1. Go to Firewall > Policy and select Create New.
  2. Enter the following and select OK:
    Source Interface/Zone: the interface that connects to the remote network, toSSG
    Source Address: the firewall address of the remote network, Site2_net
    Destination Interface/Zone: the interface connected to the local network, internal
    Destination Address: the firewall address of the local network, LocalLAN
    Schedule: always
    Service: ANY
    Action: ACCEPT

To configure using the CLI

Using the example configuration, enter the following commands:

config firewall policy
  edit 2
    set srcintf toSSG
    set srcaddr Site2_net
    set dstintf internal
    set dstaddr LocalLAN
    set action accept
    set schedule always
    set service ANY
  end
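The FortiGate side of the tunnel is four CLI blocks that refer to each other by name: Phase 2 names its Phase 1, and each policy names two firewall addresses and the tunnel interface that takes its name from Phase 1. The following lint is an added example, not Fortinet code: it parses FortiOS-style CLI text and flags dangling references or a tunnel that has a policy in only one direction. The SAMPLE text is constructed from the article's blocks with the incoming policy and Site2_net deliberately left out, so both checks fire.

```python
def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into {section: {entry: {key: value}}}."""
    tree, section, entry = {}, None, None
    for line in text.splitlines():
        cmd, *args = line.replace('"', "").split() or [""]
        if cmd == "config":
            section = tree.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = section.setdefault(args[0], {})
        elif cmd == "set":
            entry[args[0]] = " ".join(args[1:])
    return tree

def lint_vpn(tree):
    """Cross-check the parsed blocks; returns a list of findings (empty = consistent)."""
    p1, p2 = tree.get("vpn ipsec phase1-interface", {}), tree.get("vpn ipsec phase2-interface", {})
    addrs, pols, out = tree.get("firewall address", {}), tree.get("firewall policy", {}), []
    for name in p1:  # a route-based tunnel needs a policy in each direction
        for side, key in (("outgoing", "dstintf"), ("incoming", "srcintf")):
            if not any(p.get(key) == name for p in pols.values()):
                out.append(f"phase1 {name}: no {side} policy on the tunnel interface")
    for name, cfg in p2.items():
        if cfg.get("phase1name") not in p1:
            out.append(f"phase2 {name}: phase1name {cfg.get('phase1name')} is not defined")
    for pid, pol in pols.items():
        for key in ("srcaddr", "dstaddr"):
            if pol.get(key) not in addrs:
                out.append(f"policy {pid}: {key} {pol.get(key)} is not a defined address")
    return out

# Constructed sample: the article's outgoing half only, before Site2_net has been created.
SAMPLE = """\
config vpn ipsec phase1-interface
  edit "toSSG"
  end
config vpn ipsec phase2-interface
  edit Tunnel-FG-SSG
    set phase1name toSSG
  end
config firewall address
  edit "LocalLAN"
    set subnet 10.10.10.0 255.255.255.0
  end
config firewall policy
  edit 1
    set srcaddr LocalLAN
    set dstintf toSSG
    set dstaddr Site2_net
  end
"""
```

Running `lint_vpn(parse_fortios(SAMPLE))` reports the missing incoming policy and the undefined Site2_net; appending the address and the second policy from the article clears both findings.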
Configure Juniper SSG interfaces

This Juniper SSG appliance is configured using its WebUI. Refer to Juniper documentation for detailed information.

To configure Juniper SSG interfaces

  1. Go to Network > Interfaces.
  2. Select Edit for the interface that connects to the LAN.
  3. Enter the following:
    Zone Name: Trust
    Static IP: select
    IP Address/Netmask: the address of the interface that connects to the LAN, 192.168.2.99 for example

  4. Select Apply.
  5. Select Internet Mode NAT and then select OK.
  6. Go to Network > Interfaces.
  7. Select Edit for the interface that connects to the remote VPN gateway.
  8. Enter the following:
    Zone Name: Untrust
    Static IP: select
    IP Address/Netmask: the address of the remote VPN gateway, 202.85.110.138 for example

  9. Select Apply.
  10. Select Internet Mode NAT and then select OK.

To configure Juniper SSG tunnel interface

  1. Go to Network > Interfaces.
  2. Select Tunnel IF and then select New.
  3. Enter the following and select Apply:
    Tunnel Interface Name: a name, tunnel.1 for example
    Zone (VR): Untrust (trust-vr)
    Unnumbered: select
    Interface: the interface that connects to the remote VPN gateway, ethernet3 for example

Configure Juniper SSG VPN settings

To configure Juniper SSG VPN

  1. Go to VPNs > AutoKey Advanced > Gateway and select New.
  2. Enter the following and select OK:
    Gateway Name: a name, toFortiGate for example
    Security Level: Custom
    Remote Gateway Type: Static IP Address
    Static IP Address: the FortiGate unit VPN gateway address, 172.16.110.138
    Preshared Key: the same preshared key value as configured on the FortiGate unit

  3. Select Advanced.
  4. Enter the following and select Return:
    Security Level: Custom
    Phase 1 Proposal: 3des-sha
    Mode (Initiator): Main (ID Protection)

Configure Juniper SSG routing

You need to configure routing to send and receive traffic for the remote private network through the VPN tunnel.

To configure the routes for VPN traffic

  1. Go to Network > Routing > Routing Entries > trust-vr.
  2. Enter the following and select OK:
    Network Address/Netmask: 0.0.0.0/0
    Gateway Interface: the interface that connects to the remote VPN gateway, ethernet3 for example
    Gateway IP Address: the IP address of the remote Gateway Interface, 172.16.110.138 for example

  3. Go to Network > Routing > Routing Entries > trust-vr.
  4. Enter the following and select OK:
    Network Address/Netmask: the address of the remote LAN, 192.168.2.0/24 for example
    Gateway Interface: the tunnel interface, Tunnel.1 for example
    Gateway IP Address: 0.0.0.0

Configure Juniper SSG firewall policies

To configure firewall addresses

  1. Go to Policy > Policy Elements > Addresses > List > New.
  2. Enter the following, then select OK:
    Address Name: a name for the local LAN, Site1_LAN for example
    IP Address: the IP address of the local LAN, 10.10.10.254/24 for example
    Zone: Trust

  3. Go to Policy > Policy Elements > Addresses > List > New.
  4. Enter the following, then select OK:
    Address Name: a name for the remote LAN, Site2_LAN for example
    IP Address: the IP address of the remote LAN, 192.168.2.0/24 for example
    Zone: Untrust

To configure firewall policies

  1. Go to Policy > Policies.
  2. Enter the following, then select OK:
    From: Trust
    To: Untrust
    Name: a name for the policy, Site1toSite2 for example
    Service: ANY
    Action: Permit

  3. Go to Policy > Policies.
  4. Enter the following, then select OK:
    From: Untrust
    To: Trust
    Name: a name for the policy, Site2toSite1 for example
    Service: ANY
    Action: Permit

Test the VPN from the FortiGate unit

  1. Configure the ping function to originate from the internal interface:
    execute ping-options source 10.10.10.6

  2. Ping the private network behind the Juniper SSG unit:
    exec ping 192.168.2.99

Test the VPN from the Juniper SSG unit

  1. Ping the private network behind the FortiGate unit:
    ping 10.10.10.6 from ethernet0/0

  2. Type the escape sequence to end.

Troubleshooting

There are several tools available to troubleshoot VPNs:

VPN monitors

  • VPN > Monitor on the FortiGate unit.
  • VPNs > Monitor Status on the Juniper SSG unit.

Event Logs

  • Log&Report > Log Access on the FortiGate unit.
  • Reports > System Log > Event on the Juniper SSG unit.

Diagnostic commands

  • FortiGate unit - diag vpn tunnel list
  • Juniper SSG - get sa

Related Articles

List of articles about Fortigate IPSec VPN interoperability