Route Based IPSec VPN between Juniper SRX and Fortigate

In this example I have designed and configured a route-based IPsec VPN between a Juniper SRX and a Fortinet FortiGate. The SRX runs Junos 11.4 and the FortiGate runs FortiOS 4.0. Both sites have static public IP addresses on their internet-facing interfaces. The table below lists the Phase-I and Phase-II VPN parameters; these must match on both devices, while the remaining parameters are locally significant.
IPSec (Phase-I and Phase-II) VPN parameters
The following VPN parameters are required to establish a route-based IPsec VPN between the Juniper SRX and the Fortinet device.
| VPN Parameters | Juniper SRX | Fortinet |
|---|---|---|
| Phase-I (IKE) | | |
| Authentication method | Preshared key | Preshared key |
| Authentication algorithm | SHA1 | SHA1 |
| Encryption algorithm | 3DES-CBC | 3DES-CBC |
| DH group | 5 | 5 |
| Lifetime (sec) | 28800 | 28800 |
| Mode | Main | Main |
| Remote gateway address | 10.10.20.2 | 10.10.10.2 |
| NAT keepalive | 10 | 10 |
| Phase-II (IPsec) | | |
| Protocol | ESP | ESP |
| Authentication algorithm | sha1-96 | sha1-96 |
| Encryption algorithm | 3DES-CBC | 3DES-CBC |
| PFS key group | 5 | 5 |
| Lifetime (sec) | 86400 | 86400 |
| Proxy-identity local | 192.168.100.0/24 | 192.168.200.0/24 |
| Proxy-identity remote | 192.168.200.0/24 | 192.168.100.0/24 |
| Service | Any | Any |
| Locally significant | | |
| Outgoing interface | ge-0/0/0 | wan1 |
| Tunnel interface | st0.1 | |
Now I am going to configure the VPN on the Juniper SRX and on the FortiGate, side by side.
Configuring the VPN on the SRX side
Configure the WAN side interface and assign the IP address
user@SRX# set interfaces ge-0/0/0 unit 0 description "WAN INTERFACE"
user@SRX# set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/30
Configure the LAN side interface and assign the IP address
user@SRX# set interfaces ge-0/0/1 unit 0 description "LAN INTERFACE"
user@SRX# set interfaces ge-0/0/1 unit 0 family inet address 192.168.100.1/24
Configure the VPN tunnel interface
user@SRX# set interfaces st0 unit 1 description "VPN SECURE TUNNEL"
user@SRX# set interfaces st0 unit 1 family inet
Configure the default route and the route for tunnel traffic
For the route covering tunnel traffic, the next-hop would normally be the gateway IP address of the peer device, but here the st0.1 interface is specified as next-hop because no IP address is defined on the peer device's tunnel interface.
user@SRX# set routing-options static route 0.0.0.0/0 next-hop 10.10.10.1
user@SRX# set routing-options static route 192.168.200.0/24 next-hop st0.1
Configure security zones, assign interfaces to the zones and add host-inbound system services to these zones
To keep the security policies for non-VPN and VPN traffic separate, the secure tunnel interface is placed in its own zone named VPN, distinct from the WAN and LAN zones. IKE must be defined as a host-inbound system service in the internet-facing zone (WAN), otherwise the SRX will not accept the IKE negotiation from the VPN peer.
user@SRX# set security zones security-zone WAN host-inbound-traffic system-services ike
user@SRX# set security zones security-zone WAN interfaces ge-0/0/0.0
user@SRX# set security zones security-zone LAN host-inbound-traffic system-services all
user@SRX# set security zones security-zone LAN interfaces ge-0/0/1.0
user@SRX# set security zones security-zone VPN interfaces st0.1
Configure the Phase-I IKE proposal and policy for main mode, as listed in the table above
Here I have defined the Phase-I VPN parameters manually instead of using the defaults.
user@SRX# set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
user@SRX# set security ike proposal IKE-PROPOSAL dh-group group5
user@SRX# set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
user@SRX# set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
user@SRX# set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
user@SRX# set security ike policy IKE-POLICY mode main
user@SRX# set security ike policy IKE-POLICY proposals IKE-PROPOSAL
user@SRX# set security ike policy IKE-POLICY pre-shared-key ascii-text <preshared-key>
Configure the VPN gateway (Phase-I) with the IKE policy, peer address and outgoing interface
To identify the remote IKE peer, I have used the IP address of the peer device and the outgoing interface ge-0/0/0 of the SRX.
user@SRX# set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY
user@SRX# set security ike gateway VPN-GATEWAY address 10.10.20.2
user@SRX# set security ike gateway VPN-GATEWAY dead-peer-detection interval 10
user@SRX# set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1
user@SRX# set security ike gateway VPN-GATEWAY nat-keepalive 10
user@SRX# set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0
Configure the Phase-II proposal and policy, as listed in the table above
Here I have defined the Phase-II VPN parameters manually instead of using the defaults.
user@SRX# set security ipsec proposal IPSEC-PROPOSAL protocol esp
user@SRX# set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
user@SRX# set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
user@SRX# set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400
user@SRX# set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5
user@SRX# set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
Configure the IPsec VPN (Phase-II) with the IKE gateway and IPsec policy, and bind it to the secure tunnel interface st0.1
user@SRX# set security ipsec vpn IPSEC-VPN bind-interface st0.1
user@SRX# set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY
user@SRX# set security ipsec vpn IPSEC-VPN ike proxy-identity local 192.168.100.0/24
user@SRX# set security ipsec vpn IPSEC-VPN ike proxy-identity remote 192.168.200.0/24
user@SRX# set security ipsec vpn IPSEC-VPN ike proxy-identity service any
user@SRX# set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
user@SRX# set security ipsec vpn IPSEC-VPN establish-tunnels immediately
Configure the security policy for internet traffic from the LAN zone to the WAN zone
user@SRX# set security policies from-zone LAN to-zone WAN policy LAN_WAN match source-address any
user@SRX# set security policies from-zone LAN to-zone WAN policy LAN_WAN match destination-address any
user@SRX# set security policies from-zone LAN to-zone WAN policy LAN_WAN match application any
user@SRX# set security policies from-zone LAN to-zone WAN policy LAN_WAN then permit
Configure source NAT for internet traffic from the LAN zone to the WAN zone
NAT is required to pass internet traffic from the LAN zone to the WAN zone. When LAN traffic goes to the internet, its source IP address is translated to the IP address of the SRX's egress interface.
user@SRX# set security nat source rule-set LAN-TO_WAN from zone LAN
user@SRX# set security nat source rule-set LAN-TO_WAN to zone WAN
user@SRX# set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match source-address 0.0.0.0/0
user@SRX# set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match destination-address 0.0.0.0/0
user@SRX# set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT then source-nat interface
Configure bi-directional security policies for tunnel traffic between the LAN and VPN zones
Here a policy is configured in each direction so that VPN traffic can pass from the LAN zone to the VPN zone and back.
user@SRX# set security policies from-zone LAN to-zone VPN policy LAN_VPN match source-address any
user@SRX# set security policies from-zone LAN to-zone VPN policy LAN_VPN match destination-address any
user@SRX# set security policies from-zone LAN to-zone VPN policy LAN_VPN match application any
user@SRX# set security policies from-zone LAN to-zone VPN policy LAN_VPN then permit
user@SRX# set security policies from-zone VPN to-zone LAN policy VPN_LAN match source-address any
user@SRX# set security policies from-zone VPN to-zone LAN policy VPN_LAN match destination-address any
user@SRX# set security policies from-zone VPN to-zone LAN policy VPN_LAN match application any
user@SRX# set security policies from-zone VPN to-zone LAN policy VPN_LAN then permit
Configure tcp-mss to eliminate fragmentation of TCP traffic across the tunnel
The tcp-mss for IPsec traffic is set to remove the possibility of fragmented TCP traffic: it limits the maximum size of a TCP segment so that the segment still fits the path MTU after ESP encapsulation.
user@SRX# set security flow tcp-mss ipsec-vpn mss 1350
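As an added example (my own Python, not from this page), this works out the ESP tunnel-mode overhead for the 3des-cbc / hmac-sha1-96 Phase-II proposal used here and the largest MSS that still fits a 1500-byte path MTU, which shows the headroom the value 1350 leaves; the IV, cipher block and ICV sizes are parameters, so the same calculation applies to other proposals such as aes128-sha1. It assumes IPv4 without IP options and TCP segments without options.

```python
def esp_packet_size(mss, iv_len=8, block=8, icv_len=12, outer_ip=20):
    """Bytes on the wire for one full-MSS TCP segment after ESP tunnel-mode
    encapsulation. Defaults are 3des-cbc (8-byte IV and cipher block) with
    hmac-sha1-96 (12-byte ICV) over IPv4, as in the Phase-II proposal above.
    Assumes no IP or TCP options (each could add up to 40 bytes)."""
    inner = 20 + 20 + mss                  # inner IPv4 header + TCP header + payload
    pad = (-(inner + 2)) % block           # ESP padding: payload+pad+padlen+nexthdr must fill whole blocks
    esp_hdr = 8 + iv_len                   # SPI (4) + sequence number (4), then the IV
    return outer_ip + esp_hdr + inner + pad + 2 + icv_len   # +2 = pad-length and next-header bytes


def max_mss(mtu, **cipher):
    """Largest MSS whose encapsulated packet still fits the path MTU unfragmented."""
    mss = mtu
    while esp_packet_size(mss, **cipher) > mtu:
        mss -= 1
    return mss


def mss_headroom(mss, mtu=1500, **cipher):
    """Bytes left below the MTU for a given MSS (negative means fragmentation)."""
    return mtu - esp_packet_size(mss, **cipher)


if __name__ == "__main__":
    print("3des-cbc/sha1-96: wire size for MSS 1350 =", esp_packet_size(1350), "bytes")
    print("largest MSS without fragmentation at MTU 1500 =", max_mss(1500))
    print("headroom left by mss 1350 =", mss_headroom(1350), "bytes")
    print("aes128-cbc/sha1-96 (16-byte IV and block): largest MSS =", max_mss(1500, iv_len=16, block=16))
```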
The following commands verify the VPN tunnel and its status:
user@SRX> show security ike security-associations
user@SRX> show security ipsec security-associations
Configure the VPN on the FortiGate side
Configuring the Fortinet device from the CLI is not as easy as on the Juniper SRX, but I will show the commands needed to configure the IPsec VPN on it. After logging in to the device, type the following commands at the corresponding level of the CLI hierarchy. The web-UI procedure is given alongside each CLI procedure.
Configure the WAN interface and assign its IP address
Here the wan1 interface is given the WAN/internet-facing IP address, and HTTPS, SSH, Telnet and ping access to the interface is allowed.
CLI Procedure:
FORTIGATE # config system interface
FORTIGATE (interface) # edit wan1
FORTIGATE (wan1) # set ip 10.10.20.2 255.255.255.252
FORTIGATE (wan1) # set alias "WAN_INTERFACE"
FORTIGATE (wan1) # set allowaccess ping https ssh telnet
FORTIGATE (wan1) # end
WEB Procedure: after logging in to the device, go to System > Network > Interface > wan1, then type the description of the interface, enter the IP address with its netmask and tick the access services you want.
Configure the INTERNAL interface and assign its IP address, allowing ping, HTTP/HTTPS, SSH and Telnet access
CLI Procedure:
FORTIGATE # config system interface
FORTIGATE (interface) # edit internal
FORTIGATE (internal) # set ip 192.168.200.1 255.255.255.0
FORTIGATE (internal) # set alias "LAN_INTERFACE"
FORTIGATE (internal) # set allowaccess ping https http ssh telnet
FORTIGATE (internal) # end
WEB Procedure: go to System > Network > Interface > internal, then type the description of the interface, enter the IP address with its netmask and tick the access services you want.
Configure the Phase-I VPN parameters as listed in the table above
CLI Procedure:
FORTIGATE # config vpn ipsec phase1-interface
FORTIGATE (phase1-interface) # edit VPN-GW
FORTIGATE (VPN-GW) # set mode main
FORTIGATE (VPN-GW) # set interface "wan1"
FORTIGATE (VPN-GW) # set proposal 3des-sha1
FORTIGATE (VPN-GW) # set dhgrp 5
FORTIGATE (VPN-GW) # set dpd enable
FORTIGATE (VPN-GW) # set keylife 28800
FORTIGATE (VPN-GW) # set keepalive 10
FORTIGATE (VPN-GW) # set nattraversal enable
FORTIGATE (VPN-GW) # set remote-gw 10.10.10.2
FORTIGATE (VPN-GW) # set psksecret <preshared-key>
FORTIGATE (VPN-GW) # end
WEB Procedure: go to VPN > IPsec > Auto Key (IKE), type the VPN gateway name and set the Phase-I parameters as listed in the table. Note that these parameters must be the same on both VPN devices.
Configure the Phase-II VPN parameters as listed in the table above
CLI Procedure:
FORTIGATE # config vpn ipsec phase2-interface
FORTIGATE (phase2-interface) # edit VPN-TUNNEL
FORTIGATE (VPN-TUNNEL) # set phase1name "VPN-GW"
FORTIGATE (VPN-TUNNEL) # set proposal 3des-sha1
FORTIGATE (VPN-TUNNEL) # set replay enable
FORTIGATE (VPN-TUNNEL) # set pfs enable
FORTIGATE (VPN-TUNNEL) # set dhgrp 5
FORTIGATE (VPN-TUNNEL) # set keylifeseconds 86400
FORTIGATE (VPN-TUNNEL) # set keepalive enable
FORTIGATE (VPN-TUNNEL) # set src-subnet 192.168.200.0 255.255.255.0
FORTIGATE (VPN-TUNNEL) # set dst-subnet 192.168.100.0 255.255.255.0
FORTIGATE (VPN-TUNNEL) # end
WEB Procedure: go to VPN > IPsec > Auto Key (IKE), type the VPN tunnel name and set the Phase-II parameters as listed in the table. Note that these parameters must be the same on both VPN devices.
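A single proposal value that differs between the two boxes, or a proxy-ID that is not mirrored, is the usual reason a tunnel like this stays down, so here is an added example (my own Python, not from the page or either vendor) that normalises the SRX set commands from the Phase-I/Phase-II sections above and the FortiGate phase1/phase2 lines from the two sections just given into one form and reports every value that disagrees. The configuration excerpts are constructed from this page, and the parser only knows the handful of keywords used here.

```python
import ipaddress
# Constructed excerpts of the SRX "set" commands and the FortiGate phase1/phase2 lines from this page.
SRX = """
set security ike proposal IKE-PROPOSAL dh-group group5
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5
set security ipsec vpn IPSEC-VPN ike proxy-identity local 192.168.100.0/24
set security ipsec vpn IPSEC-VPN ike proxy-identity remote 192.168.200.0/24
"""
FGT = """
config vpn ipsec phase1-interface
    set proposal 3des-sha1
    set dhgrp 5
config vpn ipsec phase2-interface
    set proposal 3des-sha1
    set dhgrp 5
    set src-subnet 192.168.200.0 255.255.255.0
    set dst-subnet 192.168.100.0 255.255.255.0
"""

def parse_srx(text):
    # Junos: phase is "ike" vs "ipsec" (3rd token); the value is the last token on each line.
    p = {}
    for w in (l.split() for l in text.splitlines() if l.strip()):
        ph = "p1" if w[2] == "ike" else "p2"
        if "encryption-algorithm" in w: p[ph + "_enc"] = w[-1]
        elif "authentication-algorithm" in w: p[ph + "_auth"] = w[-1].replace("hmac-", "").replace("-96", "")
        elif "dh-group" in w or "keys" in w: p[ph + "_dh"] = w[-1].replace("group", "")  # IKE DH or PFS group
        elif "proxy-identity" in w: p[w[-2]] = w[-1]  # keys "local" / "remote"
    return p
def parse_fgt(text):
    # FortiOS: phase comes from the enclosing "config" block; a proposal is written "<enc>-<auth>".
    p, ph = {}, None
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "config": ph = "p1" if "phase1" in w[-1] else "p2"
        elif w[0] != "set": continue  # edit/next/end lines carry no parameters
        elif w[1] == "proposal":  # first proposal only; FortiOS names 3des-cbc just "3des"
            enc, auth = w[2].split("-"); p[ph + "_enc"], p[ph + "_auth"] = enc + "-cbc", auth
        elif w[1] == "dhgrp": p[ph + "_dh"] = w[2]
        elif w[1] in ("src-subnet", "dst-subnet"):  # dotted netmask -> prefix notation
            p["local" if w[1] == "src-subnet" else "remote"] = str(ipaddress.ip_network(w[2] + "/" + w[3]))
    return p
def mismatches(srx, fgt):
    # (key, srx_value, fortigate_value) for every difference; proxy-IDs are compared crosswise.
    swap = {"local": "remote", "remote": "local"}
    return [(k, srx.get(k), fgt.get(swap.get(k, k)))
            for k in sorted(set(srx) | set(fgt)) if srx.get(k) != fgt.get(swap.get(k, k))]
```

Running `mismatches(parse_srx(SRX), parse_fgt(FGT))` on the two excerpts returns an empty list; change the FortiGate Phase-II `dhgrp` or a subnet and the offending key is reported with both sides' values.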
Configure the firewall policies to and from the internal interface and the VPN-GW tunnel interface
Here the policy ID is locally significant and must be unique for each policy. Both policies permit all source and destination addresses with any service, one in each direction between the internal interface and the VPN-GW tunnel interface.
CLI Procedure:
FORTIGATE # config firewall policy
FORTIGATE (policy) # edit 1
FORTIGATE (1) # set srcintf VPN-GW
FORTIGATE (1) # set dstintf internal
FORTIGATE (1) # set srcaddr "all"
FORTIGATE (1) # set dstaddr "all"
FORTIGATE (1) # set action accept
FORTIGATE (1) # set schedule "always"
FORTIGATE (1) # set service "ANY"
FORTIGATE (1) # end
WEB Procedure: go to Firewall > Policy and create the same policy as in the CLI procedure.
CLI Procedure for the reverse direction (internal to VPN-GW), using a second, unique policy ID:
FORTIGATE # config firewall policy
FORTIGATE (policy) # edit 2
FORTIGATE (2) # set srcintf internal
FORTIGATE (2) # set dstintf VPN-GW
FORTIGATE (2) # set srcaddr "all"
FORTIGATE (2) # set dstaddr "all"
FORTIGATE (2) # set action accept
FORTIGATE (2) # set schedule "always"
FORTIGATE (2) # set service "ANY"
FORTIGATE (2) # end
WEB Procedure: go to Firewall > Policy and create the same policy as in the CLI procedure.
Configure the default route with next-hop VPN-GW
The default static route is configured with the device VPN-GW. The route ID "1" is locally significant and must be unique among the static routes. Because no destination is set, this route is 0.0.0.0/0, so everything without a more specific route is sent into the tunnel; only traffic to 192.168.100.0/24 matches the Phase-II proxy-identity that the SRX side accepts.
CLI Procedure:
FORTIGATE # config router static
FORTIGATE (static) # edit 1
FORTIGATE (1) # set device "VPN-GW"
FORTIGATE (1) # end
WEB Procedure: go to System > Router > Static and create the same route as in the CLI procedure.
Some useful commands for the FortiGate CLI
get system status: shows the firmware version installed on the unit
show vpn ipsec phase1-interface: view the Phase-I configuration
show vpn ipsec phase2-interface: view the Phase-II configuration
show router static: view the static routes
show system interface: view the interfaces
get ipsec tunnel list: view whether each VPN tunnel is up or down
execute ping <IP_address>: ping a host