Monday, September 9, 2013

VPN ikev2 Juniper to Fortigate ROUTE_VPN ( part#1 )

In this post we will look at a simple VPN between a Fortigate running 5.0.3 and a Juniper running 12.1X44-D20.3.

Here's the topology;

We will allow all traffic between the FGT and the SRX. The models of gear involved;

Fortigate FWF60D
Juniper SRX210H

First, I want to upgrade my Juniper to the following codeset.

After the upgrade and reboot, we start the configuration.

Now let's begin;

Let's define some proposals and policies;

Okay, simple: we are allowing AES128-256 + sha1 and an IKE policy "ike1" with PSK, using main mode. Now we bind the policy to the gateway entry. I called my gateway fgtfwf60d.

NOTE: since we are doing IKEv2, we specify v2-only.

here's the cfg lines;

set security ike proposal ike-p1 authentication-method pre-shared-keys
set security ike proposal ike-p1 dh-group group5
set security ike proposal ike-p1 authentication-algorithm sha1
set security ike proposal ike-p1 encryption-algorithm aes-128-cbc
set security ike policy ike1 proposals ike-p1
set security ike policy ike1 pre-shared-key ascii-text S3cur3d1ty
set security ike gateway fgtfwf60d external-interface ge-0/0/0.0
set security ike gateway fgtfwf60d ike-policy ike1
set security ike gateway fgtfwf60d address
set security ike gateway fgtfwf60d version v2-only

Okay, now let's create a tunnel interface. Keep in mind this is a route-based VPN, so that means we have a route to get to the remote network, or we run a routing protocol over the VPN. The alternative is a policy-based VPN, and that means just that: we deploy a firewall policy.

And the corresponding configurations;

set interfaces st0 unit 0 family inet
set security zones security-zone untrust-ipsec interfaces st0.0
set routing-options static route next-hop st0.0

I want to stop and explain the config up to this point;

  1. we've defined our IKE proposal and policy
  2. we've bound these to a gateway named fgtfwf60d
  3. we crafted a virtual interface named st0 and applied it to a security zone
  4. we have a route installed to reach the right subnet

So the last part: we must have firewall policies to allow traffic from the local to the remote networks.

So here's the final configurations;

set security zones security-zone remotevpn01 interfaces st0.0
set security zones security-zone remotevpn01 address-book address REM01
set security zones security-zone trust address-book address LAN01
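Typing these set commands by hand invites small slips: a gateway name that differs between two lines, a tunnel interface bound to more than one zone, a policy pointing at a proposal that was never defined. The real check on the box is `commit check`, but it is handy to have a pre-flight for notes and scripts. The following is an added example written for this post in Python, not Junos tooling and not the author's own code. The sample config it parses is constructed from the lines above with two deliberate slips (a `fgt-wf60d` / `fgtfwf60d` mismatch and `st0.0` in two zones); the rules it applies are assumptions about what a sane config must have, not an exhaustive Junos validator.

```python
from collections import defaultdict

# Constructed sample in the style of the post, with two deliberate slips:
# the gateway name is typed two ways, and st0.0 is bound to two zones.
SAMPLE_CONFIG = """
set security ike proposal ike-p1 authentication-method pre-shared-keys
set security ike proposal ike-p1 dh-group group5
set security ike proposal ike-p1 authentication-algorithm sha1
set security ike proposal ike-p1 encryption-algorithm aes-128-cbc
set security ike policy ike1 proposals ike-p1
set security ike gateway fgt-wf60d external-interface ge-0/0/0.0
set security ike gateway fgtfwf60d ike-policy ike1
set security ike gateway fgtfwf60d version v2-only
set interfaces st0 unit 0 family inet
set security zones security-zone untrust-ipsec interfaces st0.0
set security zones security-zone remotevpn01 interfaces st0.0
set security flow tcp-mss ipsec-vpn mss 1360
"""


def parse_set_lines(text):
    """Yield the token list after 'set' for each set line, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "set":
            yield tokens[1:]


def check_config(text):
    """Return human-readable findings for a set-style IKE/zone config (empty list = clean)."""
    proposals = set()
    policies = {}                     # policy name -> proposal it references (or None)
    gateways = defaultdict(dict)      # gateway name -> {attribute: value}
    zone_of = defaultdict(set)        # interface -> set of zones that claim it

    for t in parse_set_lines(text):
        if t[:3] == ["security", "ike", "proposal"]:
            proposals.add(t[3])
        elif t[:3] == ["security", "ike", "policy"]:
            if len(t) > 5 and t[4] == "proposals":
                policies[t[3]] = t[5]
            else:
                policies.setdefault(t[3], None)
        elif t[:3] == ["security", "ike", "gateway"]:
            if len(t) > 5:
                gateways[t[3]][t[4]] = t[5]
        elif t[:3] == ["security", "zones", "security-zone"]:
            if len(t) > 5 and t[4] == "interfaces":
                zone_of[t[5]].add(t[3])

    findings = []
    for name, prop in policies.items():
        if prop is None:
            findings.append(f"ike policy {name} references no proposal")
        elif prop not in proposals:
            findings.append(f"ike policy {name} references undefined proposal {prop}")

    # Assumed minimum for a usable gateway: it must know which interface to
    # talk on and which policy to negotiate with.
    for name, attrs in gateways.items():
        for required in ("external-interface", "ike-policy"):
            if required not in attrs:
                findings.append(f"ike gateway {name} is missing {required}")
        pol = attrs.get("ike-policy")
        if pol and pol not in policies:
            findings.append(f"ike gateway {name} references undefined policy {pol}")

    # A logical interface belongs to exactly one security zone.
    for ifname, zones in zone_of.items():
        if len(zones) > 1:
            findings.append(
                f"interface {ifname} is bound to more than one zone: {', '.join(sorted(zones))}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the constructed sample the checker reports three findings: the gateway `fgt-wf60d` has no ike-policy, the gateway `fgtfwf60d` has no external-interface (both symptoms of the same name mismatch), and `st0.0` is claimed by two zones. Fix the name and drop the duplicate zone binding and the list comes back empty.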


It's a good idea to adjust the TCP MSS of IPsec traffic, aka MSS clamping.

set security flow tcp-mss ipsec-vpn mss 1360

IPsec adds some overhead, so the MSS of TCP traffic through the tunnel needs to be reduced to make room for it.
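To see where a value like 1360 comes from, here is an added worked example in Python (not from the post and not Junos code). It sums the ESP tunnel-mode overhead for the AES-128-CBC + SHA1 proposal used above and searches for the largest MSS whose full-size segment still fits a 1500-byte path MTU. The header sizes are standard values taken as assumptions here (20-byte IPv4 and TCP headers, 8-byte ESP header, 16-byte AES-CBC IV, 2-byte pad-length/next-header trailer, 12-byte HMAC-SHA1-96 ICV, 8-byte UDP header when NAT-T is in play); the example goes a little beyond the post by also covering the NAT-T case.

```python
# Assumed standard header sizes (bytes); not taken from the post.
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8          # SPI + sequence number
UDP_HDR = 8          # NAT-T UDP encapsulation, only if in use
PAD_TRAILER = 2      # pad-length + next-header fields

# cipher -> (IV length, block size); auth -> ICV length. Assumed values.
CIPHERS = {
    "aes-128-cbc": (16, 16),
    "aes-256-cbc": (16, 16),
    "3des-cbc": (8, 8),
}
AUTH_ICV = {
    "hmac-sha1-96": 12,
    "hmac-md5-96": 12,
    "hmac-sha-256-128": 16,
}


def esp_tunnel_overhead(inner_len, cipher, auth, nat_t=False):
    """Bytes added when an inner IP packet of inner_len is wrapped in ESP tunnel mode."""
    iv, block = CIPHERS[cipher]
    # The encrypted region is inner packet + padding + 2-byte trailer,
    # padded up to a whole number of cipher blocks.
    pad = (-(inner_len + PAD_TRAILER)) % block
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv
    return outer + pad + PAD_TRAILER + AUTH_ICV[auth]


def segment_fits(mss, path_mtu, cipher, auth, nat_t=False):
    """True if a full-size TCP segment with this MSS fits in path_mtu after ESP."""
    inner = IPV4_HDR + TCP_HDR + mss
    return inner + esp_tunnel_overhead(inner, cipher, auth, nat_t) <= path_mtu


def max_tcp_mss(path_mtu, cipher, auth, nat_t=False):
    """Largest MSS whose full-size segment still fits path_mtu after ESP tunnel mode.

    Counts down from the plain-Ethernet MSS because block padding makes the
    relationship non-monotonic near the boundary.
    """
    mss = path_mtu - IPV4_HDR - TCP_HDR
    while mss > 0:
        if segment_fits(mss, path_mtu, cipher, auth, nat_t):
            return mss
        mss -= 1
    return 0


if __name__ == "__main__":
    proposal = ("aes-128-cbc", "hmac-sha1-96")
    print("max MSS, no NAT-T :", max_tcp_mss(1500, *proposal))
    print("max MSS, NAT-T    :", max_tcp_mss(1500, *proposal, nat_t=True))
    print("1360 fits         :", segment_fits(1360, 1500, *proposal, nat_t=True))
```

For AES-128-CBC with HMAC-SHA1-96 the ceiling works out to 1398 bytes without NAT-T and 1382 with it, so the post's 1360 leaves a comfortable margin in both cases; swap in a bigger ICV or a different path MTU and the function tells you whether the clamp still holds.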

( stay tuned, we look at the FGT side of things next in part 2 )

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
       /     \


  1. You forgot to mention the IPsec proposal

  2. Yes, and in my case the standard proposal set ( basic ) was already configured in the unit.