Monday, September 9, 2013

VPN ikev2 Juniper to Fortigate ROUTE_VPN ( part#1 )

In this post we will look at a simple IKEv2 route-based VPN between a Fortigate running 5.0.3 and a Juniper running 12.1X44-D20.3.

Here's the topology;




We will allow all traffic between 10.10.80.0/24 (FGT side) and 10.98.10.0/24 (SRX side). The gear involved:

Fortigate FWF60D
Juniper   SRX210H

First, I want to upgrade my Juniper to the following codeset.




After the upgrade and reboot, we start the configuration.



Now let's begin:


Let's define the IKE proposal and policy:







Okay, simple: we are allowing AES128-256 with SHA1, and an IKE policy "ike1" with a PSK, using main mode. Now we bind the policy to the gateway entry. I called my gateway fgtfwf60d.





NOTE: since we are doing IKEv2, we specify v2-only.

Here are the cfg lines:

set security ike proposal ike-p1 authentication-method pre-shared-keys
set security ike proposal ike-p1 dh-group group5
set security ike proposal ike-p1 authentication-algorithm sha1
set security ike proposal ike-p1 encryption-algorithm aes-128-cbc
set security ike policy ike1 proposals ike-p1
set security ike policy ike1 pre-shared-key ascii-text S3cur3d1ty
#
# the gateway name must be spelled the same on every line, or Junos creates two half-configured gateways
set security ike gateway fgtfwf60d external-interface ge-0/0/0.0
set security ike gateway fgtfwf60d ike-policy ike1
set security ike gateway fgtfwf60d address 100.100.100.1

set security ike gateway fgtfwf60d version v2-only


Okay, now let's create a tunnel interface. Keep in mind this is a route-based VPN, which means we have a "route" to reach the remote network, or we run a routing protocol over the VPN. The alternative is a "policy"-based VPN, and that means just that: the tunnel is selected by a firewall policy.



And the corresponding configuration:

set interfaces st0 unit 0 family inet
set security zones security-zone untrust-ipsec interfaces st0.0
set routing-options static route 10.10.80.0/24 next-hop st0.0


I want to stop and explain the config up to this point:


  1. we've defined our IKE proposal and policy
  2. we've bound these to a gateway named fgtfwf60d
  3. we created a virtual tunnel interface named st0 and placed it in a security zone
  4. we installed a static route to reach the remote subnet via that interface

So, the last part: we must have firewall policies to allow traffic from the local to the remote network.

Here are the final configurations:

set security zones security-zone remotevpn01 interfaces st0.0
set security zones security-zone remotevpn01 address-book address REM01 10.10.80.0/24
set security zones security-zone trust address-book address LAN01 10.98.10.0/24
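The gateway, zone and st0 statements above are easy to get subtly wrong by hand: a gateway name typed two different ways silently yields two half-configured gateways, and an interface listed in two zones will not commit. The following script is an added example written for this post, not Junos or Fortinet code; it parses a constructed sample of `set` lines (modelled on the config above, with a placeholder PSK, a deliberately misspelled gateway name and st0.0 in two zones) and reports those inconsistencies before you paste anything into the SRX.

```python
"""Sanity-check Junos 'set' lines for the IKE gateway / st0 pieces of a route-based VPN.

Hypothetical helper written for this post, not Junos or Fortinet code. It only
understands the handful of statement shapes used in the post.
"""
from collections import defaultdict

# Constructed sample modelled on the post's config. The gateway name is
# deliberately spelled two ways and st0.0 is placed in two zones, so the
# checks below have something to report. The PSK is a placeholder.
SAMPLE = """\
set security ike proposal ike-p1 authentication-method pre-shared-keys
set security ike proposal ike-p1 dh-group group5
set security ike proposal ike-p1 authentication-algorithm sha1
set security ike proposal ike-p1 encryption-algorithm aes-128-cbc
set security ike policy ike1 proposals ike-p1
set security ike policy ike1 pre-shared-key ascii-text PLACEHOLDER-PSK
set security ike gateway fgt-wf60d external-interface ge-0/0/0.0
set security ike gateway fgtfwf60d ike-policy ike1
set security ike gateway fgtfwf60d address 100.100.100.1
set security ike gateway fgtfwf60d version v2-only
set interfaces st0 unit 0 family inet
set security zones security-zone untrust-ipsec interfaces st0.0
set security zones security-zone remotevpn01 interfaces st0.0
set routing-options static route 10.10.80.0/24 next-hop st0.0
"""

# Every gateway needs all four of these for the tunnel to come up.
REQUIRED_GATEWAY_KEYS = ("external-interface", "ike-policy", "address", "version")


def parse_set_lines(text):
    """Index the statements we care about; everything else is ignored."""
    gateways = defaultdict(dict)      # gateway name -> {key: value}
    policies = defaultdict(dict)      # ike policy name -> {key: value}
    proposals = set()                 # ike proposal names
    zone_ifaces = defaultdict(list)   # interface -> [zone, ...]
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 5 or tok[0] != "set":
            continue
        head, name, rest = tok[1:4], tok[4], tok[5:]
        if head == ["security", "ike", "gateway"] and rest:
            gateways[name][rest[0]] = " ".join(rest[1:])
        elif head == ["security", "ike", "policy"] and rest:
            policies[name][rest[0]] = " ".join(rest[1:])
        elif head == ["security", "ike", "proposal"]:
            proposals.add(name)
        elif (head == ["security", "zones", "security-zone"]
              and len(rest) >= 2 and rest[0] == "interfaces"):
            zone_ifaces[rest[1]].append(name)
    return gateways, policies, proposals, zone_ifaces


def lint(text):
    """Return a list of human-readable findings (an empty list means clean)."""
    gateways, policies, proposals, zone_ifaces = parse_set_lines(text)
    findings = []
    for name, attrs in gateways.items():
        for key in REQUIRED_GATEWAY_KEYS:
            if key not in attrs:
                findings.append(f"gateway {name}: missing '{key}' "
                                "(name typo splitting one gateway in two?)")
        version = attrs.get("version")
        if version is not None and version != "v2-only":
            findings.append(f"gateway {name}: version is '{version}', expected v2-only for IKEv2")
        policy = attrs.get("ike-policy")
        if policy is not None and policy not in policies:
            findings.append(f"gateway {name}: ike-policy '{policy}' is not defined")
    for name, attrs in policies.items():
        for prop in attrs.get("proposals", "").split():
            if prop not in proposals:
                findings.append(f"ike policy {name}: proposal '{prop}' is not defined")
    for iface, zones in zone_ifaces.items():
        if len(zones) > 1:
            findings.append(f"interface {iface} is in more than one zone: {', '.join(zones)}")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE):
        print(line)
```

Run as-is it prints five findings: three for the misspelled `fgt-wf60d` (it lacks ike-policy, address and version), one for `fgtfwf60d` (it lacks external-interface), and one for `st0.0` appearing in both zones. Fix the spelling and drop one of the zone lines and the list comes back empty.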


fwpolicy


It's a good idea to TCP-adjust IPsec traffic, aka MSS clamping.

set security flow tcp-mss ipsec-vpn  mss 1360


IPsec adds some overhead, so the TCP MSS of traffic crossing the tunnel needs to be reduced to make room for it.
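To see where a value like 1360 comes from, the following added example (written for this post, not vendor code) adds up the ESP tunnel-mode overhead for the cipher suite configured above, AES-128-CBC with HMAC-SHA1-96 over IPv4, and finds the largest MSS that still fits a 1500-byte path MTU, with and without NAT-T UDP encapsulation. The block sizes are the standard ESP/AES/SHA1 ones; the assumption is plain IPv4 with no IP or TCP options.

```python
"""Work out how much an ESP tunnel inflates a TCP segment and what MSS fits an MTU.

Added for this post (not vendor code). Assumes the cipher suite configured
in the post: AES-128-CBC + HMAC-SHA1-96, ESP tunnel mode over IPv4, no options.
"""

OUTER_IPV4 = 20      # new outer IP header added by tunnel mode
NAT_T_UDP = 8        # UDP header if NAT traversal encapsulation is in use
ESP_HEADER = 8       # SPI (4) + sequence number (4)
AES_CBC_IV = 16      # explicit IV, one AES block
AES_BLOCK = 16       # CBC pads the plaintext up to a block boundary
ESP_TRAILER = 2      # pad length (1) + next header (1)
SHA1_96_ICV = 12     # truncated HMAC-SHA1 integrity check value
INNER_HEADERS = 40   # inner IPv4 (20) + TCP (20), no options


def esp_overhead(inner_len, nat_t=False):
    """Bytes ESP tunnel mode adds to an inner packet of inner_len bytes."""
    # Plaintext = inner packet + padding + trailer, padded to a whole AES block.
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER
            + AES_CBC_IV + pad + ESP_TRAILER + SHA1_96_ICV)


def outer_size(mss, nat_t=False):
    """Size on the wire of a full-MSS TCP segment after encapsulation."""
    inner = INNER_HEADERS + mss
    return inner + esp_overhead(inner, nat_t)


def max_tcp_mss(path_mtu=1500, nat_t=False):
    """Largest MSS whose encapsulated packet still fits path_mtu unfragmented."""
    mss = path_mtu - INNER_HEADERS
    while mss > 0 and outer_size(mss, nat_t) > path_mtu:
        mss -= 1
    return mss


def fits(mss, path_mtu=1500, nat_t=False):
    """True if a clamped MSS of `mss` never needs fragmentation on path_mtu."""
    return outer_size(mss, nat_t) <= path_mtu


if __name__ == "__main__":
    for nat in (False, True):
        print(f"NAT-T={nat}: max MSS {max_tcp_mss(nat_t=nat)}, "
              f"MSS 1360 -> {outer_size(1360, nat)} bytes on the wire")
```

With these parameters the largest MSS that never fragments on a 1500-byte path is 1398 without NAT-T and 1382 with it; the post's 1360 leaves a margin under both, which is why it is a common default. The CBC padding is the reason the answer is not a simple subtraction: several neighbouring MSS values all pad up to the same block boundary.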

(Stay tuned, we look at the FGT side of things next in part 2.)


Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \

2 comments:

  1. you forgot to mention the ipsec proposal

  2. Yes, & in my case the standard proposal set (basic) was already configured in the unit.
