Here's the topology;
We will allow all traffic between 10.10.80.0/24 (FGT) and 10.98.10.0/24 (SRX). The models of gear involved;
Fortigate FWF60D
Juniper SRX210H
First, I want to upgrade my Juniper to the following codeset.
After the upgrade and reboot, we start the configuration.
Now let's begin;
Let's define some proposal and policies;
Okay, simple: we are allowing AES128-256 + SHA1 and an IKE policy "ike1" with PSK, using main mode. Now we bind the policy to the gateway entry. I called my gateway fgtfwf60d.
NOTE: since we are doing IKEv2 we specify v2-only.
Here are the cfg lines;
set security ike proposal ike-p1 authentication-method pre-shared-keys
set security ike proposal ike-p1 dh-group group5
set security ike proposal ike-p1 authentication-algorithm sha1
set security ike proposal ike-p1 encryption-algorithm aes-128-cbc
set security ike policy ike1 proposals ike-p1
set security ike policy ike1 pre-shared-key ascii-text S3cur3d1ty
set security ike gateway fgtfwf60d external-interface ge-0/0/0.0
set security ike gateway fgtfwf60d ike-policy ike1
set security ike gateway fgtfwf60d address 100.100.100.1
set security ike gateway fgtfwf60d version v2-only
Okay, now let's create a tunnel interface. Keep in mind this is a route-based VPN, so that means we have a "route" to get to the remote network, or we are using a routing protocol over the VPN. The alternative is a "policy"-based VPN, and that means just that: we deploy a firewall policy.
And the corresponding configurations;
set interfaces st0 unit 0 family inet
set security zones security-zone untrust-ipsec interfaces st0.0
set routing-options static route 10.10.80.0/24 next-hop st0.0
- we've defined our IKE proposal & policy
- we've bound these to a gateway named fgtfwf60d
- we crafted a virtual interface named st0 and placed it in a security zone
- we have a static route installed to reach the right-side subnet
So the last part; we must have firewall policies to allow traffic from the local to the remote network.
So here's the final configurations;
set security zones security-zone remotevpn01 interfaces st0.0
set security zones security-zone remotevpn01 address-book address REM01 10.10.80.0/24
set security zones security-zone trust address-book address LAN01 10.98.10.0/24
fwpolicy
set security flow tcp-mss ipsec-vpn mss 1360
IPsec adds some overhead, so the TCP MSS for traffic through the tunnel needs to be reduced to account for it.
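To round out the route-based build described above (tunnel interface, static route, zones, address-book entries and MSS clamp), here is an added example of the phase-2 and security-policy pieces the post refers to but does not list. This is my own config, not the original post's: the names ipsec-p1, ipsec-pol1, vpn-fgt01, lan01-to-rem01 and rem01-to-lan01 are assumed, and the untrust zone holding ge-0/0/0.0 is assumed to be named untrust. The zone remotevpn01, the address-book entries LAN01 and REM01, and the gateway fgtfwf60d are taken from the post. Lines beginning with ## are notes for the reader.

```junos
## Phase 2 (IPsec) proposal: ESP with AES-128-CBC and HMAC-SHA1, matching the
## strength of the IKE proposal; PFS re-uses DH group 5 from phase 1.
set security ipsec proposal ipsec-p1 protocol esp
set security ipsec proposal ipsec-p1 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-p1 authentication-algorithm hmac-sha1-96
set security ipsec policy ipsec-pol1 perfect-forward-secrecy keys group5
set security ipsec policy ipsec-pol1 proposals ipsec-p1

## The VPN object ties the IKE gateway, the IPsec policy and the st0.0
## tunnel interface together; binding to st0.0 is what makes it route-based.
set security ipsec vpn vpn-fgt01 bind-interface st0.0
set security ipsec vpn vpn-fgt01 ike gateway fgtfwf60d
set security ipsec vpn vpn-fgt01 ike ipsec-policy ipsec-pol1
set security ipsec vpn vpn-fgt01 establish-tunnels immediately

## IKE must be accepted on the external interface (assumed zone name: untrust).
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

## Security policies, one per direction, scoped to the two address-book
## entries rather than "any", so only the two LANs may cross the tunnel.
## Logging at session close gives the SOC a record of what used the VPN.
set security policies from-zone trust to-zone remotevpn01 policy lan01-to-rem01 match source-address LAN01
set security policies from-zone trust to-zone remotevpn01 policy lan01-to-rem01 match destination-address REM01
set security policies from-zone trust to-zone remotevpn01 policy lan01-to-rem01 match application any
set security policies from-zone trust to-zone remotevpn01 policy lan01-to-rem01 then permit
set security policies from-zone trust to-zone remotevpn01 policy lan01-to-rem01 then log session-close

set security policies from-zone remotevpn01 to-zone trust policy rem01-to-lan01 match source-address REM01
set security policies from-zone remotevpn01 to-zone trust policy rem01-to-lan01 match destination-address LAN01
set security policies from-zone remotevpn01 to-zone trust policy rem01-to-lan01 match application any
set security policies from-zone remotevpn01 to-zone trust policy rem01-to-lan01 then permit
set security policies from-zone remotevpn01 to-zone trust policy rem01-to-lan01 then log session-close
```

After the commit, "show security ike security-associations" and "show security ipsec security-associations" confirm phase 1 and phase 2 are up, and "show security flow session" shows the LAN01/REM01 sessions riding st0.0. Note that st0.0 can live in only one zone, so the zone named in the interface binding and the zone named in the policies must be the same one.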
( stay tuned, we look at the FGT side of things next in part 2 )
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( @ @ )=
o
/ \
you forgot to mention the ipsec proposal
Yes, & in my case the standard proposal set ( basic ) was already configured in the unit.