http://socpuppet.blogspot.com/2013/09/vpn-ikev2-juniper-to-fortigate-routevpn.html
The FortiGate series, like the Juniper, also supports both route-based and policy-based VPNs. And to repeat: "a route-based VPN has a route ..... duh" :)
So first off, let's look at the basis of the configuration:
I flagged some parts of the configuration.
First, we are issuing a single proposal, AES128/SHA1, that matches the proposal used on the Juniper. The reason for a single proposal: we don't need to offer multiple proposals in a static L2L VPN (aka site2site VPN) when we have two consenting VPN devices.
By being deterministic and applying the proper cipher and authentication methods for your VPNs, you eliminate possible issues.
It blows my mind when I see firewall engineers offering multiple proposals in a site2site VPN solution. Unless the VPN is for dynamic clients, where the "clients" are possibly unknown, we should define exactly the proposal we expect from our peer.
Next, the typical default offering for the proxy-IDs (quick mode selectors) is to deploy the quick and easy "0.0.0.0/0 proto 0", but I never do that in a route-based VPN, even when doing this to another FortiGate.
That's being lazy, and on some firewall appliances (Cisco, Openswan, Check Point, etc.) that would cause problems later on. Define the "exact" subnets for the local and remote networks between the peers.
And finally, the above solution needs a route installed and pointed at the named phase1 gateway. In my case, I named it simply "SRX".
And lastly (not shown), you need a firewall policy to allow traffic to and from the VPN tunnel interface.
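As an added example (not the author's flagged configuration, which is not reproduced on this page), here is how those four pieces look on the FortiGate CLI: one IKEv2 proposal, explicit proxy-IDs, a static route on the phase1 name "SRX", and the firewall policy. The interface name wan1, the peer address 203.0.113.1, the subnets 192.168.10.0/24 and 10.20.30.0/24, DH group 14 and the PSK are placeholders I chose, not values from the post.

```fortios
# Phase 1: IKEv2, one proposal, one DH group (group 14 is my assumption)
config vpn ipsec phase1-interface
    edit "SRX"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes128-sha1
        set dhgrp 14
        set remote-gw 203.0.113.1
        set psksecret REPLACE-WITH-YOUR-PSK
    next
end
# Phase 2: explicit proxy-IDs for the local and remote subnets, not 0.0.0.0/0
config vpn ipsec phase2-interface
    edit "SRX-p2"
        set phase1name "SRX"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 14
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.20.30.0 255.255.255.0
    next
end
# Route for the remote subnet, pointed at the phase1 (tunnel interface) name
config router static
    edit 0
        set dst 10.20.30.0 255.255.255.0
        set device "SRX"
    next
end
config firewall address
    edit "LAN-NET"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "SRX-NET"
        set subnet 10.20.30.0 255.255.255.0
    next
end
# Policy LAN -> tunnel; the mirror policy (SRX -> internal) is needed for return traffic
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "SRX"
        set srcaddr "LAN-NET"
        set dstaddr "SRX-NET"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The phase2 subnets must match the SRX's proxy-IDs exactly (mirrored), otherwise phase2 fails even though phase1 comes up.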
Yeap, that's all you need for a site2site VPN between an SRX and a FortiGate. In this setup we are using IKEv2, which offers a few additional benefits over version 1. One other key critical part that should be mentioned for IKEv2: "during negotiation, only one DH group should be installed".
As I stated above, "install one proposal, and only one proposal"; save yourself the frustration.
Advantages of IKEv2:
- It's quicker in setup (fewer messages overall)
- Can support unique authentication parameters (different PSKs for local and remote, and even intermingling PSK with certificate is supported)
- No more confusion as to whether I need "aggressive or main mode"
- Both Juniper and Fortinet have supported IKEv2 for the longest (Cisco just recently added support around ASA 8.4, and the IOS routers had it supported way before the ASA)
In part #3, we will look at some diagnostic steps and commands on the two chassis (SRX and FortiGate FGT).
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com