Tuesday, October 15, 2019

Fortigate FGT to Juniper SRX vpn route-based with RSA signatures dynamic end-point

In this post I will demo a simple RSA-signature-based VPN between a FGT and a Juniper device. Again, I used "getacert" to sign the certificates for the FGT and SRX devices.

I will demo a CSR request from a Junos SRX, since it requires a few items that must be done first.

1: You need to define a private key. Decide on the key-pair name (the certificate-id) and the key size:


   request security pki generate-key-pair size 2048 type rsa certificate-id junipersrx

e.g.

kfelix@BROOKLYN> request security pki generate-key-pair size 1024 type rsa certificate-id newksc 

Generated key pair newksc, key size 1024 bits

2: Generate the CSR for that key pair; the subject given here is the DN the SRX will later present as its IKE identity, e.g.

kfelix@BROOKLYN> request security pki generate-certificate-request certificate-id newksc subject "CN=newksc,L=Austin,ST=TEXAS,C=US" domain-name vpn.socpuppets.com 
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
[CSR body omitted]
-----END CERTIFICATE REQUEST-----
Fingerprint:
0a:ab:39:05:4c:35:2c:48:ee:89:33:57:22:e1:62:77:21:d5:88:8f (sha1)

00:ce:6b:e5:fe:95:d4:91:fc:f4:ee:d4:70:7e:48:79 (md5)

3: Send the CSR off to your CA for signing, then scp the signed certificate onto the Juniper. Import the certificate and the CA certificate into the system at the same time.


4: Load the certificates with the following commands

e.g.

request security pki local-certificate load certificate-id <certificate-id> filename <cert-filename>
request security pki ca-certificate load ca-profile <ca-profile-name> filename <ca-cert-filename>

The certificate-id is the same name used when the key pair was generated (newksc above), and the ca-profile must already exist under "set security pki ca-profile" before the CA certificate can be loaded into it.




5: Once your respective certificates are loaded you can start the IPsec configuration. Here's the FGT configuration:




I'm using a peer-type of any for the FGT.


6: Junos is much the same, just with more steps. Here are our IKE/IPsec configurations:



I defined matching traffic selectors (TS) for the local/remote subnets within the encryption domain. I also set the DN as the local and remote ID. I will say more about the DN and wildcards later.


Since Junos uses a central NAT table, we want a NONAT rule for the VPN traffic and must ensure this rule is at the top of the list.

e.g.




You would also need a static route through the defined tunnel interface.
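Since the configuration screenshots are not reproduced here, the following is an added example (not the author's own configuration) of the SRX side of what steps 5 and 6 describe: certificate-based IKE with DN identities, a wildcard DN to accept the FortiGate as the dynamic end-point, traffic selectors, the NONAT rule forced to the top of the source-NAT rule set, and the static route through the tunnel. All names, addresses, the DN string and the CA profile are assumed placeholders; it also assumes IKEv2 and that st0.0 sits in the untrust zone, which is what makes the NONAT rule necessary.

```junos
# Constructed example: SRX side of a route-based, certificate-authenticated VPN
# (names, addresses, DNs and the CA profile are placeholders, not the author's values)

# PKI: CA profile that the CA certificate (step 4) is loaded into
set security pki ca-profile getacert-ca ca-identity getacert-ca

# IKE (phase 1): RSA signatures, the local certificate "newksc", DN-based identities
set security ike proposal IKE-RSA authentication-method rsa-signatures
set security ike proposal IKE-RSA dh-group group14
set security ike proposal IKE-RSA authentication-algorithm sha-256
set security ike proposal IKE-RSA encryption-algorithm aes-256-cbc
set security ike policy IKE-POL proposals IKE-RSA
set security ike policy IKE-POL certificate local-certificate newksc
set security ike gateway GW-FGT ike-policy IKE-POL
set security ike gateway GW-FGT external-interface ge-0/0/0.0
# the FGT is the dynamic end-point: accept a peer whose certificate DN matches this wildcard
set security ike gateway GW-FGT dynamic distinguished-name wildcard "O=SOCPUPPETS,C=US"
set security ike gateway GW-FGT local-identity distinguished-name
set security ike gateway GW-FGT version v2-only

# IPsec (phase 2) bound to st0.0, with traffic selectors matching the encryption domain
set security ipsec proposal ESP-AES protocol esp
set security ipsec proposal ESP-AES encryption-algorithm aes-256-cbc
set security ipsec proposal ESP-AES authentication-algorithm hmac-sha-256-128
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL proposals ESP-AES
set security ipsec vpn VPN-FGT bind-interface st0.0
set security ipsec vpn VPN-FGT ike gateway GW-FGT
set security ipsec vpn VPN-FGT ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-FGT traffic-selector TS-1 local-ip 10.1.1.0/24
set security ipsec vpn VPN-FGT traffic-selector TS-1 remote-ip 10.2.2.0/24
set interfaces st0 unit 0 family inet
set security zones security-zone untrust interfaces st0.0

# Central NAT: exempt the VPN subnets from interface source NAT and keep that rule first
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule NONAT-VPN match source-address 10.1.1.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule NONAT-VPN match destination-address 10.2.2.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule NONAT-VPN then source-nat off
set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-INTERNET match source-address 10.1.1.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule SNAT-INTERNET then source-nat interface
# enforce the ordering even if SNAT-INTERNET already existed before the VPN was added
insert security nat source rule-set TRUST-TO-UNTRUST rule NONAT-VPN before rule SNAT-INTERNET

# Static route for the remote subnet through the tunnel interface
set routing-options static route 10.2.2.0/24 next-hop st0.0
```

The wildcard DN is the only thing tying the tunnel to the peer's certificate subject, so keep it as narrow as your CA's naming allows.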




Okay, security policies aside, we should now see the tunnel up and can gather details.


FGT phase1 { diag vpn ike gateway }




FGT phase2 { diag vpn tunnel list  }




Juniper Phase1 {  show security ike security-associations }



For troubleshooting, use the route-based section of the JunOS checklist:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21781&actp=METADATA#IpsecRouteBased

For troubleshooting FortiOS:

diag vpn tunnel list
diag vpn ike gateway list
diag debug application ike -1



Items to review:


  • ensure the ca-certificate is installed
  • ensure the certificates are not expired
  • ensure the CN is correct in the configurations in JunOS and FortiOS










NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \
