Tuesday, September 10, 2013

VPN IKEv2 Juniper to Fortigate ROUTE_VPN ( part 2 )

In part 1, we looked at the Juniper SRX; in this part we will explore the Fortigate side of things with regard to configuring a site-to-site VPN.

http://socpuppet.blogspot.com/2013/09/vpn-ikev2-juniper-to-fortigate-routevpn.html

The Fortigate series, like the Juniper, supports both route-based and policy-based VPNs. And to repeat: "a route-based VPN has a route ..... duh" :)



So first off, let's look at the basis of the configuration:



I flagged some parts of the configuration.


First, we issue a single proposal, AES128/SHA1, that matches the proposal used on the Juniper. The reason for a single proposal: we don't need to offer multiple proposals in a static L2L VPN (aka site-to-site VPN) when we have two consenting VPN devices.

By being deterministic and applying the proper cipher and authentication methods for your VPNs, you eliminate possible issues.


It blows my mind when I see firewall engineers offering multiple proposals in a site-to-site VPN solution. Unless the VPN is for dynamic clients, where the "clients" are possibly unknown, we should define exactly the proposal we expect from our peer.

Next, the typical default for the proxy-ID (quick mode selectors) is the quick and easy "0.0.0.0/0 proto 0", but I never do that in a route-based VPN, even when peering with another Fortigate.

That's being lazy, and with some firewall appliances (Cisco, Openswan, Check Point, etc.) it would cause problems later on. Define the "exact" subnets for the local and remote networks between the peers.

Finally, the above solution needs a route installed and pointed at the named phase 1 gateway. In my case, I named it simply "SRX".

And lastly (not shown), you need a firewall policy to allow traffic to and from the VPN tunnel interface.



Yeap,

That's all you need for a site-to-site VPN between an SRX and a Fortigate. In this setup we are using IKEv2, which offers a few additional benefits over version 1. One other critical point that should be mentioned for IKEv2: "during negotiation, only one DH group should be installed".




As I stated above, "install one proposal, and only one proposal"; save yourself the frustration.


Advantages of IKEv2:

  • It's quicker to set up (fewer messages overall)
  • It supports asymmetric authentication parameters (different PSKs for local and remote, and even mixing PSK with certificate authentication is supported)
  • No more confusion as to whether I need "aggressive or main mode"
  • Both Juniper and Fortinet have supported IKEv2 for a long time (Cisco only recently added support, around ASA 8.4; the IOS routers had it well before the ASA)

In part 3, we will look at some diagnostic steps and commands on the two chassis (SRX and Fortigate FGT).

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \
