In this post I will demo a simple RSA-signature-based VPN between a FGT and a Juniper device. Again I used "getacert" to sign the certificates for the FGT and SRX devices.
I will demo a CSR request from a Junos SRX since it requires a few items that must be done first.
1: You need to define a private key. Decide on the key-pair name and size:
request security pki generate-key-pair size 2048 type rsa certificate-id junipersrx
e.g.
kfelix@BROOKLYN> request security pki generate-key-pair size 1024 type rsa certificate-id newksc
Generated key pair newksc, key size 1024 bits
kfelix@BROOKLYN> request security pki generate-certificate-request certificate-id newksc subject "CN=newksc,L=Austin,ST=TEXAS,C=US" domain-name vpn.socpuppets.com
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Fingerprint:
0a:ab:39:05:4c:35:2c:48:ee:89:33:57:22:e1:62:77:21:d5:88:8f (sha1)
00:ce:6b:e5:fe:95:d4:91:fc:f4:ee:d4:70:7e:48:79 (md5)
3: Send the CSR off to your CA for signing and scp the signed cert onto the Juniper. Import the cert and the CA cert into the system at the same time.
4: Load the certificates with the following commands
e.g.
request security pki local-certificate load filename <certfilename>
request security pki ca-certificate load filename <ca-cert-filename>
5: Once you have your respective certificates loaded you can start the IPsec config. Here's the FGT config:
I'm using a peer type of any on the FGT.
6: Junos is much the same, just with more steps, but here are our IKE/IPsec configurations:
I defined matching traffic selectors (TS) for the local/remote subnets within the encryption domain. I also set the DN for determining the local and remote ID. I will speak more about the DN and wildcards.
Since Junos uses a central NAT table, we want a NO-NAT rule for the tunnel traffic and need to ensure this rule is at the top of the list.
e.g.
You would also need a static route through the defined tunnel.
Okay, security policies aside, we should now see the tunnel up and can gather details:
FGT phase1 { diag vpn ike gateway }
FGT phase2 { diag vpn tunnel list }
Juniper phase1 { show security ike security-associations }
For troubleshooting, use the route-based section of the Junos checklist:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21781&actp=METADATA#IpsecRouteBased
For troubleshooting FortiOS:
diag vpn tunnel list
diag vpn ike gateway
diag debug application ike -1
Items to review:
- ensure the CA certificate is installed
- ensure the certificates are not expired
- ensure the CN is correct in both the Junos and FortiOS configurations
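The following is an added example, not part of the original post and not the getacert tool the post uses. It covers step 3 (a throwaway local CA signing the SRX-style CSR, with the same subject the post uses) and then runs the three "items to review" above as openssl checks before anything is loaded onto the SRX or FGT: the CA cert really is the issuer of the local cert, the cert is not expired or about to expire, and the CN matches the ID the peer is configured to expect. All file names, the demo CA name and the two-day expiry window are constructed for the demo; only openssl is required.

```shell
#!/bin/sh
# Added example, not from the original post. A throwaway local CA stands in for
# getacert: it signs a CSR carrying the post's subject, then the three "items to
# review" are checked with openssl before anything is loaded onto the SRX/FGT.
# All file names are constructed for this demo; only openssl is required.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Steps 1-2 of the post, openssl style: key pair plus CSR with the same subject.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
        -keyout "$WORK/newksc.key" -out "$WORK/newksc.csr" \
        -subj "/C=US/ST=TEXAS/L=Austin/CN=newksc" >/dev/null 2>&1
}

# Step 3 of the post: the CA signs the CSR. $1 = validity in days, so the
# expiry check below can be exercised with a short-lived certificate.
sign_csr() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/demo.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/C=US/O=Demo CA/CN=demo-ca" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/newksc.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days "$1" \
        -out "$WORK/newksc.crt" >/dev/null 2>&1
}

# Review item 1: the CA cert we intend to load really is the issuer of the
# local cert (the IKE peer validates the chain, so a mismatch fails phase 1).
check_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/newksc.crt" >/dev/null 2>&1
}

# Review item 2: not expired, and not expiring within the next two days.
check_not_expiring() {
    openssl x509 -in "$WORK/newksc.crt" -noout -checkend 172800 >/dev/null 2>&1
}

# Review item 3: the CN the peer is configured to match (the DN-based
# local/remote ID) is the CN actually present in the certificate.
cert_cn() {
    openssl x509 -in "$WORK/newksc.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}
check_cn() {
    [ "$(cert_cn)" = "$1" ]
}

# Happy path: a one-year certificate that should pass all three checks.
make_csr
sign_csr 365
for c in check_chain check_not_expiring "check_cn newksc"; do
    if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
done
```

Run it as-is and all three checks print PASS; re-run `sign_csr 1` in the same shell and `check_not_expiring` fails while `check_chain` still passes, which is the "not expired" item in isolation. On a real deployment the same three openssl commands can be pointed at the files you scp'd to the SRX and the cert you exported from the FGT, with the CN compared against the DN-based ID configured on the other side.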
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com