http://socpuppet.blogspot.com/2019/10/fortigate-to-juniper-srx-vpn-route.html
Here we have the Juniper SRX acting as the "initiator" to a FortiGate configured as "responder-only", using certificates as the authentication method. We are using IKEv2.
Since the FortiGate is only a responder, all traffic has to be initiated from the SRX side. As in the previous post,
I'm using getacert for the CSR signing, and the same steps apply here. In real life this would be your private CA or certificates issued by a public CA. You will always need to ensure the rootCA certificate is imported into both firewalls.
- draft a CSR for both the Juniper and the FortiGate
- have the CSRs signed by the rootCA
- import the signed cert and the rootCA cert into each device
- ensure you record the exact CN strings used in the certificates (I will explain later)
junos
request security pki generate-key-pair size 2048 type rsa certificate-id srx300
request security pki generate-certificate-request certificate-id srx300 subject "CN= srx300" domain-name srx300.socpuppets.com
Send the CSR to your CA for signing and then copy the resulting certificate onto the Juniper SRX.
Once the cert is on the Juniper, load it with the following:
request security pki local-certificate load filename <filename of your x509 cert> certificate-id srx300
For the root CA you do the same thing, but with the following:
request security pki ca-certificate load filename <filename of root CA cert> ca-profile getacert
If a CRL is available in the rootCA, you need to disable the revocation check for this ca-profile:
set security pki ca-profile getacert revocation-check disable
For the FortiGate, use the WebUI to generate a CSR, have it signed by the rootCA, then import the signed cert along with the rootCA cert into the FortiGate under:
System > Certificate
I broke the Junos config down into ph1/ph2 and routing. You will also need a security policy for the permitted traffic, which I did not show.
The FortiGate side is less involved, but the same details apply. You will need a firewall policy for the permitted traffic.
One last item on the FGT: in the above example we are using only the "ca cert" to validate the peer.
This means any cert issued by GETACERT would be honored. In reality, you would lock it down to the "cn" of the remote peer plus the rootCA that signed that certificate. I will explain why later on.
So to lock it down, you reference both the CA cert name and the CN string of the peer. This combination validates the peer only if its certificate carries that CN, was signed by that rootCA, and is still within its validity dates.
I will speak more about this later, on why the first example was used and how it can help with troubleshooting.
Here's some show and diagnostic output of the security associations.
junos
fortios
On troubleshooting: when you're dealing with certificates, the rootCA and CN names act like the pre-shared key, along with the certificate itself, if you will.
So in my case, I controlled both end-points, which made diagnostics real easy. In a real deployment, you might have a different fw-admin for the remote firewall.
So if the remote fw-admin gives you the wrong "CN" or does not know it, you can use just the rootCA and blindly accept the certificate, then ascertain the "CN" after the peer has initiated. Once known, you can add it to your "config user peer" statement.
I worked an issue a few months back where we had a FGT1500 trying to authenticate to an openswan peer; the remote fw-admin thought he had used cn=XYZ.hisdomain1.com, but in reality he used cn=XYX.hisdomain2.com, and they could never authenticate.
I used just the CA cert for validation and "diag vpn ike gateway | grep CN", so I could see the actual CN field of the remote firewall's certificate.
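The peer check the post describes (trusted rootCA plus exact CN, with a CA-only check as the troubleshooting fallback), as an added Go example that is not from the post or from either vendor: the CAs, keys and the rogue-CA case are constructed here, the CN strings are the post's, and Ed25519 keys stand in for the RSA 2048 keys generated above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert issues a cert for cn signed by parent; parent == nil yields a self-signed root CA.
func mkCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // constructed serial number
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA: self-signed and permitted to sign other certs
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// peerAllowed models the firewall's peer check: Verify enforces that the cert chains to the trusted rootCA and is
// inside its validity dates; a non-empty expectCN (the locked-down "config user peer" form) also pins the subject CN.
func peerAllowed(peer, rootCA *x509.Certificate, expectCN string) error {
	roots := x509.NewCertPool()
	roots.AddCert(rootCA)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if expectCN != "" && peer.Subject.CommonName != expectCN {
		return fmt.Errorf("peer CN %q, expected %q", peer.Subject.CommonName, expectCN)
	}
	return nil
}
func main() { // replay the post's cases with constructed CAs and CNs
	rootCA, rootKey := mkCert("getacert root CA (constructed)", nil, nil)
	otherCA, otherKey := mkCert("untrusted CA (constructed)", nil, nil)
	srx, _ := mkCert("srx300", rootCA, rootKey)
	typo, _ := mkCert("XYX.hisdomain2.com", rootCA, rootKey) // the remote admin believed it was XYZ.hisdomain1.com
	rogue, _ := mkCert("srx300", otherCA, otherKey)          // right CN, untrusted issuer
	fmt.Println("CA+CN, good cert:   ", peerAllowed(srx, rootCA, "srx300"))              // <nil>
	fmt.Println("CA+CN, CN typo:     ", peerAllowed(typo, rootCA, "XYZ.hisdomain1.com")) // CN mismatch
	fmt.Println("CA+CN, wrong issuer:", peerAllowed(rogue, rootCA, "srx300"))            // unknown authority
	// CA-only mode accepts the typo cert, which is exactly what lets you read the CN it really carries
	fmt.Println("CA only, CN seen:   ", peerAllowed(typo, rootCA, ""), typo.Subject.CommonName)
}
```

A cert that has expired, or is not yet valid, fails the same Verify step as the wrong-issuer case, matching the post's "only if the certificate date is still valid".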
traceroute
Further diagnostic tips
junos
request security ike debug-enable remote <destination-gw address> local <local gw address>
Review the kmd logs after enabling the above:
file show /var/log/kmd*
PLEASE DISABLE THE DEBUG AFTER FINISHING YOUR COLLECTION
request security ike debug-disable
fortios
diag debug reset
diag debug enable
diag debug application ike -1
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com