How to Configure Dial-up IPsec VPN from Fortinet FortiGate to Juniper SRX

This post documents the process of configuring a dynamic (dial-up) IPsec VPN between a Juniper SRX and a FortiGate firewall, then running OSPF over the IPsec tunnel interfaces with some OSPF route filtering.

Environment

1 x Fortinet FortiGate Firewall with dynamic WAN IP address

1 x Juniper SRX firewall with Static WAN IP address

The requirement is to configure a dynamic IPsec VPN (dial-out VPN) and run OSPF over the IPsec VPN tunnel interfaces for the inter-site traffic.

The FortiGate dials up to the Juniper SRX with a defined local ID (aggressive mode).

Juniper SRX Configuration

====Configure Phase 1 proposal and policy====

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-policy-ICTFella mode aggressive
set security ike policy ike-policy-ICTFella proposals ike-phase1-proposal
set security ike policy ike-policy-ICTFella pre-shared-key ascii-text "ictfella.com"

====Configure the Phase 1 gateway and refer to the Phase 1 proposal and policy====

set security ike gateway ike-FORTI-JUNIP-via-ISP1 ike-policy ike-policy-ICTFella
set security ike gateway ike-FORTI-JUNIP-via-ISP1 dynamic hostname ICTFellaFORTIFW01
set security ike gateway ike-FORTI-JUNIP-via-ISP1 dead-peer-detection always-send
set security ike gateway ike-FORTI-JUNIP-via-ISP1 dead-peer-detection interval 10
set security ike gateway ike-FORTI-JUNIP-via-ISP1 dead-peer-detection threshold 3
set security ike gateway ike-FORTI-JUNIP-via-ISP1 external-interface reth1.22

The dynamic hostname ICTFellaFORTIFW01 is the local ID the FortiGate presents when it connects, and reth1.22 is the SRX WAN port.

====Configure Phase 2 proposal and policy====

set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-policy-ICTFella proposals ipsec-phase2-proposal

====Configure Phase 2 IPsec VPN====

set security ipsec vpn ipsec-FORTI-JUNIP-via-ISP1 bind-interface st0.24
set security ipsec vpn ipsec-FORTI-JUNIP-via-ISP1 ike gateway ike-FORTI-JUNIP-via-ISP1
set security ipsec vpn ipsec-FORTI-JUNIP-via-ISP1 ike ipsec-policy ipsec-policy-ICTFella
set security ipsec vpn ipsec-FORTI-JUNIP-via-ISP1 establish-tunnels immediately

====Set up the tunnel interface and add it to the new security zone====

set interfaces st0 unit 24 family inet address 10.0.0.49/29
set security zones security-zone FORTI interfaces st0.24 host-inbound-traffic system-services ping
set security zones security-zone FORTI interfaces st0.24 host-inbound-traffic protocols ospf

====Allow inter-site traffic====

set security policies from-zone FORTI to-zone JUNIP_Inside policy permit-JUNIP_Inside match source-address any
set security policies from-zone FORTI to-zone JUNIP_Inside policy permit-JUNIP_Inside match destination-address any
set security policies from-zone FORTI to-zone JUNIP_Inside policy permit-JUNIP_Inside match application any
set security policies from-zone FORTI to-zone JUNIP_Inside policy permit-JUNIP_Inside then permit

set security policies from-zone JUNIP_Inside to-zone FORTI policy permit-JUNIP_Inside2 match source-address any
set security policies from-zone JUNIP_Inside to-zone FORTI policy permit-JUNIP_Inside2 match destination-address any
set security policies from-zone JUNIP_Inside to-zone FORTI policy permit-JUNIP_Inside2 match application any
set security policies from-zone JUNIP_Inside to-zone FORTI policy permit-JUNIP_Inside2 then permit

====Enable OSPF and enable the policy filtering for OSPF advertisement====

set routing-options static route 0.0.0.0/0 next-hop x.x.x.x
set routing-options static route 172.16.0.0/24 next-hop 10.0.0.14
set routing-options router-id 10.0.0.1
set protocols ospf export into-ospf
set protocols ospf area 0.0.0.0 interface st0.24 metric 150

set policy-options policy-statement into-ospf term 10 from protocol direct
set policy-options policy-statement into-ospf term 10 then accept
set policy-options policy-statement into-ospf term 20 from protocol static
set policy-options policy-statement into-ospf term 20 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement into-ospf term 20 then reject
set policy-options policy-statement into-ospf term 30 from protocol static
set policy-options policy-statement into-ospf term 30 then accept

Fortinet FortiGate Configuration

====Remote Gateway====

====Authentication and IKE Configuration: Aggressive mode, Accept Any Peer ID====

====Phase 1 Proposal and define the local ID====

====Phase 2 Config====

====Allow inter-site Traffic====

====Config Tunnel Interface====
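The FortiGate steps above (remote gateway, aggressive mode with the local ID, Phase 1 and Phase 2 proposals, inter-site policies and the tunnel interface) as a CLI equivalent, added here as an example and not the author's own configuration. It assumes wan1 as the WAN port, internal as the LAN interface, 10.0.0.50 as the FortiGate end of the st0.24 /29, localid-type fqdn to match the SRX dynamic hostname gateway, and 203.0.113.1 as a placeholder for the SRX static WAN IP, which the post does not give.

```fortios
# Phase 1: aggressive-mode dial-out; 203.0.113.1 is a placeholder for the SRX WAN IP
config vpn ipsec phase1-interface
    edit "IPSEC"
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
        set localid-type fqdn
        set localid "ICTFellaFORTIFW01"
        set remote-gw 203.0.113.1
        set psksecret "ictfella.com"
    next
end
# Phase 2: AES-128/SHA1 without PFS, matching the SRX ipsec proposal and policy
config vpn ipsec phase2-interface
    edit "IPSEC"
        set phase1name "IPSEC"
        set proposal aes128-sha1
        set pfs disable
        set auto-negotiate enable
    next
end
# Tunnel interface: FortiGate end of the st0.24 /29 (SRX side is 10.0.0.49)
config system interface
    edit "IPSEC"
        set ip 10.0.0.50 255.255.255.255
        set remote-ip 10.0.0.49 255.255.255.248
    next
end
# Inter-site traffic in both directions (mirrors the two SRX security policies)
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "IPSEC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "IPSEC"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The "IPSEC" interface name is the one the OSPF configuration below refers to, so the phase1-interface, system interface and ospf-interface entries must all use it.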

====Configure OSPF====

config router ospf
    set router-id 10.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "IPsec"
            set interface "IPSEC"
            set cost 150
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
        set status enable
        set routemap "RM_Static_to_OSPF"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

Without mtu-ignore enabled, OSPF will get stuck in the Exchange state.

====Route-map config to limit the routes advertised====

config router route-map
    edit "RM_Static_to_OSPF"
        config rule
            edit 1
                set match-ip-address "AL_Static_to_OSPF"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

====Configure the access list to limit the routes====

config router access-list
    edit "AL_Static_to_OSPF"
        config rule
            edit 1
                set prefix 10.1.2.0 255.255.0.0
                set exact-match enable
            next
        end
    next
end

Useful links

https://supportportal.juniper.net/s/article/SRX-Configure-site-to-site-IPsec-VPN-where-remote-site-has-dynamic-IP-address-and-SRX-has-static-IP-address?language=en_US

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/621208/choosing-main-mode-or-aggressive-mode
