IPsec Site-to-Site VPN FortiGate <-> Juniper SSG
Here comes the step-by-step guide for building a site-to-site VPN between a FortiGate (FortiOS) and a Juniper SSG (ScreenOS) firewall. Not much to say. I am publishing several screenshots and CLI listings of both firewalls, along with an overview of my laboratory.

Lab

The following figure shows the lab I used for this test:

FortiGate

The FortiGate firewall is configured in the following way. See the image descriptions for more details.

Juniper SSG
The same applies to the ScreenOS device; again, see the image descriptions.
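The screenshots with the actual configuration are not reproduced here. As an added example (a reconstruction, not the author's own configuration), the following CLI equivalents are derived from the parameters visible in the monitoring output further down: IKEv1 with a pre-shared key, AES-256/SHA-256 with DH group 14 and an IKE lifetime of 28800 s, ESP AES-256/SHA-256 with a lifetime of 3600 s, route-based tunnels with 0.0.0.0/0 proxy IDs, DPD, anti-replay, and the DF bit cleared on the SSG; wan1 = 172.16.1.6 on the FortiGate and ethernet0/6 = 172.16.1.1 on the SSG. The pre-shared key, the LAN prefixes and the LAN interface/zone names on each side, main mode, tunnel.1 on the SSG, and PFS with group 14 for phase 2 are assumptions.

```text
##### FortiGate (FortiOS CLI) #####
# Phase 1: the name becomes the tunnel interface. Values marked "assumed"
# are not visible in the monitoring output.
config vpn ipsec phase1-interface
    edit "fd-wv-fw01"
        set interface "wan1"
        set ike-version 1
        set keylife 28800
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set remote-gw 172.16.1.1
        set psksecret <PRE-SHARED-KEY>      # assumed / placeholder
    next
end
# Phase 2: default selectors 0.0.0.0/0 <-> 0.0.0.0/0 (route-based)
config vpn ipsec phase2-interface
    edit "blubb"
        set phase1name "fd-wv-fw01"
        set proposal aes256-sha256
        set pfs enable                      # assumed
        set dhgrp 14                        # assumed
        set replay enable
        set keylifeseconds 3600
    next
end
# Route the remote LAN into the tunnel and allow traffic in both directions
config router static
    edit 0
        set dst <REMOTE-LAN>                # placeholder
        set device "fd-wv-fw01"
    next
end
config firewall policy
    edit 0
        set name "lan-to-vpn"
        set srcintf "internal"              # assumed LAN interface
        set dstintf "fd-wv-fw01"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn-to-lan"
        set srcintf "fd-wv-fw01"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

##### Juniper SSG (ScreenOS CLI) #####
# Tunnel interface (tunnel.1 is assumed), unnumbered on the outside interface
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/6
# Custom proposals: group14 / AES-256 / SHA2-256 are not among the predefined ones
set ike p1-proposal p1-g14-aes256-sha256 preshare group14 esp aes256 sha2-256 second 28800
set ike p2-proposal p2-g14-aes256-sha256 group14 esp aes256 sha2-256 second 3600
set ike gateway fd-wv-fw04 address 172.16.1.6 Main outgoing-interface ethernet0/6 preshare <PRE-SHARED-KEY> proposal p1-g14-aes256-sha256
set ike gateway fd-wv-fw04 dpd-liveness interval 5
# Phase 2 with anti-replay, bound to the tunnel interface, DF bit cleared, 0.0.0.0/0 proxy IDs
set vpn fd-wv-fw04 gateway fd-wv-fw04 replay tunnel idletime 0 proposal p2-g14-aes256-sha256
set vpn fd-wv-fw04 monitor
set vpn fd-wv-fw04 bind interface tunnel.1
set vpn fd-wv-fw04 df-bit clear
set vpn fd-wv-fw04 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
# Route and policies (LAN prefixes and the trust zone are placeholders)
set route <REMOTE-LAN> interface tunnel.1
set policy from trust to untrust <LOCAL-LAN> <REMOTE-LAN> any permit
set policy from untrust to trust <REMOTE-LAN> <LOCAL-LAN> any permit
```

Because both tunnels are route-based with 0.0.0.0/0 selectors, what actually crosses the VPN is decided by the static routes and the firewall policies, not by the phase 2 proxy IDs; keep the routes on both sides symmetric, otherwise return traffic leaves via the default route in clear text.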
Monitoring

If everything is configured correctly, the following menus and CLI commands should reveal the established VPN tunnel. Two things are worth noting: the FortiGate listing prints the negotiated IKE SA key and the ESP encryption and authentication keys in clear text, so such output has to be treated as a secret when it is taken from a production device; and the two listings below were evidently captured at different times (the remaining lifetimes differ), so their ESP SPIs do not pair up. On a live tunnel the inbound SPI of one peer is exactly the outbound SPI of the other.

FortiGate:
fd-wv-fw04 # get vpn ike gateway fd-wv-fw01
vd: root/0
name: fd-wv-fw01
version: 1
interface: wan1 6
addr: 172.16.1.6:500 -> 172.16.1.1:500
created: 1886922s ago
IKE SA created: 1/68 established: 1/68 time: 140/244/6150 ms
IPsec SA created: 1/529 established: 1/529 time: 110/122/440 ms
id/spi: 20197 a6a2bf730478549d/e93ba6ca5b3a76ec
direction: initiator
status: established 5906-5906s ago = 160ms
proposal: aes-256-sha256
key: a3ec5594ba99c237-d02094bfbcd1c68f-b25a658df5746916-e0f5a096a9b9369c
lifetime/rekey: 28800/22593
DPD sent/recv: 00066514/0117eef0
fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get vpn ipsec tunnel name fd-wv-fw01
gateway
name: 'fd-wv-fw01'
type: route-based
local-gateway: 172.16.1.6:0 (static)
remote-gateway: 172.16.1.1:0 (static)
mode: ike-v1
interface: 'wan1' (6)
rx packets: 323771 bytes: 8332412 errors: 0
tx packets: 323773 bytes: 8298620 errors: 0
dpd: enabled/negotiated idle: 5000ms retry: 3 count: 0
selectors
name: 'blubb'
auto-negotiate: disable
mode: tunnel
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA
lifetime/rekey: 3600/611
mtu: 1438
tx-esp-seq: 129
replay: enabled
inbound
spi: c97b0cfd
enc: aes 362214859c31f1645aef153ffcf13be2749f67053a3b9f13eb6db9970b6ae9d8
auth: sha256 8be7f22b93143a38fe83514f535a6d2eeefabe62275dafc5311f3cff78b0037b
outbound
spi: f41f6f7d
enc: aes f3987da624db8f11b31ac0a80bd1e0d3de1c05e81865b6bf312e64c51716901b
auth: sha256 fce036c0b772216a34ef068cea7f29c31c5778b1b546131b31394775b91ebae4
NPU acceleration: encryption(outbound) decryption(inbound)
SSG:
fd-wv-fw01-> get ike cookies
IKEv1 SA -- Active: 10, Dead: 0, Total 10
80102f/0003, 172.16.1.6:500->172.16.1.1:500, PRESHR/grp14/AES256/SHA2-256, xchg(5) (fd-wv-fw04/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 23327 cert-expire 0
responder, err cnt 0, send dir 1, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 18345669, peer 419049
fd-wv-fw01->
fd-wv-fw01->
fd-wv-fw01-> get sa id 0x0000000e
index 7, name fd-wv-fw04, peer gateway ip 172.16.1.6. vsys
auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 14, peer id 7, NSRP Local. site-to-site. Local interface is ethernet0/6 <172.16.1.1>.
esp, group 14, a256 encryption, s256 authentication
autokey, IN active, OUT active
monitor<1>, latency: 1, availability: 100
DF bit: clear
app_sa_flags: 0x24001a7
proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0/0
ike activity timestamp: 1882685177
DSCP-mark : disabled
nat-traversal map not available
incoming: SPI f41f6f87, flag 00004000, tunnel info 4000000e, pipeline
life 3600 sec, 2869 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x49, window 0xffffffff, idle timeout value <0>, idled 6 seconds
next pak sequence number: 0x0
bytes/paks:8280316/188189; sw bytes/paks:8280316/188189
outgoing: SPI c97b0d00, flag 00000000, tunnel info 4000000e, pipeline
life 3600 sec, 2869 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 6 seconds
next pak sequence number: 0x49
bytes/paks:8303592/188718; sw bytes/paks:8303592/188718
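The two vendors print the same facts in different words (aes-256-sha256 vs. AES256/SHA2-256, lifetime/rekey vs. lifetime/lt-recv, inbound/outbound vs. incoming/outgoing). As an added example that is not part of the original post, the following script parses trimmed excerpts of the two listings above (constructed from this page) and cross-checks peers, proposal, lifetimes and SPI pairing the way one would when a tunnel is up but traffic does not flow. Run against these excerpts it reports only the two SPI checks as mismatches, which is expected here because the listings were taken at different times.

```python
import re

# Constructed excerpts of the two listings on this page (FortiGate
# "get vpn ike gateway" / "get vpn ipsec tunnel name", ScreenOS
# "get ike cookies" / "get sa id"), trimmed to the lines the checker reads.
FORTIGATE_OUTPUT = """\
addr: 172.16.1.6:500 -> 172.16.1.1:500
proposal: aes-256-sha256
lifetime/rekey: 28800/22593
mode: ike-v1
lifetime/rekey: 3600/611
inbound
spi: c97b0cfd
outbound
spi: f41f6f7d
"""

SSG_OUTPUT = """\
80102f/0003, 172.16.1.6:500->172.16.1.1:500, PRESHR/grp14/AES256/SHA2-256, xchg(5) (fd-wv-fw04/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 23327 cert-expire 0
incoming: SPI f41f6f87, flag 00004000, tunnel info 4000000e, pipeline
life 3600 sec, 2869 remain, 0 kb, 0 bytes remain
outgoing: SPI c97b0d00, flag 00000000, tunnel info 4000000e, pipeline
"""


def _norm_auth(name):
    # 'SHA2-256' (ScreenOS) and 'sha256' (FortiOS) both become 'sha256'
    return name.lower().replace("sha2-", "sha")


def parse_fortigate(text):
    peers = re.search(r"addr:\s*([\d.]+):\d+\s*->\s*([\d.]+):\d+", text).groups()
    enc, auth = re.search(r"proposal:\s*(\S+)", text).group(1).rsplit("-", 1)
    # the first lifetime/rekey line belongs to the IKE SA, the second to the IPsec SA
    lifetimes = re.findall(r"lifetime/rekey:\s*(\d+)/\d+", text)
    return {
        "peers": peers,
        "enc": enc.replace("-", ""),  # 'aes-256' -> 'aes256'
        "auth": _norm_auth(auth),
        "ike_lifetime": int(lifetimes[0]),
        "ipsec_lifetime": int(lifetimes[1]),
        "spi_in": re.search(r"inbound\s+spi:\s*([0-9a-f]+)", text).group(1),
        "spi_out": re.search(r"outbound\s+spi:\s*([0-9a-f]+)", text).group(1),
    }


def parse_ssg(text):
    m = re.search(r"([\d.]+):\d+->([\d.]+):\d+, PRESHR/grp(\d+)/(\w+)/([\w-]+)", text)
    local, remote, group, enc, auth = m.groups()
    return {
        "peers": (local, remote),
        "dh_group": int(group),
        "enc": enc.lower(),  # 'AES256' -> 'aes256'
        "auth": _norm_auth(auth),
        "ike_lifetime": int(re.search(r"\blifetime (\d+)", text).group(1)),
        "ipsec_lifetime": int(re.search(r"life (\d+) sec", text).group(1)),
        "spi_in": re.search(r"incoming: SPI ([0-9a-f]+)", text).group(1).lower(),
        "spi_out": re.search(r"outgoing: SPI ([0-9a-f]+)", text).group(1).lower(),
    }


def compare(fgt, ssg):
    """Pairwise checks between the two parsed listings; returns {name: (ok, detail)}."""
    pairs = [
        ("peers", fgt["peers"], ssg["peers"]),
        ("encryption", fgt["enc"], ssg["enc"]),
        ("integrity", fgt["auth"], ssg["auth"]),
        ("ike_lifetime", fgt["ike_lifetime"], ssg["ike_lifetime"]),
        ("ipsec_lifetime", fgt["ipsec_lifetime"], ssg["ipsec_lifetime"]),
        # one SA carries one SPI: what the FortiGate sends on is what the SSG receives on
        ("spi_fgt_out_is_ssg_in", fgt["spi_out"], ssg["spi_in"]),
        ("spi_fgt_in_is_ssg_out", fgt["spi_in"], ssg["spi_out"]),
    ]
    return {name: (a == b, f"{a} vs {b}") for name, a, b in pairs}


def mismatches(fgt, ssg):
    """Names of the checks that failed, sorted for stable output."""
    return sorted(name for name, (ok, _) in compare(fgt, ssg).items() if not ok)


if __name__ == "__main__":
    fgt, ssg = parse_fortigate(FORTIGATE_OUTPUT), parse_ssg(SSG_OUTPUT)
    for name, (ok, detail) in compare(fgt, ssg).items():
        print(f"{'OK  ' if ok else 'DIFF'} {name}: {detail}")
```

The FortiGate "get vpn ike gateway" output does not print the DH group, so that check can only be done against the FortiGate configuration (phase1-interface dhgrp), not against this listing.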