Route-Based IPsec VPN between FortiGate and Juniper SRX Firewall

Topology (diagram not reproduced; recovered from the configuration below): FortiGate port1 192.168.0.108 <-- IPsec --> ge-0/0/0 192.168.0.106 SRX, with tunnel interface "OSPF-over-ipsec" on the FortiGate and st0.0 on the SRX.

FortiGate Configuration:

Phase1:

config vpn ipsec phase1-interface
    edit "OSPF-over-ipsec"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal des-sha1
        set dhgrp 2
        set remote-gw 192.168.0.106
        set psksecret ENC abcd
    next
end

Phase2:

config vpn ipsec phase2-interface
    edit "OSPF-over-ipsec"
        set phase1name "OSPF-over-ipsec"
        set proposal des-sha1
        set pfs disable
    next
end

Policy (both directions; srcaddr/dstaddr "all" with service ALL is acceptable for a lab but should be narrowed to the subnets that are meant to cross the tunnel):

config firewall policy
    edit 5
        set name "ipsec"
        set uuid a36a619c-32ec-51ec-8ce8-dbe87b1799e5
        set srcintf "OSPF-over-ipsec"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 6
        set uuid ac638986-32ec-51ec-2ed6-5f9cceb06d2b
        set srcintf "port2"
        set dstintf "OSPF-over-ipsec"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments " (Copy of ipsec) (Reverse of ipsec)"
    next
end

Route:

config router static
    edit 1
        set dst 33.33.33.33 255.255.255.255
        set device "OSPF-over-ipsec"
    next
end

SRX Configuration:

Phase 1:

set security ike proposal P1_proposal description Phase1_proposal
set security ike proposal P1_proposal authentication-method pre-shared-keys
set security ike proposal P1_proposal dh-group group2
set security ike proposal P1_proposal authentication-algorithm sha1
set security ike proposal P1_proposal encryption-algorithm des-cbc
set security ike proposal P1_proposal lifetime-seconds 86400
set security ike policy Phase1 mode main
set security ike policy Phase1 proposals P1_proposal
set security ike policy Phase1 pre-shared-key ascii-text "$9$vIIM7Vg4ZjkPJGUikqf5IEhrM8"
set security ike gateway Phase1_gateway ike-policy Phase1
set security ike gateway Phase1_gateway address 192.168.0.108
set security ike gateway Phase1_gateway dead-peer-detection probe-idle-tunnel
set security ike gateway Phase1_gateway external-interface ge-0/0/0
set security ike gateway Phase1_gateway local-address 192.168.0.106
set security ike gateway Phase1_gateway version v1-only

Phase 2:

set security ipsec proposal Phase2-proposal protocol esp
set security ipsec proposal Phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Phase2-proposal encryption-algorithm des-cbc
set security ipsec proposal Phase2-proposal lifetime-seconds 43200
set security ipsec policy Phase2_policy proposals Phase2-proposal
set security ipsec vpn ospf-over-ipsec bind-interface st0.0
set security ipsec vpn ospf-over-ipsec ike gateway Phase1_gateway
set security ipsec vpn ospf-over-ipsec ike ipsec-policy Phase2_policy

Route:

set routing-options static route 14.140.40.108/32 next-hop st0.0

Policy:

Allow a security policy from Untrust to Untrust, which implies that st0.0 is placed in the Untrust zone together with ge-0/0/0. The st0 unit 0 interface itself (family inet) and its zone assignment are not shown on this page, but both are required before traffic will pass through the tunnel.
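The two configurations above have to agree on every IKE and IPsec parameter before the tunnel comes up, and the parameters used here (DES, SHA1, DH group 2, IKEv1, PFS off) are the weak point of this lab: DES has a 56-bit key, 1024-bit DH group 2 and SHA1 are deprecated for new deployments, and with PFS off the phase 2 keys are derived from the phase 1 secret. The Python script below is an added example and not code from the original post: it parses the FortiOS blocks and the Junos set lines copied from this page, normalises the algorithm names to the FortiOS spelling, reports parameters the two peers do not share (the usual cause of a tunnel that never comes up), and lists the weak ones. The normalisation rule in norm(), the parsing rules (one proposal per phase, FortiOS and Junos defaults for unset pfs and IKE version) and the weak-algorithm lists are this example's own assumptions.

```python
# Added example, not code from the original post: cross-check the FortiGate and SRX
# IPsec settings copied from this page for peer mismatches and weak algorithms.  The
# normalisation rule, parsing rules and weak-algorithm lists are this example's assumptions.

PAGE_FORTI = """
config vpn ipsec phase1-interface
    edit "OSPF-over-ipsec"
        set proposal des-sha1
        set dhgrp 2
    next
end
config vpn ipsec phase2-interface
    edit "OSPF-over-ipsec"
        set proposal des-sha1
        set pfs disable
    next
end
"""
PAGE_JUNOS = """
set security ike proposal P1_proposal dh-group group2
set security ike proposal P1_proposal authentication-algorithm sha1
set security ike proposal P1_proposal encryption-algorithm des-cbc
set security ike gateway Phase1_gateway version v1-only
set security ipsec proposal Phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Phase2-proposal encryption-algorithm des-cbc
"""
WEAK_ALG, WEAK_DH = {"des", "3des", "md5", "sha1"}, {"1", "2", "5"}  # groups <= 1536-bit MODP


def norm(alg):
    """Junos algorithm name -> FortiOS token, e.g. hmac-sha-256-128 -> sha256 (assumed rule)."""
    if alg.startswith("hmac-"):
        alg = alg[5:].rsplit("-", 1)[0]          # drop the prefix and the truncation length
    return alg.replace("-cbc", "").replace("-", "")

def parse_forti(text):
    """FortiOS phase1/phase2 blocks; unset pfs and ike-version take the FortiOS defaults."""
    p = {"p1": {"proposals": set(), "dh": set(), "ike_version": "1"},
         "p2": {"proposals": set(), "pfs": True}}
    cur = None
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["config", "vpn", "ipsec"]:
            cur = p["p1" if w[3].startswith("phase1") else "p2"]
        elif cur and w[:1] == ["set"]:
            key, vals = w[1], w[2:]
            if key == "proposal":                 # tokens are enc-auth, e.g. aes256-sha256
                cur["proposals"] = {tuple(v.split("-", 1)) for v in vals}
            elif key == "dhgrp":
                cur["dh"] = set(vals)
            elif key == "pfs":
                cur["pfs"] = vals[0] == "enable"
            elif key == "ike-version":
                cur["ike_version"] = vals[0]
    return p

def parse_junos(text):
    """Junos 'set' lines, one proposal per phase as on this page; IKEv1 and no PFS are defaults."""
    p = {"p1": {"ike_version": "1"}, "p2": {"pfs": False}}
    for line in text.splitlines():
        w = line.split()
        if len(w) < 7 or w[:2] != ["set", "security"]:
            continue
        phase, kind, key, val = ("p1" if w[2] == "ike" else "p2"), w[3], w[5], w[-1]
        if kind == "proposal":
            p[phase][key] = norm(val)
        elif (kind, key) == ("policy", "perfect-forward-secrecy"):
            p["p2"]["pfs"] = True
        elif (kind, key) == ("gateway", "version"):
            p["p1"]["ike_version"] = val[1]      # 'v1-only' -> '1', 'v2-only' -> '2'
    for ph in p.values():
        ph["proposals"] = {(ph.get("encryption-algorithm"), ph.get("authentication-algorithm"))}
    p["p1"]["dh"] = {p["p1"].get("dh-group", "").replace("group", "")}
    return p

def audit(forti_text, junos_text):
    """Return {'mismatches': [...], 'weak': [...]} for one FortiGate/SRX pair."""
    f, j = parse_forti(forti_text), parse_junos(junos_text)
    mismatches, weak = [], []
    for ph in ("p1", "p2"):
        common = f[ph]["proposals"] & j[ph]["proposals"]
        if not common:
            mismatches.append(f"{ph}: no shared proposal")
        weak += [f"{ph}: {alg}" for pair in common for alg in pair if alg in WEAK_ALG]
    dh = f["p1"]["dh"] & j["p1"]["dh"]
    if not dh:
        mismatches.append("p1: no shared DH group")
    weak += [f"p1: DH group {g}" for g in dh if g in WEAK_DH]
    if f["p1"]["ike_version"] != j["p1"]["ike_version"]:
        mismatches.append("p1: IKE version differs")
    elif f["p1"]["ike_version"] == "1":
        weak.append("p1: IKEv1 (deprecated; prefer IKEv2)")
    if f["p2"]["pfs"] != j["p2"]["pfs"]:
        mismatches.append("p2: PFS enabled on one side only")
    elif not f["p2"]["pfs"]:
        weak.append("p2: PFS disabled")
    return {"mismatches": mismatches, "weak": sorted(weak)}

if __name__ == "__main__":
    print(audit(PAGE_FORTI, PAGE_JUNOS))
```

Run against the page's settings, audit() reports no mismatches and flags DES, SHA1, DH group 2, IKEv1 and the disabled PFS. Change the FortiGate side to aes256-sha256, dhgrp 14, pfs enable and ike-version 2, and the SRX side to aes-256-cbc, sha-256 (hmac-sha-256-128 for IPsec), group14, perfect-forward-secrecy keys group14 and version v2-only, and both lists come back empty; change only one side and the mismatch list shows exactly which parameter the peers no longer share.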

Tunnel status:

The original screenshots are not reproduced here; the CLI commands that show the same information are:

FG:

get vpn ipsec tunnel summary
diagnose vpn ike gateway list
diagnose vpn tunnel list

SRX:

show security ike security-associations
show security ipsec security-associations
