GRE Tunnel Between Fortigate and Juniper SRX Firewall

Topology: 


Fortigate Firewall:

GRE Tunnel Configuration:

++++++++++++++++++++++++++++++++++++

 config system gre-tunnel
    edit "GRE-FG-SRX-TUN"
        set interface "port1"
        set remote-gw 192.168.0.106
        set local-gw 192.168.0.108
    next
end

++++++++++++++++++++++++++++++++++++ 

Interface Configuration:

++++++++++++++++++++++++++++++++++++ 

FG-01 (GRE-FG-SRX-TUN) # show
config system interface
    edit "GRE-FG-SRX-TUN"
        set vdom "root"
        set ip 2.2.2.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 2.2.2.1 255.255.255.0
        set snmp-index 4
        set interface "port1"
    next
end
++++++++++++++++++++++++++++++++++++

Static Route:

++++++++++++++++++++++++++++++++ 

# Manually added Route

 FG-01 # config router static

FG-01 (static) # show
config router static
      edit 1
        set dst 33.33.33.33 255.255.255.255
        set device "GRE-FG-SRX-TUN"
    next
end


++++++++++++++++++++++++++++++++ 

# Security Policy:

 config firewall policy
    edit 1
        set name "GRE_Allow"
        set uuid 436e5546-266c-51ec-00c3-776eb872b18d
        set srcintf "GRE-FG-SRX-TUN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "14.140.40.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "GRE_outbound"
        set uuid 50189f40-266c-51ec-8250-c617f4b4e9d7
        set srcintf "port2"
        set dstintf "GRE-FG-SRX-TUN"
        set srcaddr "14.140.40.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
++++++++++++++++++++++++++++++++

# Route to remote GRE Tunnel IP added automatically 

FG-01 # get router info routing-table details
Routing table for VRF=0
C       2.2.2.0/30 is directly connected, GRE-FG-SRX-TUN (By default this will be added)
C       2.2.2.2/32 is directly connected, GRE-FG-SRX-TUN

GRE Tunnel Statistics:
++++++++++++++++++++++++++++++++

FG-01 # diagnose sys gre list

FG-01 # diagnose sys gre list
IPv4:
vd=0 devname=GRE-FG-SRX-TUN devindex=3 ifindex=14
saddr=192.168.0.108 daddr=192.168.0.106 rpdb=0 ref=0
key=0/0 flags=0/0 dscp-copy=0 diffservcode=000000
  rpdb-ver: ffffffff rpdb-gwy: 0.0.0.0 rpdb-oif: 0

total tunnel = 1
++++++++++++++++++++++++++++++++ 

Ping Test:

Session :

 

SRX Firewall:

Interface Config : 

++++++++++++++++++++++++++++++++ 

set interfaces gr-0/0/0 unit 0 tunnel source 192.168.0.106
set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.0.108
set interfaces gr-0/0/0 unit 0 family inet address 2.2.2.1/30

++++++++++++++++++++++++++++++++ 

Assign GRE tunnel interface to respective Zone: 


++++++++++++++++++++++++++++++++

set security zones security-zone untrust interfaces gr-0/0/0.0

set security zones security-zone untrust interfaces ge-0/0/0.0

++++++++++++++++++++++++++++++++ 

Configure static route to remote network via GRE tunnel interface:

set routing-options static route 14.140.40.108/32 next-hop gr-0/0/0.0

Security policy to allow the traffic (untrust to untrust in my case):

++++++++++++++++++++++++++++++++ 

 set security policies from-zone untrust to-zone untrust policy untrust_allow_ping match source-address any
set security policies from-zone untrust to-zone untrust policy untrust_allow_ping match destination-address any
set security policies from-zone untrust to-zone untrust policy untrust_allow_ping match application any
set security policies from-zone untrust to-zone untrust policy untrust_allow_ping then permit
++++++++++++++++++++++++++++++++

Allow inbound traffic on Zone:

set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all

Ping Test

 

 Session Information:

 

    


YouTube video reference:  





Comments

Post a Comment

Popular posts from this blog

Configure IPsec site-to-site VPN in Linux Machine

Image
 Configure IPsec site-to-site VPN in Linux Machine: Update the system and install the package  apt update && sudo apt upgrade -y  apt install strongswan -y Check if the following kernel parameter is set or not sysctl net.ipv4.ip_forward=1 To list all configured parameters: sysctl -a root@ubuntu-server-main:~# sysctl net.ipv4.ip_forward=1 net.ipv4.ip_forward = 1 root@ubuntu-server-main:~# sysctl net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.accept_redirects = 0 root@ubuntu-server-main:~# sysctl net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.all.send_redirects = 0 root@ubuntu-server-main:~# Network Diagram: IPsec Config: Configure the PSK and update the VPN endpoints ++++++++++++++ cat /etc/ipsec.secrets # source      destination 192.168.0.2   192.168.0.108 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ" ++++++++++++++ cat /etc/ipsec.conf: config setup         ch...
Read more

TACACS+ Installation on Linux [CentOS]

 TACACS+  Installation on CentOS: In the example below I will show you how to install tac_plus on a CentOS server. There’s a RPM available so this will save you the hassle of compiling the source code yourself. Let’s add the repository first: [root@server ~]# cd /etc/yum.repos.d/ [root@server yum.repos.d]# vim nux-misc.repo We will create a new repository file where we can grab tac_plus. This is what you should enter: [nux-misc] name=Nux Misc baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/ enabled=0 gpgcheck=1 gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro Save the file and install tac_plus with the following command: [root@server ~]# yum --enablerepo=nux-misc install tac_plus That’s all you need to do. All configuration is done from a single config file. Let’s take a look at its contents: [root@server /]# vim /etc/tac_plus.conf You will see a lot of things in this default configuration file. Let me walk you through some of the fields. The first thing you see ...
Read more

Free Radius setup/configuration in Linux [Ubuntu/CentOS]

Free Radius setup/configuration in Linux [Ubuntu/CentOS]   1) Free RADIUS Client: CentOS:  yum install freeradius-utils Ubuntu: apt-get install freeradius-utils   2) Free RADIUS Server: Add the client device to free RADIUS server: i) vi /etc/freeradius/3.0/clients.conf  ii) Append below lines to the file above ############# client FortiGate-VM64-Xen {        ipaddr           = 192.168.0.108        secret           = testing123 } client sumit-linux-amp {        ipaddr           = 192.168.0.190        secret           = testing123 } #############   iii) Add users to the RADIUS server: Append below lines to the file "users" > vi /etc/freeradiu...
Read more