ospf vpn fortigate -juniper

Author: Fullmoon (Platinum Member)
2015/02/12 04:34:13


Pretty sure everyone has already done a site-to-site VPN between a Juniper (small box) and a FortiGate.
Here's my problem: VPN interface mode is working fine; however, when we tried to set up the IPsec VPN via OSPF we can't see OSPF in the routing monitor. Hope anyone here could post a working config/screenshot of the Juniper and the FortiGate. Thanks.

Fortigate Newbie
#1

8 Replies

    ashukla_FTNT (Silver Member)
    Re: ospf vpn fortigate -juniper 2015/02/12 05:22:13
    Is the OSPF neighborship coming up?
    Check the MTU of the VPN interface on our side and on the Juniper side (mostly our side will be 1436).
    I believe you are running OSPF over IPsec.
     
    #2
    emnoc (Expert Member, Austin TX area)
    Re: ospf vpn fortigate -juniper 2015/02/12 07:14:33
    The diag debug flow is your friend.
     
    Also, just like with the FortiGate, we are assuming the Juniper is in interface mode. Have you done a diag sniffer on the FGT and a traceoptions on the SRX?
     
    e.g
     
      set security flow traceoptions file mybadtunnel
      set security flow traceoptions flag basic-datapath
      set security flow traceoptions packet-filter MatchTraffic source-prefix x.x.x.x/32 destination-prefix y.y.y.y/32
      commit

    ( x.x.x.x <> y.y.y.y would be your tunnel-assigned addresses for the OSPF neighbors )
     
    and then review the trace:
     
        show log mybadtunnel
     
    You can get creative and execute shell and use tcpdump on the st.X interface also ;)
     
    Make sure you have defined the OSPF area and neighbors correctly. These should be configured as point-to-point rather than multi-access.
     
    Ken
     
    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #3
    Fullmoon (Platinum Member)
    Re: ospf vpn fortigate -juniper 2015/02/16 17:40:18
    Hi folks, apologies for the late update. Here's the OSPF config of the FortiGate and the Juniper settings. The IPsec VPN is working properly.
    post edited by Fullmoon - 2015/02/16 18:09:13

    Attached Image(s)


    Fortigate Newbie
    #4
    Fullmoon (Platinum Member)
    Re: ospf vpn fortigate -juniper 2015/02/16 17:43:48
    Juniper OSPF

    Attached Image(s)


    Fortigate Newbie
    #5
    Fullmoon (Platinum Member)
    Re: ospf vpn fortigate -juniper 2015/02/16 17:45:06
    FortiGate routing monitor
     

    Attached Image(s)


    Fortigate Newbie
    #6
    emnoc (Expert Member, Austin TX area)
    Re: ospf vpn fortigate -juniper 2015/02/16 23:14:38
    OP, you really need to get a packet capture/traceoptions on multicast group 224.0.0.5. If the hello/dead time/MTU/auth/OSPF type are mismatched, then it will clearly be present in the pcap.
     
    On the FortiGate you can't set the MTU on an interface-IPsec. On the Juniper I would start by looking at the interface MTU:
     

    show interfaces <name> extensive

     
    and run a trace:
     

    set protocols ospf traceoptions file myospf
    set protocols ospf traceoptions flag all

     
    But you need to get a pcap or trace; that would be your best bet for double-checking whether you have any of the above mismatches.
     
    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #7
    ashukla_FTNT (Silver Member)
    Re: ospf vpn fortigate -juniper 2015/02/17 00:13:40
    The following steps are required:
     
    On FortiGate:
    1) Make sure you are using 0.0.0.0 source and 0.0.0.0 destination quick mode selectors in the VPN.
    2) Give an IP to the tunnel interface:

         config system interface
             edit "(name of the tunnel interface to Juniper)"
                 set ip 192.168.1.1 255.255.255.252
                 set allowaccess ping https ssh
                 set type tunnel
                 set remote-ip 192.168.1.2
             next
         end

       (192.168.1.2 is the IP that should be assigned on the Juniper tunnel interface.)

    3) It is better to ignore the MTU for OSPF (if it is difficult to match the MTU on both sides):

         config router ospf
             config ospf-interface
                 edit "xxx"
                     set interface "name of tunnel interface"
                     set mtu-ignore enable
                     set network-type point-to-point
                 next
             end
         end
     
    On Juniper:
     
    1) Quick mode selector is 0.0.0.0.
    2) The st interface IP is set to 192.168.1.2/255.255.255.252.
    3) mtu-ignore is enabled under OSPF.
    4) Make sure host-inbound-traffic on the zone allows either all or OSPF.
     
    If you still face the problem:

         get router info ospf neighbor
         diagnose ip router ospf all enable
         diagnose debug enable
     
    Run similar traceoptions on the SRX.
     
    Though I am pretty sure that if you configure the above, OSPF should work.
    Also, the reason we have to use 0.0.0.0 as the quick mode selector is that the OSPF packet will arrive on the FortiGate with the source IP set to the tunnel interface IP of the Juniper, which will not be part of the quick mode selector, so it will get dropped by the flow.
    Juniper doesn't care about it though.
     
     
    #8
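    The mismatches emnoc says will show up in a pcap of 224.0.0.5 (hello/dead time, auth, area, MTU) and the mtu-ignore step in the post above can be checked directly against captured OSPF packets. The script below is an added example, not code from either poster or from Fortinet or Juniper. It builds two constructed OSPFv2 Hello packets and one Database Description packet using this thread's tunnel addresses (192.168.1.1 and 192.168.1.2) and the 1436-byte FortiGate tunnel MTU mentioned earlier, with checksums left at zero because the samples are parsed locally and never sent; it then parses the fields RFC 2328 requires to agree and reports what would keep the adjacency down. The DBD MTU comparison is the RFC 2328 section 10.6 rule that mtu-ignore switches off. Function names such as diagnose() and the sample values are my own.

```python
import struct

OSPF_HELLO = 1
OSPF_DBD = 2
AUTH_NAMES = {0: "null", 1: "simple-password", 2: "md5"}
E_BIT = 0x02  # options bit: external routing capable (clear in a stub area)


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _header(ptype, body, router_id, area_id, auth_type) -> bytes:
    # 24-byte OSPFv2 header. Checksum and auth data are zero because these are
    # constructed samples that are parsed locally, never transmitted.
    return struct.pack("!BBH4s4sHH8s", 2, ptype, 24 + len(body),
                       ip_to_bytes(router_id), ip_to_bytes(area_id),
                       0, auth_type, b"\x00" * 8) + body


def build_hello(router_id, area_id, auth_type, netmask, hello, dead,
                options=E_BIT, priority=1) -> bytes:
    body = struct.pack("!4sHBBI4s4s", ip_to_bytes(netmask), hello, options,
                       priority, dead, b"\x00" * 4, b"\x00" * 4)  # DR/BDR are 0 on p2p
    return _header(OSPF_HELLO, body, router_id, area_id, auth_type)


def build_dbd(router_id, area_id, auth_type, mtu, options=E_BIT, flags=0x07, seq=1) -> bytes:
    body = struct.pack("!HBBI", mtu, options, flags, seq)  # no LSA headers in ExStart
    return _header(OSPF_DBD, body, router_id, area_id, auth_type)


def parse_ospf(pkt: bytes) -> dict:
    """Decode the OSPFv2 header plus the Hello or DBD fields a neighbor check needs."""
    if len(pkt) < 24:
        raise ValueError("truncated OSPF header")
    version, ptype, length, rid, aid, _csum, auth_type = struct.unpack("!BBH4s4sHH", pkt[:16])
    if version != 2:
        raise ValueError(f"not OSPFv2 (version {version})")
    if length > len(pkt):
        raise ValueError("length field exceeds captured bytes")
    body = pkt[24:length]
    info = {"type": ptype, "router_id": bytes_to_ip(rid),
            "area_id": bytes_to_ip(aid), "auth_type": auth_type}
    if ptype == OSPF_HELLO:
        if len(body) < 20:
            raise ValueError("truncated Hello body")
        mask, hello, options, priority, dead = struct.unpack("!4sHBBI", body[:12])
        info.update(netmask=bytes_to_ip(mask), hello_interval=hello, options=options,
                    priority=priority, dead_interval=dead)
    elif ptype == OSPF_DBD:
        if len(body) < 8:
            raise ValueError("truncated DBD body")
        mtu, options, flags, seq = struct.unpack("!HBBI", body[:8])
        info.update(interface_mtu=mtu, options=options, flags=flags, dd_seq=seq)
    return info


def hello_mismatches(local: dict, remote: dict, point_to_point: bool = True) -> list:
    """Fields RFC 2328 section 10.5 requires to agree before a Hello is accepted."""
    checks = [("area_id", "area"), ("hello_interval", "hello interval"),
              ("dead_interval", "dead interval"), ("auth_type", "auth type")]
    if not point_to_point:  # the network mask is ignored on point-to-point links
        checks.append(("netmask", "network mask"))
    problems = []
    for key, label in checks:
        ours, theirs = local[key], remote[key]
        if ours != theirs:
            if key == "auth_type":
                ours, theirs = AUTH_NAMES.get(ours, ours), AUTH_NAMES.get(theirs, theirs)
            problems.append(f"{label}: ours={ours} theirs={theirs}")
    if (local["options"] ^ remote["options"]) & E_BIT:
        problems.append("options: E-bit (stub area) mismatch")
    return problems


def dbd_mtu_rejected(local_mtu: int, remote_dbd: dict, mtu_ignore: bool) -> bool:
    """RFC 2328 section 10.6: a DBD advertising an MTU larger than our interface
    accepts is dropped, leaving the neighbor stuck in ExStart; mtu-ignore disables this."""
    return (not mtu_ignore) and remote_dbd["interface_mtu"] > local_mtu


# Constructed samples: FortiGate 192.168.1.1 with a 1436-byte tunnel MTU and null
# auth; SRX 192.168.1.2 answering with MD5 auth and a 1500-byte st0 MTU.
FGT_TUNNEL_MTU = 1436
FGT_HELLO = build_hello("192.168.1.1", "0.0.0.0", 0, "255.255.255.252", 10, 40)
SRX_HELLO = build_hello("192.168.1.2", "0.0.0.0", 2, "255.255.255.252", 10, 40)
SRX_DBD = build_dbd("192.168.1.2", "0.0.0.0", 2, 1500)


def diagnose() -> dict:
    local, remote, dbd = parse_ospf(FGT_HELLO), parse_ospf(SRX_HELLO), parse_ospf(SRX_DBD)
    return {
        "hello_problems": hello_mismatches(local, remote),
        "stuck_in_exstart_without_mtu_ignore": dbd_mtu_rejected(FGT_TUNNEL_MTU, dbd, False),
        "stuck_in_exstart_with_mtu_ignore": dbd_mtu_rejected(FGT_TUNNEL_MTU, dbd, True),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

    With the constructed samples the only Hello problem reported is the auth type (null on the FortiGate side, MD5 on the SRX side), and the 1500-byte MTU in the SRX's DBD is rejected against the 1436-byte tunnel unless mtu-ignore is set, which is exactly the state in which a neighbor sits in ExStart in `get router info ospf neighbor`. To run it against real traffic, feed parse_ospf() the OSPF payload (after the IP header) of each packet taken from the diag sniffer or SRX trace.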
    Fullmoon (Platinum Member)
    Re: ospf vpn fortigate -juniper 2015/02/17 20:55:06
    Kudos to ashukla and to the rest of the Forti experts for sharing their ideas. OSPF is now working ;-)
    post edited by Fullmoon - 2015/02/17 21:17:40

    Fortigate Newbie
    #9