Routing from Juniper LAN subnet to Fortigate 200B IPSec VPN subnets

I have a Fortigate200B in place which is used for IPSec VPN towards 50 locations.
Recently, I have set up a Juniper SRX240 with a new subnet, to be used for the office network.
I configured one interface on SRX240 with and connected it to a switch interface
on FGT200B which uses
The idea is to set up routing from the Juniper LAN subnet to different subnets behind FGT VPN.
I have set up the subnet on Juniper LAN, Fortigate uses for VPN subnets.
The old office LAN subnet on FGT200B is
I created static routes for routing between subnets and firewall zones/policies.
When I go to Troubleshoot/Ping Host in J-Web config I can successfully ping IP addresses on FGT VPN subnets
and the old office subnet.
But, when I try to ping from a PC on the new Juniper LAN subnet I cannot get to the VPN subnets.
Here is the output of my routing table on SRX240:
show route terse
inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
A Destination P Prf Metric 1 Metric 2 Next hop AS path
* S 5 >
* D 0 >ge-0/0/0.0
* L 0 Local
* D 0 >vlan.0
* L 0 Local
* S 5 >
* D 0 >ge-0/0/2.0
S 5 >
* L 0 Local
Here is the output of my interfaces configuration:
show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
sp-0/0/0.16383 up up inet --> --> 0/0 --> --> 0/0
ge-0/0/1 up up
ge-0/0/1.0 up up eth-switch
ge-0/0/2 up up
ge-0/0/2.0 up up inet
ge-0/0/3 up down
ge-0/0/3.0 up down eth-switch
ge-0/0/4 up down
ge-0/0/4.0 up down eth-switch
ge-0/0/5 up down
ge-0/0/5.0 up down eth-switch
ge-0/0/6 up down
ge-0/0/6.0 up down eth-switch
ge-0/0/7 up down
ge-0/0/7.0 up down eth-switch
ge-0/0/8 up down
ge-0/0/8.0 up down eth-switch
ge-0/0/9 up down
ge-0/0/9.0 up down eth-switch
ge-0/0/10 up down
ge-0/0/10.0 up down eth-switch
ge-0/0/11 up down
ge-0/0/11.0 up down eth-switch
ge-0/0/12 up down
ge-0/0/12.0 up down eth-switch
ge-0/0/13 up down
ge-0/0/13.0 up down eth-switch
ge-0/0/14 up down
ge-0/0/14.0 up down eth-switch
ge-0/0/15 up down
ge-0/0/15.0 up down eth-switch
fxp2 up up
fxp2.0 up up tnp 0x1
gre up up
ipip up up
irb up up
lo0 up up
lo0.16384 up up inet --> 0/0
lo0.16385 up up inet --> 0/0 --> 0/0 --> 0/0 --> 0/0
lo0.32768 up up
lsi up up
mtun up up
pimd up up
pime up up
pp0 up up
ppd0 up up
ppe0 up up
st0 up up
tap up up
vlan up up
vlan.0 up up inet
What am I missing?
3 Solutions
The SRX is a firewall; are you allowing the traffic through?
proteus-IV (Author) commented:
Yes, a Juniper support engineer connected to it and checked the config.
He told me that everything is set up correctly and that FGT200B is blocking
traffic towards VPN subnets.
Your FG needs to have a static route for with next hop

The FG also, of course, needs to allow that traffic.
proteus-IV (Author) commented:
I had to add static routes and FW policies on all remote FGT units.
proteus-IV (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for proteus-IV's comment #a38794497

for the following reason:

Other comments were not the solution.
Does comment 38761981 not give the same result?

If it does, then please award points.
proteus-IV (Author) commented:
I had already added the static route with next hop and FW policies to allow traffic on FGT200B, but I also had to add a static route on all remote FGT units behind IPSec VPN tunnels to allow traffic to subnet and add FW policies.
proteus-IV (Author) commented:
Solutions provided were incomplete.
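As an added illustration (not code from the thread or from either vendor), here is a small Python model of longest-prefix-match routing over a constructed topology (placeholder 10.x addresses and device names srx240 / fgt200b / remote_fgt are assumptions) that reproduces the symptom: a ping sourced from the SRX's link address succeeds while a ping from a PC on the new LAN fails, until the remote unit gets a return route for the new subnet.

```python
# Added example (not from the thread): a tiny longest-prefix-match routing model that
# shows why a ping needs routes in BOTH directions. Addresses are constructed placeholders.
import ipaddress

def build_topology(remote_has_return_route):
    """PC on new SRX LAN -> srx240 -> fgt200b (hub) =IPsec= remote_fgt -> remote LAN.
    'local' = directly connected prefixes; 'routes' = static routes (prefix, next-hop device)."""
    remote_routes = [("10.0.0.0/24", "fgt200b"), ("10.1.0.0/30", "fgt200b")]
    if remote_has_return_route:               # the fix from the thread: route for the new SRX LAN
        remote_routes.append(("10.10.0.0/24", "fgt200b"))
    return {
        "srx240": {"local": ["10.10.0.0/24", "10.1.0.0/30"],      # new LAN + transit link
                   "routes": [("0.0.0.0/0", "fgt200b")]},
        "fgt200b": {"local": ["10.1.0.0/30", "10.0.0.0/24"],      # transit link + old office LAN
                    "routes": [("10.20.0.0/24", "remote_fgt"), ("10.10.0.0/24", "srx240")]},
        "remote_fgt": {"local": ["10.20.0.0/24"], "routes": remote_routes},
    }

def next_hop(device, dst):
    """Return 'connected', the next-hop device name, or None when no route matches."""
    ip = ipaddress.ip_address(dst)
    if any(ip in ipaddress.ip_network(p) for p in device["local"]):
        return "connected"
    best = None
    for prefix, hop in device["routes"]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)                 # longest prefix wins over the default route
    return best[1] if best else None

def trace(topo, start, dst, max_hops=8):
    """Forward hop by hop; return the device path, or None if some hop has no route."""
    dev, hops = start, [start]
    for _ in range(max_hops):
        nh = next_hop(topo[dev], dst)
        if nh == "connected":
            return hops
        if nh is None or nh not in topo:
            return None
        dev = nh
        hops.append(dev)
    return None

def ping_works(topo, src_dev, src_ip, dst_dev, dst_ip):
    """Echo request must reach the destination AND the reply must find a route back to src_ip."""
    fwd = trace(topo, src_dev, dst_ip)
    back = trace(topo, dst_dev, src_ip)
    return fwd is not None and back is not None
```

Calling `ping_works(build_topology(False), "srx240", "10.1.0.1", "remote_fgt", "10.20.0.10")` succeeds (the J-Web case), while the same call sourced from `"10.10.0.50"` fails until `build_topology(True)` adds the return route on the remote unit.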