Solved

Routing from Juniper LAN subnet to Fortigate 200B IPSec VPN subnets

Posted on 2013-01-09
8
1,274 Views
Last Modified: 2013-01-23
I have a Fortigate200B in place which is used for IPSec VPN towards 50 locations.
Recently, I have set up a Juniper SRX240 with a new subnet, to be used for the office network.
I configured one interface on SRX240 with 192.168.1.153/24 and connected it to a switch interface
on FGT200B which uses 192.168.1.150/24.
The idea is to set up routing from the Juniper LAN subnet to different subnets behind FGT VPN.
 
I have setup the subnet 172.16.3.0/24 on Juniper LAN, Fortigate uses 192.168.0.0/16 for VPN subnets.
The old office LAN subnet on FGT200B is 192.168.1.0/24.
I created static routes for routing between subnets and firewall zones/policies.
 
When I go to Troubleshoot/Ping Host in J-Web config I can succesfully ping IP addresses on FGT VPN subnets
and the old office subnet.
But, when I try to ping from a PC on the new Juniper LAN subnet I cannot get to the VPN subnets.
 
Here is the output of my routing table on SRX240:
show route terse
inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
A Destination P Prf Metric 1 Metric 2 Next hop AS path
* 0.0.0.0/0 S 5 >31.45.244.137
* 31.45.244.136/29 D 0 >ge-0/0/0.0
* 31.45.244.138/32 L 0 Local
* 172.16.3.0/24 D 0 >vlan.0
* 172.16.3.1/32 L 0 Local
* 192.168.0.0/16 S 5 >192.168.1.150
* 192.168.1.0/24 D 0 >ge-0/0/2.0
S 5 >192.168.1.150
* 192.168.1.153/32 L 0 Local
 
Here is the output of my interfaces configuration:
show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 31.45.244.138/29
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
sp-0/0/0.16383 up up inet 10.0.0.1 --> 10.0.0.16
10.0.0.6 --> 0/0
128.0.0.1 --> 128.0.1.16
128.0.0.6 --> 0/0
ge-0/0/1 up up
ge-0/0/1.0 up up eth-switch
ge-0/0/2 up up
ge-0/0/2.0 up up inet 192.168.1.153/24
ge-0/0/3 up down
ge-0/0/3.0 up down eth-switch
ge-0/0/4 up down
ge-0/0/4.0 up down eth-switch
ge-0/0/5 up down
ge-0/0/5.0 up down eth-switch
ge-0/0/6 up down
ge-0/0/6.0 up down eth-switch
ge-0/0/7 up down
ge-0/0/7.0 up down eth-switch
ge-0/0/8 up down
ge-0/0/8.0 up down eth-switch
ge-0/0/9 up down
ge-0/0/9.0 up down eth-switch
ge-0/0/10 up down
ge-0/0/10.0 up down eth-switch
ge-0/0/11 up down
ge-0/0/11.0 up down eth-switch
ge-0/0/12 up down
ge-0/0/12.0 up down eth-switch
ge-0/0/13 up down
ge-0/0/13.0 up down eth-switch
ge-0/0/14 up down
ge-0/0/14.0 up down eth-switch
ge-0/0/15 up down
ge-0/0/15.0 up down eth-switch
fxp2 up up
fxp2.0 up up tnp 0x1
gre up up
ipip up up
irb up up
lo0 up up
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0
10.0.0.16 --> 0/0
128.0.0.1 --> 0/0
128.0.1.16 --> 0/0
lo0.32768 up up
lsi up up
mtun up up
pimd up up
pime up up
pp0 up up
ppd0 up up
ppe0 up up
st0 up up
tap up up
vlan up up
vlan.0 up up inet 172.16.3.1/24
 
 
What am I missing?
0
Comment
Question by:proteus-IV
  • 5
  • 2
8 Comments
 
LVL 18

Expert Comment

by:deimark
ID: 38761076
The SRX is a firewall, are you allowing the traffic through?
0
 

Author Comment

by:proteus-IV
ID: 38761930
Yes, a Juniper support enginneer connected to it and checked the config.
He told me that everything is setup correctly and that FGT200B is blocking
traffic towards VPN subnets.
0
 
LVL 17

Assisted Solution

by:pergr
pergr earned 500 total points
ID: 38761981
Your FG needs to have a static route for 172.16.3.0/24 with next hop 192.168.1.153.

The FG also, of course, needs to allow that traffic.
0
 

Assisted Solution

by:proteus-IV
proteus-IV earned 0 total points
ID: 38794497
I had to add static routes and FW policies on all remote FGT units.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:proteus-IV
ID: 38794642
I've requested that this question be closed as follows:

Accepted answer: 0 points for proteus-IV's comment #a38794497

for the following reason:

Other comments were not the solution.
0
 
LVL 18

Expert Comment

by:deimark
ID: 38794643
Does comment 38761981 not give the same result.

If it is then please award points
0
 

Accepted Solution

by:
proteus-IV earned 0 total points
ID: 38794895
I had already added the static route 172.16.3.0/24 with next hop 192.168.1.153 and FW policies to allow traffic on FGT200B, but I also had too add a static route on all remote FGT units behind IPSec VPN tunnels to allow traffic to 172.16.3.0/24 subnet and add FW policies.
0
 

Author Closing Comment

by:proteus-IV
ID: 38809172
Solutions provided were incomplete.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now