Routing from Juniper LAN subnet to Fortigate 200B IPSec VPN subnets

I have a Fortigate200B in place which is used for IPSec VPN towards 50 locations.
Recently, I have set up a Juniper SRX240 with a new subnet, to be used for the office network.
I configured one interface on SRX240 with 192.168.1.153/24 and connected it to a switch interface
on FGT200B which uses 192.168.1.150/24.
The idea is to set up routing from the Juniper LAN subnet to different subnets behind FGT VPN.
 
I have setup the subnet 172.16.3.0/24 on Juniper LAN, Fortigate uses 192.168.0.0/16 for VPN subnets.
The old office LAN subnet on FGT200B is 192.168.1.0/24.
I created static routes for routing between subnets and firewall zones/policies.
 
When I go to Troubleshoot/Ping Host in J-Web config I can succesfully ping IP addresses on FGT VPN subnets
and the old office subnet.
But, when I try to ping from a PC on the new Juniper LAN subnet I cannot get to the VPN subnets.
 
Here is the output of my routing table on SRX240:
show route terse
inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
A Destination P Prf Metric 1 Metric 2 Next hop AS path
* 0.0.0.0/0 S 5 >31.45.244.137
* 31.45.244.136/29 D 0 >ge-0/0/0.0
* 31.45.244.138/32 L 0 Local
* 172.16.3.0/24 D 0 >vlan.0
* 172.16.3.1/32 L 0 Local
* 192.168.0.0/16 S 5 >192.168.1.150
* 192.168.1.0/24 D 0 >ge-0/0/2.0
S 5 >192.168.1.150
* 192.168.1.153/32 L 0 Local
 
Here is the output of my interfaces configuration:
show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 31.45.244.138/29
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
sp-0/0/0.16383 up up inet 10.0.0.1 --> 10.0.0.16
10.0.0.6 --> 0/0
128.0.0.1 --> 128.0.1.16
128.0.0.6 --> 0/0
ge-0/0/1 up up
ge-0/0/1.0 up up eth-switch
ge-0/0/2 up up
ge-0/0/2.0 up up inet 192.168.1.153/24
ge-0/0/3 up down
ge-0/0/3.0 up down eth-switch
ge-0/0/4 up down
ge-0/0/4.0 up down eth-switch
ge-0/0/5 up down
ge-0/0/5.0 up down eth-switch
ge-0/0/6 up down
ge-0/0/6.0 up down eth-switch
ge-0/0/7 up down
ge-0/0/7.0 up down eth-switch
ge-0/0/8 up down
ge-0/0/8.0 up down eth-switch
ge-0/0/9 up down
ge-0/0/9.0 up down eth-switch
ge-0/0/10 up down
ge-0/0/10.0 up down eth-switch
ge-0/0/11 up down
ge-0/0/11.0 up down eth-switch
ge-0/0/12 up down
ge-0/0/12.0 up down eth-switch
ge-0/0/13 up down
ge-0/0/13.0 up down eth-switch
ge-0/0/14 up down
ge-0/0/14.0 up down eth-switch
ge-0/0/15 up down
ge-0/0/15.0 up down eth-switch
fxp2 up up
fxp2.0 up up tnp 0x1
gre up up
ipip up up
irb up up
lo0 up up
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0
10.0.0.16 --> 0/0
128.0.0.1 --> 0/0
128.0.1.16 --> 0/0
lo0.32768 up up
lsi up up
mtun up up
pimd up up
pime up up
pp0 up up
ppd0 up up
ppe0 up up
st0 up up
tap up up
vlan up up
vlan.0 up up inet 172.16.3.1/24
 
 
What am I missing?
proteus-IVAsked:
Who is Participating?
 
proteus-IVConnect With a Mentor Author Commented:
I had already added the static route 172.16.3.0/24 with next hop 192.168.1.153 and FW policies to allow traffic on FGT200B, but I also had too add a static route on all remote FGT units behind IPSec VPN tunnels to allow traffic to 172.16.3.0/24 subnet and add FW policies.
0
 
deimarkCommented:
The SRX is a firewall, are you allowing the traffic through?
0
 
proteus-IVAuthor Commented:
Yes, a Juniper support enginneer connected to it and checked the config.
He told me that everything is setup correctly and that FGT200B is blocking
traffic towards VPN subnets.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
pergrConnect With a Mentor Commented:
Your FG needs to have a static route for 172.16.3.0/24 with next hop 192.168.1.153.

The FG also, of course, needs to allow that traffic.
0
 
proteus-IVConnect With a Mentor Author Commented:
I had to add static routes and FW policies on all remote FGT units.
0
 
proteus-IVAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for proteus-IV's comment #a38794497

for the following reason:

Other comments were not the solution.
0
 
deimarkCommented:
Does comment 38761981 not give the same result.

If it is then please award points
0
 
proteus-IVAuthor Commented:
Solutions provided were incomplete.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.