• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1383
  • Last Modified:

Routing from Juniper LAN subnet to Fortigate 200B IPSec VPN subnets

I have a Fortigate200B in place which is used for IPSec VPN towards 50 locations.
Recently, I have set up a Juniper SRX240 with a new subnet, to be used for the office network.
I configured one interface on SRX240 with 192.168.1.153/24 and connected it to a switch interface
on FGT200B which uses 192.168.1.150/24.
The idea is to set up routing from the Juniper LAN subnet to different subnets behind FGT VPN.
 
I have setup the subnet 172.16.3.0/24 on Juniper LAN, Fortigate uses 192.168.0.0/16 for VPN subnets.
The old office LAN subnet on FGT200B is 192.168.1.0/24.
I created static routes for routing between subnets and firewall zones/policies.
 
When I go to Troubleshoot/Ping Host in J-Web config I can succesfully ping IP addresses on FGT VPN subnets
and the old office subnet.
But, when I try to ping from a PC on the new Juniper LAN subnet I cannot get to the VPN subnets.
 
Here is the output of my routing table on SRX240:
show route terse
inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
A Destination P Prf Metric 1 Metric 2 Next hop AS path
* 0.0.0.0/0 S 5 >31.45.244.137
* 31.45.244.136/29 D 0 >ge-0/0/0.0
* 31.45.244.138/32 L 0 Local
* 172.16.3.0/24 D 0 >vlan.0
* 172.16.3.1/32 L 0 Local
* 192.168.0.0/16 S 5 >192.168.1.150
* 192.168.1.0/24 D 0 >ge-0/0/2.0
S 5 >192.168.1.150
* 192.168.1.153/32 L 0 Local
 
Here is the output of my interfaces configuration:
show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 31.45.244.138/29
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
sp-0/0/0.16383 up up inet 10.0.0.1 --> 10.0.0.16
10.0.0.6 --> 0/0
128.0.0.1 --> 128.0.1.16
128.0.0.6 --> 0/0
ge-0/0/1 up up
ge-0/0/1.0 up up eth-switch
ge-0/0/2 up up
ge-0/0/2.0 up up inet 192.168.1.153/24
ge-0/0/3 up down
ge-0/0/3.0 up down eth-switch
ge-0/0/4 up down
ge-0/0/4.0 up down eth-switch
ge-0/0/5 up down
ge-0/0/5.0 up down eth-switch
ge-0/0/6 up down
ge-0/0/6.0 up down eth-switch
ge-0/0/7 up down
ge-0/0/7.0 up down eth-switch
ge-0/0/8 up down
ge-0/0/8.0 up down eth-switch
ge-0/0/9 up down
ge-0/0/9.0 up down eth-switch
ge-0/0/10 up down
ge-0/0/10.0 up down eth-switch
ge-0/0/11 up down
ge-0/0/11.0 up down eth-switch
ge-0/0/12 up down
ge-0/0/12.0 up down eth-switch
ge-0/0/13 up down
ge-0/0/13.0 up down eth-switch
ge-0/0/14 up down
ge-0/0/14.0 up down eth-switch
ge-0/0/15 up down
ge-0/0/15.0 up down eth-switch
fxp2 up up
fxp2.0 up up tnp 0x1
gre up up
ipip up up
irb up up
lo0 up up
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0
10.0.0.16 --> 0/0
128.0.0.1 --> 0/0
128.0.1.16 --> 0/0
lo0.32768 up up
lsi up up
mtun up up
pimd up up
pime up up
pp0 up up
ppd0 up up
ppe0 up up
st0 up up
tap up up
vlan up up
vlan.0 up up inet 172.16.3.1/24
 
 
What am I missing?
0
proteus-IV
Asked:
proteus-IV
  • 5
  • 2
3 Solutions
 
deimarkCommented:
The SRX is a firewall, are you allowing the traffic through?
0
 
proteus-IVAuthor Commented:
Yes, a Juniper support enginneer connected to it and checked the config.
He told me that everything is setup correctly and that FGT200B is blocking
traffic towards VPN subnets.
0
 
pergrCommented:
Your FG needs to have a static route for 172.16.3.0/24 with next hop 192.168.1.153.

The FG also, of course, needs to allow that traffic.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
proteus-IVAuthor Commented:
I had to add static routes and FW policies on all remote FGT units.
0
 
proteus-IVAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for proteus-IV's comment #a38794497

for the following reason:

Other comments were not the solution.
0
 
deimarkCommented:
Does comment 38761981 not give the same result.

If it is then please award points
0
 
proteus-IVAuthor Commented:
I had already added the static route 172.16.3.0/24 with next hop 192.168.1.153 and FW policies to allow traffic on FGT200B, but I also had too add a static route on all remote FGT units behind IPSec VPN tunnels to allow traffic to 172.16.3.0/24 subnet and add FW policies.
0
 
proteus-IVAuthor Commented:
Solutions provided were incomplete.
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now