
IPSEC between SRX and Fortinet not coming up


HI Team,

I'm new to IPsec and am trying to set up an IPsec VPN between a Fortinet and an SRX, but it is not working. I captured packets and found that the SRX is not initiating IKE communication. The configuration and topology are below. Phase 1 is not coming up. Please help.

 

TOPO.PNG

 


# Review notes are the lines starting with '#'; drop them if your loader rejects comment lines.
# NOTE(review): this root password hash and the IKE pre-shared key further down were published
# with this post; treat both as exposed and rotate them.
set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
set system services ssh
# Cleartext HTTP management is enabled on both ge-0/0/0.0 and ge-0/0/1.0; ge-0/0/1.0 is the
# IKE-facing untrust interface (see the zones section below). Prefer https only.
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface ge-0/0/1.0
set system services web-management https pki-local-certificate 12345
set system services web-management https interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description TO_FORTINET
set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
set interfaces ge-0/0/2 description TO_R4
set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
# st0.0 is the tunnel interface bound to the VPN below, but nothing in this listing routes
# traffic into it and it is not placed in any security zone (see the zones section).
set interfaces st0 unit 0 family inet
# The only static route sends 2.2.2.2/32 toward R4 (23.0.0.2), not into st0.0, and there is no
# route for the Fortinet-side prefix (1.1.1.1/32 per the Fortinet phase2 src-start-ip).
# NOTE(review): a route-based SRX VPN without `establish-tunnels immediately` is expected to
# start IKE only when traffic is forwarded to st0.0 -- confirm; as configured that never
# happens, which fits the capture showing the SRX not initiating.
set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
set security ike traceoptions file IKE
set security ike traceoptions file size 10k
set security ike traceoptions file files 2
set security ike traceoptions flag all
# The proposal is named AES256-SHA256-DH2 but its encryption-algorithm is des-cbc (single DES).
# It does line up with the Fortinet phase1 proposal `des-sha256`, so it is not the phase 1
# blocker, but the name is misleading and DES is a legacy cipher; move both sides to an AES
# proposal once the tunnel is up.
set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
# `mode aggressive` is an IKEv1 setting; the gateway below is `version v2-only`, so it has no
# effect on this tunnel (IKEv2 has no main/aggressive mode).
set security ike policy ike01-DUB-Three mode aggressive
set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
# NOTE(review): `$9$` is Junos reversible obfuscation, not a one-way hash; this key is exposed.
set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
# Peer and local addresses line up with the Fortinet local-gw / remote-gw
# (192.168.86.4 / 192.168.86.3).
set security ike gateway ike01-DUB-Three address 192.168.86.4
set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
# Matches the Fortinet `set ike-version 2`.
set security ike gateway ike01-DUB-Three version v2-only
# Phase 2: esp + hmac-sha1-96 + des-cbc lines up with the Fortinet phase2 proposal `des-sha1`.
set security ipsec proposal AES256-SHA256-PFS protocol esp
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
# PFS mismatch: this side requires group2 while the Fortinet phase2 has `set pfs disable`.
# Phase 2 will fail on this even after phase 1 is fixed; enable PFS DH group 2 on the Fortinet
# or remove this line.
set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2
set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
set security ipsec vpn vpn01-DUB-Three df-bit clear
set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
# Traffic-selector mismatch: the Fortinet phase2 uses src 1.1.1.1 (its side) / dst 2.2.2.2
# (this side), and 2.2.2.2/32 is routed out ge-0/0/2 here, so the SRX local selector should be
# 2.2.2.2/32 with remote 1.1.1.1/32, e.g.
#   set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32
#   set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32
# No `proxy-identity remote` is configured at all in this listing.
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
# Only a trust-to-trust permit policy exists; once st0.0 is placed in a zone, traffic between
# that zone and trust needs its own policy.
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
# ge-0/0/0.0 in untrust accepts telnet, http and dhcp: cleartext management on an untrust
# interface. Restrict to ssh/https (plus ping if needed) once the lab work is done.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
# `ike` is allowed on ge-0/0/1.0, the gateway's external-interface; this is what is needed for
# inbound IKE from the Fortinet and is correct as written.
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

 

 

# Review notes are the lines starting with '#'; drop them if your loader rejects comment lines.
config vpn ipsec phase1-interface
edit "ike01-DUB-Three"
set interface "port2"
# Matches the SRX gateway `version v2-only`.
set ike-version 2
# local-gw / remote-gw line up with the SRX ge-0/0/1 address and gateway address
# (192.168.86.3 / 192.168.86.4); keylife matches the SRX IKE lifetime-seconds 28800.
set local-gw 192.168.86.4
set keylife 28800
# peertype any: no peer identity check. The SRX sends local-identity inet 192.168.86.3, so the
# peer ID could be pinned once the tunnel works; optional for a lab.
set peertype any
set net-device disable
# des-sha256 matches the SRX IKE proposal (des-cbc + sha-256 + dh-group 2); des-md5 has no
# counterpart on the SRX. Both entries are single DES; move both sides to AES once working.
set proposal des-md5 des-sha256
set comments "ike01-DUB-Three"
# Matches the SRX dh-group group2.
set dhgrp 2
set remote-gw 192.168.86.3
# NOTE(review): this ENC blob and the SRX pre-shared key were both posted publicly; rotate the PSK
# on both ends.
set psksecret ENC aGBmGGUZbROTSqjPLFzg6E5DGdFjhYuySFrv99s0NsQ3cJvYzW9sjkEANCZ22HyyNTLY+qnDMWxuE6xPKKu8FAnCO11UggEOQWKSH4gfZIl8jEl8u/dZ1Xc/ChSPaGXT7Ch/mFpQwkoR/HX/2CpOc8IDiQ806LhcyQ4edqlLrzTm+A+G/02qHXipb+bYiUUwA7uhpg==
next
end

FORTINET # show vpn ipsec phase2-interface
# Review notes are the lines starting with '#'; drop them if your loader rejects comment lines.
config vpn ipsec phase2-interface
edit "ike01-DUB-Three"
set phase1name "ike01-DUB-Three"
# des-sha1 matches the SRX IPsec proposal (esp, hmac-sha1-96, des-cbc); des-md5 has no SRX
# counterpart. Single DES on both sides; move to AES once the tunnel is up.
set proposal des-md5 des-sha1
# Mismatch: the SRX ipsec policy requires perfect-forward-secrecy keys group2. Either enable
# PFS here with DH group 2 (`set pfs enable` / `set dhgrp 2`; confirm option names on your
# FortiOS release) or drop PFS on the SRX.
set pfs disable
set comments "ike01-DUB-Three"
set src-addr-type ip
set dst-addr-type ip
# Matches the SRX IPsec lifetime-seconds 3600.
set keylifeseconds 3600
# Selectors: src 1.1.1.1 (this side) / dst 2.2.2.2 (SRX side, routed out its ge-0/0/2). The SRX
# currently sets proxy-identity local 1.1.1.1/32 and no remote, which is the reverse of this and
# will not match.
set src-start-ip 1.1.1.1
set dst-start-ip 2.2.2.2
next
end

 

 

 

 

 

 

 

