Here is the step-by-step guide for building a site-to-site VPN between a FortiGate and a ScreenOS firewall. There is not much to say about it: I am publishing several screenshots and CLI listings of both firewalls, along with an overview of my lab.
The devices tested are a Juniper SSG 5 (6.3.0r18.0) and a FortiWiFi 90D (v5.2.2).
Lab
The following figure shows the lab I used for this test:
FortiGate
The FortiGate firewall is configured in the following way. See the image descriptions for more details.
Juniper SSG
The ScreenOS device is configured in a similar way.
Monitoring
If everything is configured correctly, the following menus should reveal the established VPN tunnel:
Alternatively, the CLI can be used:
FortiGate:
fd-wv-fw04 # get vpn ike gateway fd-wv-fw01

vd: root/0
name: fd-wv-fw01
version: 1
interface: wan1 6
addr: 172.16.1.6:500 -> 172.16.1.1:500
created: 1886922s ago
IKE SA  created: 1/68  established: 1/68  time: 140/244/6150 ms
IPsec SA  created: 1/529  established: 1/529  time: 110/122/440 ms

id/spi: 20197 a6a2bf730478549d/e93ba6ca5b3a76ec
direction: initiator
status: established 5906-5906s ago = 160ms
proposal: aes-256-sha256
key: a3ec5594ba99c237-d02094bfbcd1c68f-b25a658df5746916-e0f5a096a9b9369c
lifetime/rekey: 28800/22593
DPD sent/recv: 00066514/0117eef0

fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get vpn ipsec tunnel name fd-wv-fw01

gateway
  name: 'fd-wv-fw01'
  type: route-based
  local-gateway: 172.16.1.6:0 (static)
  remote-gateway: 172.16.1.1:0 (static)
  mode: ike-v1
  interface: 'wan1' (6)
  rx  packets: 323771  bytes: 8332412  errors: 0
  tx  packets: 323773  bytes: 8298620  errors: 0
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: 'blubb'
    auto-negotiate: disable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA  lifetime/rekey: 3600/611  mtu: 1438  tx-esp-seq: 129  replay: enabled
    inbound  spi: c97b0cfd
      enc:  aes  362214859c31f1645aef153ffcf13be2749f67053a3b9f13eb6db9970b6ae9d8
      auth: sha256  8be7f22b93143a38fe83514f535a6d2eeefabe62275dafc5311f3cff78b0037b
    outbound  spi: f41f6f7d
      enc:  aes  f3987da624db8f11b31ac0a80bd1e0d3de1c05e81865b6bf312e64c51716901b
      auth: sha256  fce036c0b772216a34ef068cea7f29c31c5778b1b546131b31394775b91ebae4
    NPU acceleration: encryption(outbound) decryption(inbound)
SSG:
fd-wv-fw01-> get ike cookies
IKEv1 SA -- Active: 10, Dead: 0, Total 10

80102f/0003, 172.16.1.6:500->172.16.1.1:500, PRESHR/grp14/AES256/SHA2-256, xchg(5) (fd-wv-fw04/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 23327 cert-expire 0
responder, err cnt 0, send dir 1,  cond 0x0
nat-traversal map not available
ike heartbeat              : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 18345669, peer 419049

fd-wv-fw01->
fd-wv-fw01->
fd-wv-fw01-> get sa id 0x0000000e
index 7, name fd-wv-fw04, peer gateway ip 172.16.1.6. vsys auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 14, peer id 7, NSRP Local. site-to-site. Local interface is ethernet0/6 <172.16.1.1>.
  esp, group 14, a256 encryption, s256 authentication
  autokey, IN active, OUT active
  monitor<1>, latency: 1, availability: 100
  DF bit: clear
  app_sa_flags: 0x24001a7
  proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0/0
  ike activity timestamp: 1882685177
  DSCP-mark : disabled
  nat-traversal map not available
  incoming: SPI f41f6f87, flag 00004000, tunnel info 4000000e, pipeline
    life 3600 sec, 2869 remain, 0 kb, 0 bytes remain
    anti-replay on, last 0x49, window 0xffffffff, idle timeout value <0>, idled 6 seconds
    next pak sequence number: 0x0
    bytes/paks:8280316/188189; sw bytes/paks:8280316/188189
  outgoing: SPI c97b0d00, flag 00000000, tunnel info 4000000e, pipeline
    life 3600 sec, 2869 remain, 0 kb, 0 bytes remain
    anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 6 seconds
    next pak sequence number: 0x49
    bytes/paks:8303592/188718; sw bytes/paks:8303592/188718
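As an added example that is not part of the original post, here is a small Python check that parses the two FortiGate outputs shown above (`get vpn ike gateway` and `get vpn ipsec tunnel name`) and flags what a tunnel monitor should care about: IKE SA established, an AES/SHA-2 proposal, no failed IKE or IPsec negotiations, DPD negotiated, zero rx/tx errors and ESP anti-replay on. The sample strings are trimmed from the listing above; the field names and layout are those of FortiOS 5.2 as printed there.

```python
import re

# Sample taken from the FortiGate listing above, trimmed to the lines the checks read.
FGT_IKE = """\
name: fd-wv-fw01
addr: 172.16.1.6:500 -> 172.16.1.1:500
IKE SA  created: 1/68  established: 1/68  time: 140/244/6150 ms
IPsec SA  created: 1/529  established: 1/529  time: 110/122/440 ms
status: established 5906-5906s ago = 160ms
proposal: aes-256-sha256
lifetime/rekey: 28800/22593
"""
FGT_TUN = """\
  rx  packets: 323771  bytes: 8332412  errors: 0
  tx  packets: 323773  bytes: 8298620  errors: 0
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
    SA  lifetime/rekey: 3600/611  mtu: 1438  tx-esp-seq: 129  replay: enabled
"""

def field(text, key):
    """Value following 'key:' at the start of a line (first match), or ''."""
    m = re.search(r'^\s*' + re.escape(key) + r':\s*(.+?)\s*$', text, re.M)
    return m.group(1) if m else ''

def sa_counts(ike, kind):
    """(created_total, established_total) for kind 'IKE' or 'IPsec'."""
    m = re.search(kind + r' SA\s+created: \d+/(\d+)\s+established: \d+/(\d+)', ike)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def check_tunnel(ike, tun):
    """Return (ok, findings); ok is True only when every check passes."""
    findings = []
    if not field(ike, 'status').startswith('established'):
        findings.append('IKE SA not established: ' + field(ike, 'status'))
    # Accept only AES with a SHA-2 integrity algorithm, as negotiated in the lab.
    if not re.fullmatch(r'aes-(128|192|256)-sha(256|384|512)', field(ike, 'proposal')):
        findings.append('unexpected IKE proposal: ' + field(ike, 'proposal'))
    for kind in ('IKE', 'IPsec'):
        created, established = sa_counts(ike, kind)
        if established < created:  # every attempted negotiation should have succeeded
            findings.append('%s SA negotiations failed: %d of %d' % (kind, created - established, created))
    if not field(tun, 'dpd').startswith('enabled/negotiated'):
        findings.append('DPD not negotiated: ' + field(tun, 'dpd'))
    for direction in ('rx', 'tx'):
        m = re.search(r'^\s*' + direction + r'\s+packets: \d+\s+bytes: \d+\s+errors: (\d+)', tun, re.M)
        if m is None or int(m.group(1)) != 0:
            findings.append(direction + ' errors: ' + (m.group(1) if m else 'unknown'))
    if 'replay: enabled' not in tun:
        findings.append('ESP anti-replay disabled')
    return (not findings, findings)

if __name__ == '__main__':
    print(check_tunnel(FGT_IKE, FGT_TUN))
```

Feed it the raw output of both commands (for example collected over SSH) and alert on any non-empty findings list.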
Good luck!