SRX Services Gateway
Visitor
Buyagift
Posts: 6
Registered: ‎02-16-2011
0

SRX210 Site to Site VPN connection

Dear Members,

Someone has already set up the VPN connection between head office (London) and one remote office (Spain) and it's working fine. I need to set up another connection for another remote office in Italy. Please help me with what I should do. I am not sure whether they have configured the head office as multipoint or not. How can I check?

Should I copy the configuration from the Spain remote office into the Italy router configuration?

Any suggestions?

Super Contributor
colemtb
Posts: 313
Registered: ‎09-30-2009
0

Re: SRX210 Site to Site VPN connection

You would need to be on the head-end.

If it's a multipoint st interface then it would obviously be set that way on the st interface; conversely you could run "show security ipsec next-hop-tunnels" and check for output results.

If it's multipoint you will need to add routes to the head-end, well actually you are going to need to add routes anyway, and of course gateway / vpn stanzas under ike / ipsec.

On the remote side, you could probably use Spain as an example, e.g. on the same platform you could use the same external interface in ike as gateway if it's your untrust / same address for IKE peer since it's the same headend / your external IP for local identity etc. You could also get away with using the same proposal and policy on headends for ike and ipsec, so you could once again use Spain to get this information.

With respect to the IPsec stanza, it's nothing totally pinned down to a site unless you were using different destination IPs in VPN monitor or something.

If running VPN monitor on the headend / core, you would want the destination IP to be that of the remote secure tunnel.

Also, run optimized... ;)

Basically you need access to both.

Visitor
Buyagift
Posts: 6
Registered: ‎02-16-2011
0

Re: SRX210 Site to Site VPN connection

Hi,

Thanks for your suggestions. Head office was not set up as multipoint. It was a site-to-site VPN connection. So I made another site-to-site connection with a different interface st0.1 on the remote site and headend, with all new names for the proposal and IKE settings.

So it's working fine. I can access each other's machines via RDP.

I am just wondering how many site-to-site connections I can have?

Is it the right approach?

Should we configure multipoint on the head office?

Because in future we can have more remote sites?

What is your suggestion?

Visitor
Buyagift
Posts: 6
Registered: ‎02-16-2011
0

Re: SRX210 Site to Site VPN connection

Dear Colemtb,

I am back after a long time. Thanks for all the suggestions you gave during my last post. I now have one more issue. Basically we have one SRX210 in London and three in Spain, France and Italy respectively. So basically three tunnel connections to the head office Juniper (London). Now we have got our company intranet page. This intranet page works fine in Spain and France but not in Italy, though all three sites have a VPN connection to London (head office). I can ping the machines as well in Italy and from Italy to UK. The VPN connection is UP as well for Italy. Just the intranet page does not display anything in Italy.

Please help me in this matter. I spent a lot of time but could not sort it out. All three sites have almost the same configuration. If you need any more info I will be happy to share.

Regular Visitor
wongsta
Posts: 5
Registered: ‎10-27-2008
0

Re: SRX210 Site to Site VPN connection

Buyagift,

 

It's not practical to help troubleshoot an issue without the config of the devices. If you can sanitize part of your config and post it more people are willing to help. From just what you have stated before, it could be a firewall or security policy issue. But there is no way to be sure.
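
One way to do the sanitizing suggested in the reply above before posting a Junos "set"-format config, as an added example that is not part of the original thread and not a Juniper tool. The sample config, its names and addresses are constructed, and the list of secret-bearing keywords is an assumption that is not exhaustive.

```python
import ipaddress
import re

# Constructed sample in Junos "set" format; names, keys and addresses are made up.
SAMPLE_CONFIG = """\
set system root-authentication encrypted-password "$1$constructed$hash"
set security ike policy ike-pol-italy pre-shared-key ascii-text "$9$constructedSecret"
set security ike gateway gw-london address 203.0.113.10
set security ike gateway gw-london external-interface ge-0/0/0.0
set interfaces st0 unit 1 family inet address 10.255.1.2/30
set routing-options static route 192.168.10.0/24 next-hop st0.1
"""

# Keywords whose value is a secret (assumed list, not exhaustive). "$9$" strings
# are reversible obfuscation, so they are removed rather than left in place.
SECRET_RE = re.compile(
    r'\b(pre-shared-key (?:ascii-text|hexadecimal)|encrypted-password|authentication-key)'
    r'\s+(?:"[^"]*"|\S+)'
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sanitize(config):
    """Redact secrets and replace non-RFC1918 IPv4 addresses with stable labels."""
    labels = {}

    def swap_ip(match):
        text = match.group(0)
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return text  # not a valid address (e.g. 999.1.1.1); leave it alone
        if any(ip in net for net in RFC1918):
            return text  # private addressing is kept so routes stay readable
        # Same address always maps to the same label, so peers remain matchable.
        return labels.setdefault(text, f"PUBLIC-IP-{len(labels) + 1}")

    config = SECRET_RE.sub(r'\1 "<REDACTED>"', config)
    return IPV4_RE.sub(swap_ip, config)


if __name__ == "__main__":
    print(sanitize(SAMPLE_CONFIG))
```

Read the output before posting: usernames, hostnames, SNMP communities and IPv6 addresses are not touched by this script.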
