Screen OS

  • 1.  Access multiple zones over VPN

    Posted 07-08-2013 23:53

    Hi, I am new to the forum, so please excuse the mistakes. 🙂

    My setup looks like this:

                                                                                            |       |  DMZ       (192.168.10.0)
      (192.168.1.0/24) Trust-A |       | Untrust-A ===== VPN (Internet) ====== Untrust-B |       |  Trust-B   (192.168.20.0)
                                                                                            |       |  New-Trust (192.168.21.0)

    I have a GTA firewall at site A, soon to be replaced by an SSG 140, and an SSG 140 at site B.

    I currently have a route-based VPN up between Trust A and Trust B.

    I can ping 192.168.20.1 from Trust A (192.168.1.0). Is it possible to access servers on New Trust (192.168.21.0) via the VPN?

    I have been struggling for hours. I hope one of you can help me out, or point me in the right direction.

    Thanks

    #vpn


  • 2.  RE: Access multiple zones over VPN

    Posted 07-09-2013 02:09

    Hi,

    Welcome to the forum.

    Yes, it is possible, but you will need to perform some configuration tweaks.

    1. You need a route on the A firewall for 192.168.21.0, pointing to the same tunnel as 192.168.20.0.

    2. If the VPN configuration has proxy-IDs configured, it will be a good idea to remove them.

    3. Depending on which zones you have bound the tunnel interfaces to, you may need additional policies to permit traffic flow.

    There may be some other changes needed. It will be of help if you can share your current configuration. You can remove confidential info, like public IP addresses, before sharing your configuration here...



  • 3.  RE: Access multiple zones over VPN

    Posted 07-09-2013 04:36

    Hi,

    Thanks for the reply.

    Site A:

    unset key protection enable
    set clock dst-off
    set clock ntp
    set clock timezone 2
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst 
    set zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "MGT" block 
    unset zone "V1-Trust" tcp-rst 
    unset zone "V1-Untrust" tcp-rst 
    set zone "DMZ" tcp-rst 
    unset zone "V1-DMZ" tcp-rst 
    unset zone "VLAN" tcp-rst 
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Untrust"
    set interface "ethernet0/8" zone "DMZ"
    set interface "ethernet0/9" zone "Trust"
    set interface "tunnel.1" zone "Trust"
    set interface "tunnel.2" zone "Trust"
    set interface "tunnel.3" zone "Trust"
    set interface "tunnel.4" zone "Trust"
    set interface ethernet0/0 ip 192.168.111.254/24
    set interface ethernet0/0 nat
    unset interface vlan1 ip
    set interface ethernet0/1 ip 192.168.3.1/24
    set interface ethernet0/1 nat
    set interface ethernet0/2 ip 1.1.1.1/28
    set interface ethernet0/2 route
    set interface ethernet0/8 ip 192.168.2.1/24
    set interface ethernet0/8 route
    set interface ethernet0/9 ip 192.168.1.254/24
    set interface ethernet0/9 nat
    set interface tunnel.1 ip unnumbered interface ethernet0/9
    set interface tunnel.2 ip unnumbered interface ethernet0/9
    set interface tunnel.3 ip unnumbered interface ethernet0/0
    set interface tunnel.4 ip unnumbered interface ethernet0/0
    set interface ethernet0/2 gateway 2.2.2.2
    set interface ethernet0/0 proxy dns
    set interface ethernet0/9 proxy dns
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain ****
    set hostname Site_A
    set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
    set address "Trust" "Protected Network" 192.168.1.0 255.255.255.0 "Protected Network"
    set address "Untrust" "SITE_B" 192.168.10.0 255.255.255.0 "SITE_B"
    exit
    set ike gateway "Gateway for SITE_B" address 2.2.2.2 Main outgoing-interface "ethernet0/2" preshare "0loCw1AbNlvnEfs0JOC1n3GEu7naDi4Rfg==" sec-level standard
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "VPN for SITE_B" gateway "Gateway for SITE_B" replay tunnel idletime 0 sec-level standard
    set vpn "VPN for SITE_B" monitor
    set vpn "VPN for SITE_B" id 0x5 bind interface tunnel.1
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set policy id 12 from "Untrust" to "Trust"  "SITE_B" "Protected Network" "ANY" permit log count 
    set policy id 12
    exit
    set policy id 11 from "Trust" to "Untrust"  "Protected Network" "SITE_B" "ANY" permit log count 
    set policy id 11
    exit
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 192.168.30.0/24 interface tunnel.1
    set route 192.168.21.0/24 interface tunnel.1
    set route 192.168.10.0/24 interface tunnel.1
    set route 192.168.7.0/24 interface tunnel.1
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    

     

     

    Site B:

    unset key protection enable
    set clock ntp
    set clock timezone -5
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "DMZ-MAIL"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst 
    set zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "MGT" block 
    unset zone "V1-Trust" tcp-rst 
    unset zone "V1-Untrust" tcp-rst 
    set zone "DMZ" tcp-rst 
    unset zone "V1-DMZ" tcp-rst 
    unset zone "VLAN" tcp-rst 
    set zone "DMZ-MAIL" tcp-rst 
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Untrust"
    set interface "ethernet0/3" zone "DMZ-MAIL"
    set interface "ethernet0/4" zone "HA"
    set interface "ethernet0/9" zone "Trust"
    set interface "tunnel.1" zone "Untrust"
    set interface "tunnel.2" zone "Untrust"
    set interface "tunnel.3" zone "Untrust"
    set interface ethernet0/0 ip 192.168.15.1/24
    set interface ethernet0/0 nat
    unset interface vlan1 ip
    set interface ethernet0/1 ip 192.168.11.1/24
    set interface ethernet0/1 nat
    set interface ethernet0/2 ip "2.2.2.2"/27
    set interface ethernet0/2 route
    set interface ethernet0/3 ip 192.168.12.1/24
    set interface ethernet0/3 route
    set interface ethernet0/9 ip 192.168.10.1/24
    set interface ethernet0/9 nat
    set interface tunnel.1 ip unnumbered interface ethernet0/9
    set interface tunnel.2 ip unnumbered interface ethernet0/9
    set interface tunnel.3 ip unnumbered interface ethernet0/9
    set interface ethernet0/2 gateway 1.2.3.4
    set interface ethernet0/0 proxy dns
    set interface ethernet0/1 proxy dns
    set interface ethernet0/3 proxy dns
    set interface ethernet0/9 proxy dns
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain ecp.com
    set hostname SITE B
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 priority 50
    set nsrp vsd-group id 0 preempt
    set dns host dns3 0.0.0.0
    set dns proxy
    set dns proxy enable
    set address "Trust" "192.168.10.0/24" 192.168.10.0 255.255.255.0
    set address "Trust" "Protected_Network" 192.168.10.0 255.255.255.0
    set address "Untrust" "192.168.1.0/32" 192.168.1.0 255.255.255.255
    set address "Untrust" "192.168.30.0/24" 192.168.30.0 255.255.255.0
    set address "Untrust" "192.168.31.0/24" 192.168.31.0 255.255.255.0
    set crypto-policy
    exit
    set ike gateway "Gateway for 192.168.1.0/32" address 1.1.1.1 Main outgoing-interface "ethernet0/2" preshare "NO+mGkCdNpp6GRs2UpC5S/Gad8nNzu4fOw==" sec-level standard
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "VPN for 192.168.1.0/32" gateway "Gateway for 192.168.1.0/32" replay tunnel idletime 0 sec-level standard
    set vpn "VPN for 192.168.1.0/32" id 0x8 bind interface tunnel.1
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 56 from "Untrust" to "Trust"  "192.168.1.0/32" "Protected_Network" "ANY" permit log count 
    set policy id 56
    exit
    set policy id 55 from "Trust" to "Untrust"  "Protected_Network" "192.168.1.0/32" "ANY" permit log count 
    set policy id 55
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 192.168.20.0/24 interface tunnel.1
    set route 172.28.0.0/24 interface tunnel.2
    set route 192.168.30.0/24 interface tunnel.3
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    

     

    As it is, from Site A's protected network (192.168.1.0/24) I can access any server in Site B's protected network (192.168.10.0/24). I'm attempting to access servers in the (192.168.15.0/24) trusted zone from Site A.

    Thanks in advance.


  • 4.  RE: Access multiple zones over VPN
    Best Answer

    Posted 07-12-2013 02:39

    Hi,

    Looking at the config, for Site A:

    - Tunnel.1 is already in the Trust zone. e0/9 is in Trust as well. So, I don't think the policies that you have are being used.

    - With this configuration, it would suffice to add another route:

      set route 192.168.15.0/24 interface tunnel.1

    I have my doubts about the Site-B configuration:

    - There is no route for 192.168.1.0/24 pointing to tunnel.1 (set route 192.168.1.0/24 interface tunnel.1).

    - The address object --> set address "Untrust" "192.168.1.0/32" 192.168.1.0 255.255.255.255. This should ideally be 192.168.1.0 255.255.255.0.

    That said, for adding the 192.168.15.0/24 network to the VPN domain, you will just need 2 more policies at Site-B, similar to policies 55 and 56. Just replace the 192.168.10.0/24 subnet with the 192.168.15.0/24 subnet.
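    As an added example (my own code, not Gokul's, not part of this thread and not a Juniper tool), the following Python models the three things reply #2 and this answer hinge on for a route-based VPN: the route lookup that picks tunnel.1, the zone each interface belongs to, and the policy (or intrazone default) between the two zones. It parses a constructed subset of the Site A and Site B config lines posted above, then traces a flow from 192.168.1.50 to 192.168.15.10 and its return through both firewalls, before and after the changes suggested here. The address-object names SITE_A_LAN and New_Trust, policy ids 57 and 58 and the two host addresses are assumptions; proxy-IDs, NAT and the reverse-route options are deliberately left out of the model.

```python
"""Model of how a ScreenOS route-based VPN handles a flow: a longest-prefix
route lookup picks the egress interface, the ingress and egress interfaces'
zones give the zone pair, and a policy for that pair (or the intrazone
default) decides. Only the few 'set' commands the model needs are parsed;
every other line of a config dump is ignored. (Added example, not ScreenOS.)"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src_addr: str  # address-book object name in src_zone
    dst_addr: str  # address-book object name in dst_zone
    action: str


@dataclass
class Firewall:
    zones: dict = field(default_factory=dict)    # interface -> zone
    addrs: dict = field(default_factory=dict)    # (zone, object name) -> network
    routes: list = field(default_factory=list)   # (network, egress interface)
    policies: list = field(default_factory=list)
    blocked: set = field(default_factory=set)    # zones with intrazone blocking

    def parse(self, text):
        for line in (l.strip() for l in text.splitlines()):
            if m := re.match(r'set interface "?([\w./-]+)"? zone "([^"]+)"', line):
                self.zones[m[1]] = m[2]
            elif m := re.match(r'set interface ([\w./-]+) ip (\d+(?:\.\d+){3}/\d+)', line):
                # an interface address yields a connected route out of that interface
                self.routes.append((ipaddress.ip_network(m[2], strict=False), m[1]))
            elif m := re.match(r'set route (\S+) interface (\S+)', line):
                self.routes.append((ipaddress.ip_network(m[1]), m[2]))
            elif m := re.match(r'set address "([^"]+)" "([^"]+)" (\S+) (\S+)', line):
                self.addrs[(m[1], m[2])] = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            elif m := re.match(r'set policy id \d+ from "([^"]+)" to "([^"]+)"\s+'
                               r'"([^"]+)" "([^"]+)" "[^"]+" (permit|deny)', line):
                self.policies.append(Policy(*m.groups()))
            elif m := re.match(r'set zone "([^"]+)" block', line):
                self.blocked.add(m[1])
        return self

    def lookup(self, dst):
        """Longest-prefix match over static and connected routes."""
        ip = ipaddress.ip_address(dst)
        hits = [(n.prefixlen, i) for n, i in self.routes if ip in n]
        return max(hits)[1] if hits else None

    def matches(self, zone, name, ip):
        net = self.addrs.get((zone, name))
        return name == "Any" or (net is not None and ipaddress.ip_address(ip) in net)

    def check(self, in_iface, src, dst):
        """Return (egress interface, verdict) for a packet arriving on in_iface."""
        out = self.lookup(dst)
        if out is None:
            return None, "no-route"
        zin, zout = self.zones.get(in_iface), self.zones.get(out)
        if zin == zout:  # intrazone traffic passes unless the zone is set to block
            return out, "deny-intrazone-block" if zin in self.blocked else "permit-intrazone"
        for p in self.policies:  # first matching policy wins
            if (p.src_zone, p.dst_zone) == (zin, zout) and \
               self.matches(zin, p.src_addr, src) and self.matches(zout, p.dst_addr, dst):
                return out, p.action
        return out, "deny-no-policy"


# Constructed subsets of the Site A / Site B configs posted in this thread.
SITE_A = """
set zone "Untrust" block
set interface "ethernet0/9" zone "Trust"
set interface "tunnel.1" zone "Trust"
set interface ethernet0/9 ip 192.168.1.254/24
set route 192.168.10.0/24 interface tunnel.1
set route 192.168.21.0/24 interface tunnel.1
"""
SITE_A_FIX = 'set route 192.168.15.0/24 interface tunnel.1\n'  # the suggested Site A route

SITE_B = """
set zone "Untrust" block
set interface "ethernet0/0" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface ethernet0/0 ip 192.168.15.1/24
set address "Trust" "Protected_Network" 192.168.10.0 255.255.255.0
set address "Untrust" "192.168.1.0/32" 192.168.1.0 255.255.255.255
set policy id 56 from "Untrust" to "Trust"  "192.168.1.0/32" "Protected_Network" "ANY" permit log count
set policy id 55 from "Trust" to "Untrust"  "Protected_Network" "192.168.1.0/32" "ANY" permit log count
"""
# Return route, a /24 object for Site A and two policies for the new subnet
# (object names and policy ids are assumptions, not from the thread).
SITE_B_FIX = """
set route 192.168.1.0/24 interface tunnel.1
set address "Untrust" "SITE_A_LAN" 192.168.1.0 255.255.255.0
set address "Trust" "New_Trust" 192.168.15.0 255.255.255.0
set policy id 58 from "Untrust" to "Trust"  "SITE_A_LAN" "New_Trust" "ANY" permit log count
set policy id 57 from "Trust" to "Untrust"  "New_Trust" "SITE_A_LAN" "ANY" permit log count
"""


def end_to_end(site_a, site_b, src="192.168.1.50", dst="192.168.15.10"):
    """Trace the forward and return flows of one connection through both firewalls."""
    return {"A-forward": site_a.check("ethernet0/9", src, dst),
            "B-forward": site_b.check("tunnel.1", src, dst),
            "B-return": site_b.check("ethernet0/0", dst, src),
            "A-return": site_a.check("tunnel.1", dst, src)}


if __name__ == "__main__":
    before = end_to_end(Firewall().parse(SITE_A), Firewall().parse(SITE_B))
    after = end_to_end(Firewall().parse(SITE_A + SITE_A_FIX), Firewall().parse(SITE_B + SITE_B_FIX))
    for k in before:
        print(f"{k:10} before={before[k]}  after={after[k]}")
```

    Run as-is, the "before" trace shows why each of the three points above matters: Site A has no route for 192.168.15.0/24, Site B's Untrust-to-Trust policy does not match a host in 192.168.1.0/24 because the object is a /32, and Site B has no return route to 192.168.1.0/24. With the fixes applied the forward flow leaves Site A on tunnel.1 as intrazone Trust traffic (which is why the existing Site A policies never fire) and is permitted at Site B by the new policy pair.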



  • 5.  RE: Access multiple zones over VPN

    Posted 07-15-2013 00:44

    Thanks Gokul

    It worked.

    On a side note, is it possible with a policy-based VPN as well?

    Regards



  • 6.  RE: Access multiple zones over VPN

    Posted 07-15-2013 01:04

    You are welcome 🙂

    Yes, you can go for a policy-based VPN as well...

    Personally, I prefer route-based VPNs, so that traffic can be controlled via simple policies, while routing takes care of the tunneling...