Screen OS


Create Site to site VPN with Netscreen Firewall

  • 1.  Create Site to site VPN with Netscreen Firewall

    Posted 11-07-2011 03:06

    Hi Support,

     

    I want to create a site-to-site VPN with a Netscreen firewall.

    My issue is that the remote site doesn't send me a network, but only the 2 IPs of their servers.

    How can I use the 2 IPs of their servers on my Netscreen on the Proxy ID tab?

     

    Your help will be appreciated.



  • 2.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 11-07-2011 03:56

    Multiple proxy IDs require that you have ScreenOS 6.3 on the device.  Otherwise, the previous versions only support a single proxy ID pair.



  • 3.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 11-07-2011 09:20
    Hi Spuluka, my ScreenOS is Software Version 5.4.0r15.0. I need to upgrade my ScreenOS to version 6. With version 6, can I put the two IP addresses of my peer servers? Regards


  • 4.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 11-07-2011 14:28

    You would need to upgrade all the way to ScreenOS version 6.3.  This is the first version to allow multiple proxy IDs.  The earlier versions 6.0, 6.1 & 6.2 do not have the feature.



  • 5.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 11-08-2011 01:38
    Thanks Spuluka


  • 6.  RE: Create Site to site VPN with Netscreen Firewall
    Best Answer

    Posted 11-08-2011 04:23

    As an alternative, you can configure a phase 2 for each of the two servers over the same phase 1. You won't need 6.3 for this.



  • 7.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 04-11-2012 07:22

    Hi All,

     

    How can I create a VPN with multiple proxy IDs?

     

    My ScreenOS is version 6.2.

     

    Regards



  • 8.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 04-11-2012 09:13

    If you stick with ScreenOS 6.2, you'll have to either create a separate VPN definition for each proxy-ID pair as Screenie says above, or you could use policy-based tunneling to do effectively the same thing.

     

    For example, if you have the network 192.168.1.0/24 on your side, and the hosts 10.0.1.1 and 10.0.2.2 on the remote side, you would either create two VPN definitions (one between 192.168.1.0/24 and 10.0.1.1/32, another between 192.168.1.0/24 and 10.0.2.2/32), or you could create one VPN definition (with no proxy-IDs) and use VPN policies to generate the proxy-IDs (one policy to 10.0.1.1, another to 10.0.2.2, both using the same VPN definition in the 'tunnel' section).

     

    Upgrading to ScreenOS 6.3 makes it easier to use route-based tunneling with multiple proxy-IDs as you can just add multiple proxy-ID pairs to the one VPN definition.
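    The two route-based variants described above, written out as ScreenOS CLI as an added example (not configuration from the original thread or from Juniper). Addresses are constructed: local LAN 192.168.1.0/24 in zone Trust, WAN interface ethernet0/0 in zone Untrust, peer gateway 203.0.113.1, remote servers 10.0.1.1 and 10.0.2.2; gateway/VPN names, the pre-shared key, and the choice of one tunnel interface per VPN are assumptions. The command syntax is from memory of the 5.4/6.x CLI and should be checked against `set vpn ?` on the device; lines starting with `##` are reader notes, not commands.

```screenos
## Assumed addressing (constructed for this example):
##   local LAN       192.168.1.0/24, zone Trust
##   WAN interface   ethernet0/0, zone Untrust
##   peer gateway    203.0.113.1
##   remote servers  10.0.1.1 and 10.0.2.2

## --- Phase 1: one IKE gateway shared by every phase 2 below ---
set ike gateway SITE-VPN address 203.0.113.1 Main outgoing-interface ethernet0/0 preshare "ReplaceWithLongRandomPSK" sec-level standard

## --- Address objects: individual hosts, not a group ---
set address Trust LAN1 192.168.1.0 255.255.255.0
set address Untrust SRV1 10.0.1.1 255.255.255.255
set address Untrust SRV2 10.0.2.2 255.255.255.255

## --- Option A (ScreenOS 6.2 or earlier): one VPN definition per proxy-ID pair ---
## Each VPN is bound to its own unnumbered tunnel interface so that a /32 route
## selects the matching SA without needing next-hop tunnel binding.
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 zone Untrust
set interface tunnel.2 ip unnumbered interface ethernet0/0

set vpn TO-REMOTE-SRV1 gateway SITE-VPN sec-level standard
set vpn TO-REMOTE-SRV1 bind interface tunnel.1
set vpn TO-REMOTE-SRV1 proxy-id 192.168.1.0/24 10.0.1.1/32 any

set vpn TO-REMOTE-SRV2 gateway SITE-VPN sec-level standard
set vpn TO-REMOTE-SRV2 bind interface tunnel.2
set vpn TO-REMOTE-SRV2 proxy-id 192.168.1.0/24 10.0.2.2/32 any

set route 10.0.1.1/32 interface tunnel.1
set route 10.0.2.2/32 interface tunnel.2

## Route-based tunnels still need ordinary permit policies (no "tunnel" keyword):
set policy from Trust to Untrust LAN1 SRV1 any permit
set policy from Trust to Untrust LAN1 SRV2 any permit

## --- Option B (ScreenOS 6.3): one VPN definition carrying both proxy-ID pairs ---
## Shown for comparison; use either A or B, not both, for the same peer.
## set vpn TO-REMOTE gateway SITE-VPN sec-level standard
## set vpn TO-REMOTE bind interface tunnel.1
## set vpn TO-REMOTE proxy-id local-ip 192.168.1.0/24 remote-ip 10.0.1.1/32 any
## set vpn TO-REMOTE proxy-id local-ip 192.168.1.0/24 remote-ip 10.0.2.2/32 any
## set route 10.0.1.1/32 interface tunnel.1
## set route 10.0.2.2/32 interface tunnel.2

## --- Verification: one phase 1 cookie, and one phase 2 SA pair per proxy-ID ---
get ike cookie
get sa active
get vpn
```

    After sending traffic from the LAN to each server, `get sa active` should list two phase 2 SA pairs whose proxy-IDs are 192.168.1.0/24 to a /32, and `get ike cookie` a single phase 1 entry for 203.0.113.1. If the peer rejects the negotiation, compare the proxy-ID on each side first: the remote end must present exactly the mirror image (10.0.1.1/32 to 192.168.1.0/24) or phase 2 fails with a proxy-ID mismatch.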



  • 9.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 04-12-2012 00:29

    Thanks a lot Spud,

    Regarding your example, can I use a policy-based VPN?

     

    On my side: 192.168.1.0/24 and 192.168.2.0/24 (I have two networks)

     

    Remote site: 10.0.1.1 and 10.0.2.2

     

    Can I create a group in the Trust zone and put 192.168.1.0/24 and 192.168.2.0/24 in that group,

    create another group in the Untrust zone and put 10.0.1.1 and 10.0.2.2 in that group too,

     

    and then create a policy-based VPN using both groups created above?

     

    Thanks in advance



  • 10.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 04-12-2012 09:08

    Nope, don't use groups - when you put a group into a VPN policy on a ScreenOS device, it can cause it to try to use 0.0.0.0/0 as the proxy-ID for the group. Unless the other end is also a ScreenOS device, this probably won't work.

     

    Unfortunately, to get the correct proxy-ID pairs, you'll probably need to create 4 separate policies:

    192.168.1.0/24 to 10.0.1.1

    192.168.1.0/24 to 10.0.2.2

    192.168.2.0/24 to 10.0.1.1

    192.168.2.0/24 to 10.0.2.2

    (Tick the 'modify matching bidirectional VPN policy' box if you need access in the opposite direction too)



  • 11.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 04-13-2012 00:24

    Thanks, I tried to use a group in a tunnel policy, and it refused (gave an error message).

     

    To create 4 separate policies, do I first need to create another phase 2 and use the same phase 1 gateway?

     

    Phase 1 : SITE-VPN

     

    Phase 2 (first) TO-REMOTE (using phase 1 SITE-VPN)

     

    Phase 2 (second) TO-REMOTE2 (using phase 1 SITE-VPN)

     

    Is this right?




  • 12.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 04-13-2012 00:30

    Thanks

     

    That means I will create a separate phase 2 for the same phase 1?

     

    Phase 1: SITE-VPN

     

    phase 2 (first): TO-REMOTE (using phase 1 SITE-VPN)

     

    Phase 2 (second) TO-REMOTE (using phase 1 SITE-VPN)

     

    Is this right?



  • 13.  RE: Create Site to site VPN with Netscreen Firewall

    Posted 04-13-2012 09:35

    No, if you're using VPN policies, you can just use the same VPN (phase 2) for each policy. The firewall will then automatically create a new phase 2 SA pair for each policy based on the address objects used.

     

    You only need separate phase 2 definitions if you want to use route-based tunneling instead. In your case (two networks inside, two hosts outside) you would actually need FOUR separate phase 2 configs, so in this case it's actually neater to use policy-based tunneling (or upgrade to ScreenOS 6.3).
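    The policy-based layout recommended in the last two answers (one phase 1, one phase 2 with no proxy-ID, four tunnel policies, no address groups) as an added ScreenOS CLI example; it is not configuration from the thread or from Juniper. Addressing is constructed: 192.168.1.0/24 and 192.168.2.0/24 in zone Trust, WAN interface ethernet0/0, peer gateway 203.0.113.1, remote hosts 10.0.1.1 and 10.0.2.2; object names, policy IDs and the pre-shared key are assumptions. Syntax is from memory of the 6.x CLI and should be checked with `set policy ?`; lines starting with `##` are reader notes, not commands.

```screenos
## Assumed addressing (constructed for this example):
##   local LANs      192.168.1.0/24 and 192.168.2.0/24, zone Trust
##   WAN interface   ethernet0/0, zone Untrust
##   peer gateway    203.0.113.1
##   remote hosts    10.0.1.1 and 10.0.2.2

## --- Phase 1 ---
set ike gateway SITE-VPN address 203.0.113.1 Main outgoing-interface ethernet0/0 preshare "ReplaceWithLongRandomPSK" sec-level standard

## --- Phase 2: ONE definition, no proxy-id, no tunnel interface binding ---
## Each tunnel policy below derives its own proxy-ID from its address objects,
## so the firewall negotiates a separate phase 2 SA pair per policy.
set vpn TO-REMOTE gateway SITE-VPN sec-level standard

## --- Individual address objects (a group here can collapse the proxy-ID to 0.0.0.0/0) ---
set address Trust LAN1 192.168.1.0 255.255.255.0
set address Trust LAN2 192.168.2.0 255.255.255.0
set address Untrust SRV1 10.0.1.1 255.255.255.255
set address Untrust SRV2 10.0.2.2 255.255.255.255

## --- Four outbound tunnel policies, one per proxy-ID pair ---
## Explicit ids keep the pair-policy references below unambiguous.
set policy id 11 from Trust to Untrust LAN1 SRV1 any tunnel vpn TO-REMOTE
set policy id 12 from Trust to Untrust LAN1 SRV2 any tunnel vpn TO-REMOTE
set policy id 13 from Trust to Untrust LAN2 SRV1 any tunnel vpn TO-REMOTE
set policy id 14 from Trust to Untrust LAN2 SRV2 any tunnel vpn TO-REMOTE

## --- Inbound pair policies (the WebUI "modify matching bidirectional VPN policy" box) ---
## Add these only if the remote servers must open connections toward your networks;
## leaving them out means the tunnel carries only sessions your side initiates.
set policy id 21 from Untrust to Trust SRV1 LAN1 any tunnel vpn TO-REMOTE pair-policy 11
set policy id 22 from Untrust to Trust SRV2 LAN1 any tunnel vpn TO-REMOTE pair-policy 12
set policy id 23 from Untrust to Trust SRV1 LAN2 any tunnel vpn TO-REMOTE pair-policy 13
set policy id 24 from Untrust to Trust SRV2 LAN2 any tunnel vpn TO-REMOTE pair-policy 14

## Policies are evaluated top-down: keep the tunnel policies above any broad
## Trust-to-Untrust permit that would otherwise match the same traffic, e.g.
##   set policy move 11 before <id-of-broad-permit>

## --- Verification: expect four phase 2 SA pairs, each /24 <-> /32, never 0.0.0.0/0 ---
get sa active
get ike cookie
get policy id 11
```

    Policy-based tunnels still rely on the routing table to reach 10.0.1.1 and 10.0.2.2, so a route toward the Untrust interface (normally the default route) must exist even though no tunnel interface is configured. When a phase 2 fails to come up, compare the proxy-ID shown by `get sa active` with the remote side's selector for that policy; each of the four pairs must be mirrored exactly on the peer.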