Screen OS

  • 1.  Creating two route based tunnel between the same sites

    Posted 03-10-2013 18:12

    Hello All,

    I have a question on two VPN tunnels between the same sites.

    There is an existing tunnel between the sites and it is working fine.

    Peer 1
    ======
    tunnel.4 (VPN1 Zone)
    Outgoing interface - ethernet1/1 (Trust Zone)
    Source subnets to be encrypted - 172.16.100.0 and 172.16.101.0
    Destination subnets for this VPN - 172.16.95.0 and 172.16.93.0
    Route to peer VPN subnets - tunnel.4

    Peer 2
    ======
    tunnel.1 (Trust Zone)
    Outgoing interface - ethernet0/0 (Untrust Zone)
    Source subnets to be encrypted - 172.16.95.0 and 172.16.93.
    Destination subnets for this VPN - 172.16.100.0 and 172.16.101.0
    Default route - tunnel.1

    Now I have to create a new tunnel between the same sites for DR purposes. My question here is whether the NetScreen SSG will allow me to create a new tunnel between the same sites when the source subnets are identical to those of the existing VPN tunnel. Peer 2 already has a default route pointing to tunnel.1 (which includes the destination subnets for the new tunnel), so how can I create a route for the new tunnel? Both these tunnels will be sending traffic

    Peer 1
    ======
    Create a new tunnel interface - tunnel.5 (unnumbered interface)
    Outgoing interface - ethernet1/1
    Source subnets to be encrypted - 172.16.100.0 and 172.16.101.0 (same source subnets as existing tunnel)
    Destination subnets for this VPN - 172.16.99.0
    Route to peer VPN subnets - tunnel.5

    Peer 2
    ======
    tunnel.2 (Trust Zone)
    Outgoing interface - ethernet0/0 (Untrust Zone)
    Source subnets to be encrypted - 172.16.99.0
    Destination subnets for this VPN - 172.16.100.0 and 172.16.101.0 (same destination subnets as existing tunnel)
    Route to destination VPN subnets - tunnel.5 (but the default route is already pointing to tunnel.1 for the existing tunnel)

    Your help will be greatly appreciated.

    Thanks

    Sidhanth

     



  • 2.  RE: Creating two route based tunnel between the same sites

    Posted 03-10-2013 20:21

    Hi Sidhanth,

    I am not sure if this can be done, because the proxy IDs will clash.

    Thanks.
    Hardeep



  • 3.  RE: Creating two route based tunnel between the same sites

    Posted 03-10-2013 20:51

    Hello Sahota,

    Thanks for the response. Will the proxy IDs clash if the below is configured? A proxy ID requires that the source, destination and service be exactly the same on both firewalls. Here they are different. Please advise. Can you also let me know about the routing on peer 2? I already have a default route on peer 2 pointing to tunnel.1; now how can I route 172.16.100.0 and 172.16.101.0 out of tunnel.5?

    Peer 1

    Source                          Destination                     Service   Action
    172.16.100.0 and 172.16.101.0   172.16.95.0 and 172.16.93.0     ANY       Tunnel
    172.16.100.0 and 172.16.101.0   172.16.99.0                     ANY       Tunnel

    Peer 2

    Source                          Destination                     Service   Action
    172.16.95.0 and 172.16.93.0     172.16.100.0 and 172.16.101.0   ANY       Tunnel
    172.16.95.0 and 172.16.93.0     172.16.99.0                     ANY       Tunnel



  • 4.  RE: Creating two route based tunnel between the same sites

    Posted 03-10-2013 22:16

    Hi Sidhanth,

    The proxy IDs can be configured manually, and this will be helpful.
    However, please note that in the example mentioned the proxy IDs seem to mismatch.

    The routing will depend on whether you want both VPNs active at the same time.
    If yes, then you can create 2 default routes and enable ICMP.

    Else you can create another route with a lower metric.

    Thanks.
    Hardeep
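    As an added example (not code from this thread), the two checks posts 3 and 4 argue about, run over the proxy-IDs listed there: whether each VPN's proxy-IDs mirror the far end's, and whether two VPNs on the same gateway pair carry identical proxy-IDs. The /24 masks and the one-subnet-per-proxy-ID modelling are assumptions; the thread gives only network addresses.

```python
"""Proxy-ID mirror and clash checks for two route-based VPNs between
one pair of ScreenOS peers. Subnets from posts 1 and 3; /24 masks assumed."""
from ipaddress import ip_network

# A proxy-ID is one (local, remote, service) triple per Phase 2 SA, so
# "172.16.100.0 and 172.16.101.0" is modelled as two separate proxy-IDs.
def proxy_ids(locals_, remotes, service="ANY"):
    return {(ip_network(l), ip_network(r), service)
            for l in locals_ for r in remotes}

def mirror(pid):
    """What the far end must carry for this proxy-ID to negotiate."""
    local, remote, service = pid
    return (remote, local, service)

def mismatches(near, far):
    """Proxy-IDs on `near` whose mirror image is absent on `far`."""
    return sorted(pid for pid in near if mirror(pid) not in far)

def clashes(vpn_a, vpn_b):
    """Identical proxy-IDs in two VPNs on the same gateway pair: the peer
    cannot tell which Phase 2 SA a given selector belongs to."""
    return sorted(vpn_a & vpn_b)

PEER1_VPN1 = proxy_ids(["172.16.100.0/24", "172.16.101.0/24"],
                       ["172.16.95.0/24", "172.16.93.0/24"])
PEER1_VPN2 = proxy_ids(["172.16.100.0/24", "172.16.101.0/24"],
                       ["172.16.99.0/24"])
PEER2_VPN1 = proxy_ids(["172.16.95.0/24", "172.16.93.0/24"],
                       ["172.16.100.0/24", "172.16.101.0/24"])
# Peer 2's second VPN as tabulated in post 3 (source 95/93 -> 99) ...
PEER2_VPN2_POST3 = proxy_ids(["172.16.95.0/24", "172.16.93.0/24"],
                             ["172.16.99.0/24"])
# ... and as described in post 1 (source 99 -> 100/101), which mirrors Peer 1.
PEER2_VPN2_POST1 = proxy_ids(["172.16.99.0/24"],
                             ["172.16.100.0/24", "172.16.101.0/24"])

def report():
    return {
        "vpn1_mismatch": mismatches(PEER1_VPN1, PEER2_VPN1),
        "vpn2_mismatch_post3": mismatches(PEER1_VPN2, PEER2_VPN2_POST3),
        "vpn2_mismatch_post1": mismatches(PEER1_VPN2, PEER2_VPN2_POST1),
        "peer1_clash": clashes(PEER1_VPN1, PEER1_VPN2),
    }

if __name__ == "__main__":
    for name, items in report().items():
        print(name, [(str(l), str(r), s) for l, r, s in items] or "none")
```

    The post 3 table gives two mismatched proxy-IDs for the second VPN, while the post 1 description gives none; the two Peer 1 VPNs do not clash because their remote selectors differ.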



  • 5.  RE: Creating two route based tunnel between the same sites

    Posted 03-11-2013 05:37

    I believe the bigger limitation to consider is that the firewall can bind only one tunnel interface per gateway IP pair; the firewall does not support multiple Phase 1s between the same public IP addresses. In this case, between Peer1's eth1/1 and Peer2's eth0/0.

    Do you have another public IP address available for either Peer1 or Peer2?

     



  • 6.  RE: Creating two route based tunnel between the same sites

    Posted 03-11-2013 15:28

    Hello Sam,

    We don't have another public IP. We have to use the existing public IP addresses.

    Thanks

    Sidhanth



  • 7.  RE: Creating two route based tunnel between the same sites

    Posted 03-11-2013 20:35

    Hello,

    Is it possible to configure another public IP address on the outside interface and assign that as the gateway IP address? I read somewhere that you need to be able to configure all the addresses while setting up the outside interface.

    Appreciate the responses again.

    Thanks

    Sidhanth



  • 8.  RE: Creating two route based tunnel between the same sites

    Posted 03-12-2013 21:16

    Hi,

    If you mean adding a secondary IP address, then it is possible on interfaces in the trust zone.
    However, I am not sure if this can be used for the second VPN gateway, because when doing the IKE configuration you can only set the source interface, not the source IP.

    Thanks.
    Hardeep



  • 9.  RE: Creating two route based tunnel between the same sites

    Posted 03-13-2013 05:13

    What may also be a possibility is to create a loopback interface with a public IP. This can be a /32 address, and it's possible to select a loopback interface as an outgoing interface within the IKE config.

    For example, if

    peer1 has 2 IP addresses, 1.1.1.1 and 1.1.1.2:
       eth0/0, zone untrust, 1.1.1.1/24
       loopback.1, zone untrust, 1.1.1.2/24

    peer2 has IP 5.5.5.5/24:
       eth0/0, zone untrust, 5.5.5.5/24

    There will be 2 Phase 1 IKE configs:
      a) 1.1.1.1 Peer1's eth0/0 <--> 5.5.5.5 Peer2
      b) 1.1.1.2 Peer1's loopback <--> 5.5.5.5 Peer2

    This should work.

    Regards,
    Sam



  • 10.  RE: Creating two route based tunnel between the same sites
    Best Answer

    Posted 03-15-2013 08:54

    Hi Sam,

    I use the same solution.

    But there are three details that should be taken into account additionally. This is an example:

    set vrouter trust-vr
    set ignore-subnet-conflict
    exit
    (ignore-subnet-conflict allows address overlapping)

    set interface loopback.1 zone "Untrust"
    set interface loopback.1 ip 1.1.1.2/32
    set interface ethernet0/0 proxy-arp-entry 1.1.1.2 1.1.1.2
    (the proxy-arp entry makes the loopback interface ARP-responsive)

    set interface tunnel.2 zone "Untrust"
    set interface tunnel.2 ip unnumbered interface loopback.1
    set policy from "Untrust" to "Untrust" "5.5.5.5" "Loopback.1-192.168.1.2" "IKE" permit
    (this rule is required because Loopback.1-192.168.1.2 is an Untrust object)

    I have assumed that block intrazone traffic is on in the Untrust zone, which is the default option for this zone and a recommended one for other zones.

    Now you have an alternative VPN termination point.