Screen OS

Hi,

My job is to build  IPsec VPN tunnel between R1 and R3.

The tricky here is : The customer  does not want to accept a lot of networks. He only accept network from 172.16.4.0/24

So the solution here is : My boss wants me to NAT 172.16.2.0/24 and 172.16.3.0/24 to 172.16.4.0/24

I lab up in Cisco IOS and it work fine. I lab up in Juniper screen OS trying to use DIP, but i can not make it work.

Please help

Note:

R1 and R3 are : Juniper SSG5

Can not summary  172.16.2.0/24 and 172.16.3.0/24 to  172.16.2.0/23 because in real life LAN 2 is : 10.0.0.0/24 and LAN3 is 192.168.10.0/24. We have to use NAT.

This case is very urgent to me so i appriciate any ideas.

Loc

You need to configure this as a route based VPN and put the DIP on the tunnel interface.  You would then need to specify src nat in the policy.

Great!,

Thank you rseibert!

Loc N

Hi,

I agree with you that route based VPN will work. 

But i am trying to understand why policy based VPN does not work. Could you help to explain?

Thank you

Loc N 

In order to use a DIP these are associated with the egress interface of the traffic you are manipulating.  with a Policy based VPN there is no virtual interface to put the DIP onto.  Only the route based VPN have the tunnel interface that can have the DIP and therefore the associated NAT rules.

Thank you Spuluka,

Your explaination is great! it cleared my confustion.

Loc