07-15-2010 02:05 AM
I am new to this forum, so excuse me if I make some typing errors.
Before asking the question some information on what to achieve.
There are multiple locations, Location A and Location B. Also there are more than two locations.
Location A has an SSG 5
Location B has an SSG 140
The SSG 5 has three network connections
- Untrust (Public IP)
- Trust (Local network) (192.168.20.x)
- DMZ (Private network that connects all locations with each other)
The SSG 140 has four network connections
- Untrust (Public IP)
- Trust (Local network) (192.168.30.x)
- DMZ1 (Private network that connects all locations with each other)
- DMZ2 (Network with some servers)
All locations are in the 192.168.0.0/16 range.
So the situation works fine.
If a computer in location A with the SSG 5 wants to go to a computer in Location B, it goes out via the DMZ.
At location B the packets enter via DMZ1 and it all works perfectly.
Now the rather difficult part; it is a little bit hard to explain, but I'll try.
I need to make a VPN that does exactly the same as DMZ on SSG5 and DMZ1 on the SSG140.
Simply put, both connections (DMZ and the VPN via Untrust over the Internet) have to be active and traffic has to be separated. High priority traffic always has to go via the DMZ (like Citrix and DHCP); lower priority traffic must go via the newly created VPN.
It also has to failover if a connection fails.
- if the Internet fails, the VPN fails, so traffic always has to go via the DMZ from Location A to another.
The first configuration I tried was adding a numbered interface at both endpoints and creating the VPN; somehow, I am not exactly sure why, it didn't work out that way and all packets via the VPN over the Internet had an AGE OUT.
The VPN interfaces I created were all in the custom-created VPN zone.
Since it didn't work out, I tried another way.
I deleted the VPN zone and the interfaces. The next thing I did was bind the newly created VPN to the Untrust interface.
Without a tunnel interface, and bound to the Untrust interface, it began to work.
I created a bidirectional policy and added destination hosts that were not allowed to use that connection.
The destination routing says this:
192.168.0.0/16 prio 30 to DMZ
192.168.20.0/24 prio 20 to (GLOBAL IP SSG 140)
This works and both lines are active.
Since the tunnel is not over an interface but bound to the Untrust interface, the Juniper never knows when to deactivate the destination route to the (GLOBAL IP SSG 140).
If this were a tunnel.1, the routing table would look different and the SSG could deactivate that destination, because the routing table would look like this:
192.168.20.0/24 prio 20 to tunnel.1
Is there any way to separate traffic between the DMZ and a tunnel.1 interface and keep both interfaces active?
The routing never fails over the way I implemented this.
The routing destinations on the VPN over the Internet must be deactivated the moment the line goes down.
Thanks in advance!
07-15-2010 07:27 AM
You see AGE OUT messages because of asymmetric routing. The requests are coming from the tunnel but responses are sent through the DMZ. I would recommend configuring a route-based VPN with source NAT on both tunnel interfaces. If a packet is sent to the remote site through the VPN, it gets a new source IP and the response will be sent back through the VPN. If the VPN fails, the packet takes the "privileged way" through the DMZ and is not NATted. I am assuming that you have already found a method to distribute traffic between VPN and DMZ.
07-15-2010 08:04 AM
Thanks for the reply Edouard.
That calls for two other questions (at the end of this message).
"I'am assuming that you have already found a method to distribute traffic between VPN and DMZ."
Yes, but how I am doing it is (probably) not correct.
The route via the DMZ goes by 192.168.0.0/16 with priority 30; the VPN over the Internet has 192.168.20.0/24 with priority 20.
-The policy for accessing the DMZ has a permit ANY.
-The policy for accessing the VPN has a permit "Negate the following" with all high priority servers on the other location.
Everything is allowed via the VPN except the high priority destinations
All high priority servers are in the destination route table and always choose the DMZ.
Traffic with a high priority destination is not allowed via the VPN over internet.
1. Do the tunnel interfaces at both endpoints get an IP address?
2. Will both virtual tunnel interfaces have a policy with src NAT enabled?
07-16-2010 05:30 AM
That's fine! If you can correctly distribute traffic among the two communication ways, the only problem (hopefully) is the return way. If NAT is applied to the VPN traffic, the tunnel interface where NAT takes place must be addressed. Let's assume that the tunnel interface at the A-site has the IP 10.1.1.1/24. If it is not required to distinguish the separate hosts communicating through the VPN, all the connections can be source-NATted to 10.1.1.1 ("use interface" option in the access policy). Otherwise a DIP pool should be used in the policy (e.g. 10.1.1.2-10.1.1.254).
The FW on the B-site has to have a route through its tunnel interface for 10.1.1.0/24. The FW on the A-site routes the REAL B-addresses through its tunnel interface.
If the FW on the B-site also establishes connections through the VPN, its tunnel interface has to be addressed and src NAT should be applied in the policy. Additional routes are: on A-FW -> B-FW tunnel-interface network; on B-FW -> real IPs of the A-site.
If VPN fails, the tunnel interfaces go down and these routes become inactive. The FWs look for alternative routes and communicate through DMZs, without NAT.
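The design described in the answer above, written out as an annotated ScreenOS configuration fragment. This is an added example and not configuration posted by anyone in the thread; every interface name, zone name, IP address, route preference and pre-shared key placeholder is an assumption chosen to match the thread's description (Trust 192.168.20.0/24 at site A, 192.168.30.0/24 at site B, DMZ as the private inter-site link, high-priority hosts pinned to the DMZ with host routes as the original poster describes). ScreenOS has no comment syntax, so the lines starting with "#" are annotation only and must not be pasted into the CLI.

```screenos
# ===== Site A (SSG 5) =====
# Assumed: ethernet0/0 = Untrust (public), ethernet0/2 = zone DMZ (private inter-site link),
# DMZ next hop 172.16.0.254, site B public IP 203.0.113.2 (all addresses are assumptions)
set zone name "VPN"
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip 10.1.1.1/24
set ike gateway "gw-siteB" address 203.0.113.2 main outgoing-interface ethernet0/0 preshare "REPLACE-ME" sec-level standard
set vpn "vpn-siteB" gateway "gw-siteB" sec-level standard
set vpn "vpn-siteB" bind interface tunnel.1
set vpn "vpn-siteB" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"
# VPN monitoring is what makes failover work: when the peer stops answering,
# tunnel.1 is marked down and every route pointing at it becomes inactive.
set vpn "vpn-siteB" monitor optimized rekey

# Routing. Lower preference wins. Site B's LAN goes via the tunnel (pref 20),
# everything in the /16 falls back to the DMZ (pref 30).
set route 192.168.0.0/16 interface ethernet0/2 gateway 172.16.0.254 preference 30
set route 192.168.30.0/24 interface tunnel.1 preference 20
# High-priority servers (assumed Citrix 192.168.30.10, DHCP 192.168.30.11) are pinned
# to the DMZ with more specific host routes, so they never select the tunnel.
set route 192.168.30.10/32 interface ethernet0/2 gateway 172.16.0.254 preference 20
set route 192.168.30.11/32 interface ethernet0/2 gateway 172.16.0.254 preference 20
# The network of site B's tunnel interface, for traffic B source-NATs towards A.
set route 10.1.2.0/24 interface tunnel.1

# Policies. The DMZ path carries real addresses (no NAT). The VPN path source-NATs
# to tunnel.1's own IP ("nat src" without a DIP pool = use interface IP), so the
# reply from site B is addressed to 10.1.1.1 and must come back through the tunnel.
set address "VPN" "net-siteB" 192.168.30.0 255.255.255.0
set policy id 10 name "A-to-B-dmz" from "Trust" to "DMZ" "Any" "Any" "ANY" permit
set policy id 11 name "A-to-B-vpn" from "Trust" to "VPN" "Any" "net-siteB" "ANY" nat src permit
set policy id 12 name "B-to-A-vpn" from "VPN" to "Trust" "Any" "Any" "ANY" permit

# ===== Site B (SSG 140) =====
# Assumed: ethernet0/0 = Untrust (public), ethernet0/2 = zone DMZ1 (private inter-site link),
# DMZ1 next hop 172.16.1.254, site A public IP 198.51.100.2
set zone name "VPN"
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip 10.1.2.1/24
set ike gateway "gw-siteA" address 198.51.100.2 main outgoing-interface ethernet0/0 preshare "REPLACE-ME" sec-level standard
set vpn "vpn-siteA" gateway "gw-siteA" sec-level standard
set vpn "vpn-siteA" bind interface tunnel.1
set vpn "vpn-siteA" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"
set vpn "vpn-siteA" monitor optimized rekey

# Return route for A's NATted source addresses: this is the line that defeats the
# asymmetric routing (and the AGE OUT) because 10.1.1.0/24 only exists in the tunnel.
set route 10.1.1.0/24 interface tunnel.1
# B-originated traffic to A: real A addresses via tunnel, /16 fallback via DMZ1.
set route 192.168.0.0/16 interface ethernet0/2 gateway 172.16.1.254 preference 30
set route 192.168.20.0/24 interface tunnel.1 preference 20

set address "VPN" "net-siteA" 192.168.20.0 255.255.255.0
set policy id 10 name "B-to-A-dmz" from "Trust" to "DMZ1" "Any" "Any" "ANY" permit
set policy id 11 name "B-to-A-vpn" from "Trust" to "VPN" "Any" "net-siteA" "ANY" nat src permit
set policy id 12 name "A-to-B-vpn" from "VPN" to "Trust" "Any" "Any" "ANY" permit
```

To verify the failover rather than trust it: with the tunnel up, `get route` should list the tunnel.1 routes as active and `get session` should show sessions to site B with a translated source of 10.1.1.1 leaving via tunnel.1. Then break the Internet path (pull the Untrust cable or block IKE at the peer) and run `get route` again: the tunnel.1 entries should show as inactive and new sessions to 192.168.30.0/24 should appear on ethernet0/2 with their original source addresses, matched by the DMZ policy. If the tunnel.1 routes stay active after the outage, the VPN monitor is not configured or the peer is still answering the monitor probes.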
07-16-2010 05:57 AM
I am going to implement this in a few weeks. You made things really clear for me. Many thanks for all the effort.
I will give it a try getting it up and running.
The moment it works I'll let you know.
Again, many thanks for your helpful answer.