Screen OS

  • 1.  MIP VPN

    Posted 08-29-2016 06:53

     Hello all,

     

    Maybe it's too simple a question. I have to set up an SSG-5 with two VPN tunnels. I'm completely new to Juniper devices and only have an example config and the documentation.

     

    My question is: how do I set up MIP with the same IPs for the two tunnels? They are configured for redundancy and so I need to map the IPs on both. Or do I have to configure it in a completely different way?

     

    Kind regards,

    Funny



  • 2.  RE: MIP VPN

     
    Posted 08-29-2016 09:37

    Hello,

     

    You can make use of the below link:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB8157&actp=search

     

    Note: that link talks about accessing the same MIP from the Internet and a loopback. The same principle should apply for accessing a MIP from two different tunnels.

    Try to do something like this:

     

    Let us say ethernet1 terminates ISP1. It is the end point of one tunnel, with its tunnel interface tunnel.1.

    And ethernet2 terminates ISP2. It is the end point of another tunnel, with its tunnel interface tunnel.2.

    Configure MIP for loopback.1

     

    Now put eth1, eth2, tunnel.1, tunnel.2 & loopback.1 in the untrust zone.

    Put tunnel.1 and tunnel.2 in loopback-group loopback.1.

     

    Regards,

     

    Rushi

     



  • 3.  RE: MIP VPN

    Posted 02-23-2017 07:50

    Sorry, I don't get it to work.

     

    Please let me explain my situation:

     

    - SSG5 directly connected to the internet on ethernet0/0

    - Two VPN-Tunnels, one with 172.16.x.66/30, second with 172.16.x.70/30

    - ethernet0/2 connected to my DMZ with 10.x.x.165/28 (on bgroup0)

    - The internal server has IP 192.168.x.10/24

    - My partner company will connect to 172.16.x.74/29

     

    I've created a MIP for 172.16.x.74 to 192.168.x.10 on bgroup0 but that doesn't work. Your example with loopback.1 doesn't work either, but I think it's because I mis-explained my goal 🙂

     

    I don't understand the concept in that case...



  • 4.  RE: MIP VPN
    Best Answer

    Posted 02-23-2017 15:10

    I think I follow you now.  You need to put the MIP on the tunnel interface not the bgroup interface.



  • 5.  RE: MIP VPN

    Posted 02-23-2017 23:10

    Oh, that makes sense 🙂

     

    But both tunnels are terminating on the same site (one is primary, the other is fallback). I think I have to create some kind of grouping like in the example from rtilak and put the MIP on the group?

     

    Sorry for those annoying questions. But the partner company told us that this is one of the working devices for their tunnel config, but they don't give configuration support and I've never worked with Juniper devices before. So maybe there are more questions.



  • 6.  RE: MIP VPN

    Posted 02-24-2017 17:54

    Sorry, I missed the part where there were two VPN tunnel interfaces.

     

    Yes, you will create the loopback and put the MIP on the loopback.

     

    And add the tunnel interfaces to the loopback group.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB4189



  • 7.  RE: MIP VPN

    Posted 02-25-2017 03:04

    Yeah, I think I got it 🙂 I'll try on Monday!



  • 8.  RE: MIP VPN

    Posted 02-28-2017 11:45

    Nothing more to say than: it works 🙂

     

    Thanks a lot for all the help!



  • 9.  RE: MIP VPN

    Posted 03-06-2017 12:01

    One tiny additional question:

     

    tunnel.1, tunnel.2 and loopback.1 are in the DMZ zone

    bgroup0 is in the Trust zone

     

    Two policies allow traffic from Trust to DMZ and vice versa.

     

    I was able to ping from my site to the partner but not from them to me. After enabling debugging, I saw that the device searched for a rule to allow traffic from zone 3 (DMZ) to zone 10 (Global). After adding such a rule it worked.

     

    Why is that rule required?

     



  • 10.  RE: MIP VPN

    Posted 03-11-2017 06:40

    Rules are required for the direction in which the traffic flow is initiated, from ingress zone to egress zone.

     

    A packet arrives on an interface; the zone assigned to this interface becomes the ingress zone of the policy.

    A route lookup occurs for the destination address; the zone of the interface that routing sends the packet out of becomes the egress zone of the policy.

     

    So your policy needs to be set up between these two zones.  With a VPN, traffic from the local site to the remote site has an egress zone of the tunnel interface and an ingress zone of where the packet came into the firewall.

     

    Traffic from the remote side of the VPN has an ingress zone of the tunnel interface and an egress zone of where the traffic leaves the firewall.



  • 11.  RE: MIP VPN

    Posted 03-11-2017 13:52

    I think I have expressed myself wrong.

     

    The concept of zones and policies is clear. What I mean:

     

    If I send data from my site to the partner, it arrives on bgroup0 (zone Trust) and goes to the tunnel (zone DMZ). A policy allows that. That works.

     

    If the partner sends data, it arrives at the tunnel (zone DMZ) and goes to bgroup0 (zone Trust). A policy allows that, but it does not work! I had to create a rule to allow all traffic from DMZ to zone "Global".

     

    I don't understand, why that rule (DMZ -> Global) is required.



  • 12.  RE: MIP VPN

    Posted 03-12-2017 03:42

    Sorry, I had forgotten we were talking about a MIP here.  You are right this is confusing.

     

    MIPs are in the global zone for some reason.  Thus policies that use a MIP are written to the global zone.  When you create a MIP you will see that it becomes available in the web UI select list in all zones as a result.  And when you pick the MIP object, the policy is created in the global zone on that side.

     

    But in your case your MIP is an entire network and your policies are more specific, so you needed to create them manually this way.

     

    I have also noticed that this only seems to be enforced when the MIP is the source of traffic.  For some reason unknown to me the destination hit of the MIP object still seems to work with the policy written to the interface zones.

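Putting the recipe from replies 2, 6 and 12 into ScreenOS CLI form, as an added example that is not from the thread or from the Juniper KB articles it links: all addresses are constructed stand-ins (not the poster's real ones), zone and interface names follow the thread, the IKE gateway and VPN definitions bound to tunnel.1 and tunnel.2 are assumed to exist already and are omitted, and lines beginning with # are annotations rather than CLI.

```screenos
# Constructed example: a loopback carries the MIP, both VPN tunnel
# interfaces (primary and fallback) join its loopback group, and the
# MIP side of the inbound policy is written against the Global zone.

# Tunnel interfaces, one per VPN, in the DMZ zone as in the thread
set interface tunnel.1 zone dmz
set interface tunnel.2 zone dmz

# Loopback interface in the same zone; its address is a constructed
# stand-in inside the /29 the partner routes to
set interface loopback.1 zone dmz
set interface loopback.1 ip 172.16.0.73/29

# Both tunnels become members of the loopback group, so the MIP
# defined on loopback.1 is reachable over whichever tunnel is up
set interface tunnel.1 loopback-group loopback.1
set interface tunnel.2 loopback-group loopback.1

# 1:1 MIP: the partner-facing address maps to the internal server
set interface loopback.1 mip 172.16.0.74 host 192.168.0.10 netmask 255.255.255.255 vr trust-vr

# Address-book entry so the outbound rule is limited to the one server
set address trust "mip-server" 192.168.0.10 255.255.255.255

# Outbound (local server to partner) matched the ordinary
# Trust -> DMZ policy in the thread
set policy from trust to dmz "mip-server" any any permit

# Inbound (partner to MIP): the policy must be written to the Global
# zone because the MIP object lives there; this is the rule that was
# missing when only DMZ -> Trust existed
set policy from dmz to global any mip(172.16.0.74) any permit
```

`get mip` and `get interface loopback.1` show the mapping and the group membership, and `get policy` lists the global-zone rule so you can confirm it is the one the debug trace was looking for.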


  • 13.  RE: MIP VPN

    Posted 03-12-2017 03:47

    OK, I understood.

     

    I am very grateful to you for your patience with me 🙂



  • 14.  RE: MIP VPN

    Posted 08-31-2016 03:28

    This tech note shows how to create a VPN between sites with overlapping subnets using the MIP on the tunnel interfaces.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB5346