ScreenOS Firewalls (NOT SRX)
Arzo

Policy Based VPN

Dear All,
I have been configuring policy-based VPNs for a long time without any problems. I'm confused that these days it's not working unless I enable RIP on the trust interface, which I remember (or maybe I'm wrong) that I don't need to enable. Can anyone help me, please? Should the policy-based VPN work without enabling RIP on the trust zone?
Tariq Morad
rkim

Re: Policy Based VPN

RIP is most definitely NOT required for policy-based VPNs. What error are you seeing in the event log? Can you post the relevant configs? In particular, the IKE, VPN and tunnel policy configs.
chintang

Re: Policy Based VPN

For your Trust and Untrust interfaces, are you using NAT or ROUTE?
Arzo

Re: Policy Based VPN

Thank you rkim and chintang for taking care of this issue. Well, here is the configuration for the hub and spoke1. Spoke2 is the same as spoke1, so I didn't send it.

The VPN is active and up on the hub when I'm using RIP without enabling it on the trust interfaces, but it's active and down on both spokes.

I used static routes and it worked fine, but I need to use RIP. The configuration is with static; if you want me to configure it as RIP and send it, I will. Thanks a lot.
Tariq Morad
rkim

Re: Policy Based VPN

VPN shows active/down because VPN monitor is failing unless a route exists for the hub network. Out of curiosity, why are you using policy-based VPN for this? When using a dynamic routing protocol across VPNs, a route-based VPN is recommended. From the looks of your configs, I see no reason why you cannot use route-based. Due to the nature of RIP broadcasts or RIP/OSPF multicast, I don't recall either of these protocols working properly across policy-based VPNs.

My recommendation is to change this to a route-based VPN and apply RIP on the tunnel interfaces.
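
A sketch of the spoke side of the route-based setup recommended above, as an added example that is not part of rkim's post or of the configs attached to the thread. The interface names, addresses, object names and the key placeholder are all assumptions; lines starting with `#` are annotations for the reader, not ScreenOS commands, and should be left out when entering the configuration.

```screenos
# --- Assumed values (not from the thread) ---
#   ethernet0/0        : spoke's Untrust-side interface
#   203.0.113.1        : hub's public address (documentation range)
#   10.255.0.2/30      : spoke end of a numbered tunnel link
#   "to-hub", "hub-vpn": object names chosen for this example
#   <preshared-key>    : placeholder, supply your own

# 1. Create a numbered tunnel interface. RIP will run on this
#    interface instead of relying on a tunnel policy.
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip 10.255.0.2/30

# 2. IKE gateway toward the hub.
set ike gateway "to-hub" address 203.0.113.1 main outgoing-interface ethernet0/0 preshare "<preshared-key>" sec-level standard

# 3. Bind the VPN to the tunnel interface. This is what makes it
#    route-based: traffic is selected by the route table, not by a
#    "tunnel" action in a policy.
set vpn "hub-vpn" gateway "to-hub" sec-level standard
set vpn "hub-vpn" bind interface tunnel.1

# 4. Enable RIP in the virtual router, then on the tunnel interface.
set vrouter trust-vr protocol rip
set vrouter trust-vr protocol rip enable
set interface tunnel.1 protocol rip
set interface tunnel.1 protocol rip enable

# 5. Checks once the hub side is configured the same way:
#    the SA should be active, and the hub networks should appear
#    as RIP-learned routes via tunnel.1. With that route present,
#    VPN monitor has a path to the hub network.
get sa active
get vrouter trust-vr protocol rip
get route
```

Ordinary permit policies between the Trust zone and the zone holding tunnel.1 still decide what traffic is allowed; they replace the tunnel policies used in the policy-based configuration.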
Arzo

Re: Policy Based VPN

Thank you so much for the great info, your efforts are appreciated.
Tariq Morad