ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
Arzo
Contributor
Arzo
Posts: 160
Registered: ‎11-12-2007
0
Accepted Solution

Policy Based VPN

Options

‎12-05-2007 03:37 AM

Dear All,
i used to configure policy based vpn from long time ago without any problems, i'm confused here that these days its not working unless i enable RIP on the trust interface !! which i do remember (or maybe i'm wrong)that i dont need to enable it !! anyone can help me please.. should the policy based VPN work without enabling RIP on the trust zone.. !!!
Tariq Morad
Message 1 of 6 (18,728 Views)
 
Reply
Distinguished Expert Distinguished Expert
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007
0

Re: Policy Based VPN

Options

‎12-05-2007 02:38 PM

RIP is most definitely NOT required for policy-based VPNs. What error are you seeing in event log? Can you post relevant configs? In particular, IKE, VPN and tunnel policy configs.
Message 2 of 6 (18,717 Views)
 
Reply
chintang
Visitor
chintang
Posts: 8
Registered: ‎12-05-2007
0

Re: Policy Based VPN

Options

‎12-05-2007 11:37 PM

for your Trust and Untrust interfaces, you are using NAT or ROUTE?
Message 3 of 6 (18,705 Views)
 
Reply
Arzo
Contributor
Arzo
Posts: 160
Registered: ‎11-12-2007
0

Re: Policy Based VPN

Options

‎12-06-2007 02:23 AM

thank you rkim and chintag for taking care of this issue, well.. here is the configuration for the hub and spoke1.. spoke2 is the same is spoke1 so i didnt send it.

the VPN is Active and UP on hun when i'm using RIP without enabling it on the trust interfaces, but its active and down on both spokes.

i used static routes and worked fine, but i need to use RIP. the configuration is with static, if you want me to configure it as RIP and send it i will. thanks a lot.
Tariq Morad
Attachment Desktop.zip ‏3 KB
Message 4 of 6 (18,698 Views)
 
Reply
Distinguished Expert Distinguished Expert
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: Policy Based VPN

Options

‎12-06-2007 10:43 AM

VPN shows active/down because VPN monitor is failing unless a route exists for the hub network. Out of curiosity, why are you using policy-based VPN for this? When using a dynamic routing protocol across VPNs, a route-based VPN is recommended. From the looks of your configs, I see no reason why you cannot use route-based. Due to the nature of RIP broadcasts or RIP/OSPF multicast, I don't recall either of these protocols work properly across policy-based VPNs.
 
My recommendation is change this to a route-based VPN and apply RIP on the tunnel interfaces.
Message 5 of 6 (18,683 Views)
 
Reply
Arzo
Contributor
Arzo
Posts: 160
Registered: ‎11-12-2007
0

Re: Policy Based VPN

Options

‎12-08-2007 11:05 PM

thank you so much for the great info, your efforts are appreciated.
Tariq Morad
Message 6 of 6 (18,642 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.