ScreenOS Firewalls (NOT SRX)
Contributor
klwong
Posts: 23
Registered: ‎11-11-2009

Policy-based VPN tunnel usage

When creating a policy-based VPN, I understand we need to create a tunnel interface for routing purposes.

 

Can we use the same tunnel for different site-to-site VPNs, or must I have one tunnel per site-to-site VPN under policy-based VPN?

 

The reason for asking is that the SSG5 device only supports 10 tunnels, so if I need one tunnel per site-to-site VPN, I am restricted to a maximum of 10 site-to-site VPNs as well.

 

Any comments ?

Distinguished Expert
firewall72
Posts: 825
Registered: ‎05-04-2008

Re: Policy-based VPN tunnel usage

Hi,

 

Actually, you have it backwards.  Policy-based VPNs don't leverage tunnel interfaces; route-based tunnels do.  However, you can use NHTB (Next Hop Tunnel Binding) when configuring multiple route-based VPNs per tunnel interface.  The older approach is to use one tunnel interface per VPN, but as you mentioned this has limitations based on the model.

 

One scenario I come across a lot is people configuring policy-based VPNs because they want to control traffic using policy.  You can do the same with route-based VPNs; you just need to make sure the tunnel interface is bound to a zone other than "trust".  I like to create a custom "vpn" zone and bind all my tunnel interfaces to it.  That way, when I create policy, I use trust to vpn and vpn to trust.  I hope this helps.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Contributor
klwong
Posts: 23
Registered: ‎11-11-2009

Re: Policy-based VPN tunnel usage

So for a route-based VPN, say:

 

VPN 1 from local 192.x.x.x to remote 172.17.x.x via Gateway 1

VPN 2 from local 192.x.x.x to remote 172.17.y.y via Gateway 2

 

Even though the above VPNs have different remote gateways, under 'Routing', 'Destination', can I have the same tunnel interface for both 172.17.x.x and 172.17.y.y, because the tunnel is bound to the same local interface?

 
Distinguished Expert
firewall72
Posts: 825
Registered: ‎05-04-2008

Re: Policy-based VPN tunnel usage

Hi,

 

I would recommend reviewing the documentation for route-based VPNs.  I include the ScreenOS 6.1 link below, since this is a popular flavor of ScreenOS these days.  For this to work, you can bind the VPNs to the same tunnel interface, but you will need to create NHTB entries along with the proper routes.  I hope this helps.

 

ScreenOS 6.1 VPN Chapter

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
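The following is an added example, not configuration posted by either participant, showing the setup John describes across his two replies: two route-based VPNs to two remote gateways bound to a single tunnel interface with NHTB entries and routes, and the tunnel interface placed in a custom "vpn" zone so traffic is controlled with trust-to-vpn and vpn-to-trust policies. All addresses, interface names, VPN/gateway names and pre-shared keys are placeholders chosen for illustration (the original only gives 192.x.x.x and 172.17.x.x / 172.17.y.y); the lines beginning with # are annotations, not ScreenOS commands, and must be dropped before pasting. Check each command against the ScreenOS 6.1 VPN chapter for your release, since CLI syntax varies slightly between versions.

```screenos
# 1. Custom zone and ONE numbered tunnel interface bound to it
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip 10.10.10.1/24

# 2. One IKE gateway per remote site (assumed public peer addresses)
set ike gateway gw-site1 address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "CHANGE_ME_1" sec-level standard
set ike gateway gw-site2 address 198.51.100.20 main outgoing-interface ethernet0/0 preshare "CHANGE_ME_2" sec-level standard

# 3. Two AutoKey IKE VPNs, both bound to the same tunnel interface
set vpn vpn-site1 gateway gw-site1 sec-level standard
set vpn vpn-site1 bind interface tunnel.1
set vpn vpn-site1 proxy-id local-ip 192.168.1.0/24 remote-ip 172.17.1.0/24 any

set vpn vpn-site2 gateway gw-site2 sec-level standard
set vpn vpn-site2 bind interface tunnel.1
set vpn vpn-site2 proxy-id local-ip 192.168.1.0/24 remote-ip 172.17.2.0/24 any

# 4. NHTB: map each peer's tunnel-interface address (assumed 10.10.10.2 and
#    10.10.10.3) to its VPN, so the firewall picks the right SA per next hop
set interface tunnel.1 nhtb 10.10.10.2 vpn vpn-site1
set interface tunnel.1 nhtb 10.10.10.3 vpn vpn-site2

# 5. Routes to each remote LAN through tunnel.1; the gateway is the NHTB
#    address of the matching peer, which is what selects the VPN
set route 172.17.1.0/24 interface tunnel.1 gateway 10.10.10.2
set route 172.17.2.0/24 interface tunnel.1 gateway 10.10.10.3

# 6. Address-book entries and explicit trust <-> vpn policies; nothing crosses
#    the tunnel unless a policy permits it, which is the control the
#    policy-based approach was being used for
set address trust "lan-192.168.1.0" 192.168.1.0/24
set address vpn "site1-172.17.1.0" 172.17.1.0/24
set address vpn "site2-172.17.2.0" 172.17.2.0/24
set policy from trust to vpn "lan-192.168.1.0" "site1-172.17.1.0" any permit
set policy from vpn to trust "site1-172.17.1.0" "lan-192.168.1.0" any permit
set policy from trust to vpn "lan-192.168.1.0" "site2-172.17.2.0" any permit
set policy from vpn to trust "site2-172.17.2.0" "lan-192.168.1.0" any permit
save

# Verification
get interface tunnel.1
get route
get sa
```

Each remote peer needs the mirror image: its own tunnel interface numbered 10.10.10.2 (or .3) on the same subnet, its VPN bound to that interface, and a route to 192.168.1.0/24 via 10.10.10.1. Adding a third or fourth site repeats steps 2 through 6 with a new gateway, VPN, NHTB entry and route, and still consumes only tunnel.1, which is the point of NHTB when the platform limits the number of tunnel interfaces. If a peer is configured policy-based rather than route-based, its policy must match the proxy-id set here or Phase 2 will fail.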
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.