Screen OS

  • 1.  Primary & Backup VPN via the same tunnel interface?

    Posted 11-20-2013 06:49

    Hi Guys,

     

    Is it possible to have 2 separate VPN tunnels (route based VPN) bound to the same tunnel interface?

     

    The reason I'm asking is that I had one VPN tunnel up and running and tried to create a new VPN tunnel (different peer IP), but when I bind it to the same tunnel interface (even if the second tunnel is not live yet) I'm losing the connection.

     

    I can probably get this working via a separate tunnel interface but was wondering if I can use one tunnel interface instead.

     

    Any ideas?

     

    Regards,

    Dom



  • 2.  RE: Primary & Backup VPN via the same tunnel interface?

    Posted 11-21-2013 00:36

    Hi,

     

    I would request you to please refer to this KB and see if you can figure out what's going wrong.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB7253&actp=search&viewlocale=en_US

     

    BR,

    Swati



  • 3.  RE: Primary & Backup VPN via the same tunnel interface?
    Best Answer

    Posted 11-21-2013 01:29

    Thanks a lot Swatik

     

    Will test today.

     

    Regards,

    Dom



  • 4.  RE: Primary & Backup VPN via the same tunnel interface?

    Posted 11-22-2013 03:39

    Swatik,

     

    I have edited the static routes in my routing table but that didn't work for some reason, so I had to create a separate tunnel interface and that worked without any issues.

     

    Will try to play with this again when I have some more time.

     

    Thanks for your help



  • 5.  RE: Primary & Backup VPN via the same tunnel interface?

    Posted 11-22-2013 04:08

    Hi,

     

    The solution says:

     

    "The route would need to look like the following:

    set route 10.1.1.0/24 interface tunnel.3 gateway 172.16.10.1

    where 172.16.10.1 is the IP address of interface where the tunnel is terminated on the peer"

     

    Is the 172.16.10.1 IP the external interface address on the other end?

     

    The same as VPNs -> AutoKey Advanced -> Gateway -> Remote Gateway -> Static IP Address?



  • 6.  RE: Primary & Backup VPN via the same tunnel interface?

    Posted 11-22-2013 04:27

    Hi Dom,

     

    Yes, you are right.

     

    The firewall uses the IP address of the remote peer’s tunnel interface as the gateway in the route and also as the next-hop IP address in the next-hop tunnel binding (NHTB) table, which is set by the command "set interface tunnel.x nhtb peer’s_tunnel_interface_addr vpn vpn_name"

     

    As mentioned in KB, you can also refer to the 'Multiple Tunnels Per Tunnel Interface' section in the C&E VPN volume for your ScreenOS version. ScreenOS Software Documentation. 

     

    BR,

    Swati

     



  • 7.  RE: Primary & Backup VPN via the same tunnel interface?

    Posted 11-22-2013 04:35

    Hi Swatik,

     

    Thanks for your reply.

     

    Is there a possibility to set next-hop IP address in next-hop tunnel binding (NHTB) via web interface?

     

    This is what I was probably missing.

     

     

    Regards,

    Dom

     

     



  • 8.  RE: Primary & Backup VPN via the same tunnel interface?

    Posted 11-22-2013 04:42

    Hi Dom,

     

    You can do it using the path below:

     

    Network > Interfaces > Edit (for tunnel.x) > NHTB

     

    BR,

    Swati



  • 9.  RE: Primary & Backup VPN via the same tunnel interface?

    Posted 11-22-2013 04:43

    Found it.

     

     

    Network -> Interface -> tunnel.X -> Edit -> NHTB

     

     

    One more time, thanks a lot.



  • 10.  RE: Primary & Backup VPN via the same tunnel interface?

    Posted 11-25-2013 02:34

    Guys,

     

    Just to let you know it all works fine now via one tunnel.X interface.

     

    Thanks a lot.

    Dom
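
An added example, not part of the thread or of Juniper's documentation: a small Python check for the condition the thread converges on, that every VPN sharing a tunnel interface has an NHTB entry and every route through that interface names a gateway present in the NHTB table. The sample config, the VPN names and the extra prefixes are constructed, and the optional `id` field in the bind line is an assumption about how saved configs look.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): two VPNs share tunnel.3, but only
# vpn-primary has an NHTB entry and a gateway-qualified route.
SAMPLE = '''
set vpn "vpn-primary" bind interface tunnel.3
set vpn "vpn-backup" id 0x2 bind interface tunnel.3
set vpn "vpn-branch" bind interface tunnel.4
set interface tunnel.3 nhtb 172.16.10.1 vpn "vpn-primary"
set route 10.1.1.0/24 interface tunnel.3 gateway 172.16.10.1
set route 10.2.2.0/24 interface tunnel.3
set route 10.3.3.0/24 interface tunnel.4
'''

# The optional "id <n>" before "bind" is an assumption about saved-config form.
BIND = re.compile(r'^set vpn "?([^"]+?)"?(?: id \S+)? bind interface (tunnel\.\d+)')
NHTB = re.compile(r'^set interface (tunnel\.\d+) nhtb (\S+) vpn "?([^"]+?)"?\s*$')
ROUTE = re.compile(r'^set route (\S+) interface (tunnel\.\d+)(?: gateway (\S+))?')

def audit(config):
    """Return findings for tunnel interfaces shared by more than one VPN."""
    bound = defaultdict(list)    # tunnel interface -> VPN names bound to it
    nhtb = defaultdict(dict)     # tunnel interface -> {VPN name: next-hop IP}
    routes = defaultdict(list)   # tunnel interface -> [(prefix, gateway or None)]
    for line in map(str.strip, config.splitlines()):
        if m := BIND.match(line):
            bound[m[2]].append(m[1])
        elif m := NHTB.match(line):
            nhtb[m[1]][m[3]] = m[2]
        elif m := ROUTE.match(line):
            routes[m[2]].append((m[1], m[3]))
    findings = []
    for ifc, vpns in sorted(bound.items()):
        if len(vpns) < 2:
            continue  # only the shared-interface case from the thread is checked
        for vpn in vpns:
            if vpn not in nhtb[ifc]:
                findings.append(f"{ifc}: vpn {vpn} has no NHTB entry")
        hops = set(nhtb[ifc].values())
        for prefix, gw in routes[ifc]:
            if gw is None:
                findings.append(f"{ifc}: route {prefix} has no gateway")
            elif gw not in hops:
                findings.append(f"{ifc}: route {prefix} gateway {gw} not in NHTB table")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```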