ScreenOS Firewalls (NOT SRX)
Bilal.Nawaz

Route Based VPN IPSEC Split tunneling + Routing - Confused now!

Hi All,

I'm fairly new to Juniper; having been studying Cisco for quite a while, I thought it was time for a change. I actually find Juniper more interesting somewhat and much easier to configure. Anyway, things cut short - I'm setting up a VPN between Site A and Site B. IPSEC is configured between Site A and B. I can see the VPN as "up" on both ends and I have added some routes in to allow LAN-to-LAN connectivity. However! All seems good, only until I try to configure my next challenge. What I want to achieve is split-tunneling in a sense, but only with the traffic of one host being on the VPN tunnel; all other hosts will go to the split - direct to the internet. So if you look at the attached drawing I'm aiming to go from Site B host 192.168.1.10 (follow the green arrow) through the untrust interface into the VPN tunnel to Site A. I think I've managed to get that far because when I follow up a trace-route from the 192.168.1.10 host I see the untrust interface of Site A (82.5.5.3) as the last destination I get to. As you can probably see there is a host on Site A (10.0.0.10) that goes to our service on the internet (100.50.25.1) (green and yellow route). Should all make sense if you follow the arrows.

So I've done quite a bit but can't get my head round the last bit; perhaps I need that little help in understanding what's to configure next. Just in summary, I want to go the green arrow starting from 192.168.1.10 to 100.50.25.1 and route back to 192.168.1.10 through the same way it came.

If someone can explain if I need to do policy-based VPN or if I can stick to route-based VPN (which I'm quietly confident I will be able to). I've put a static route in on Site B for 192.168.1.10 traffic to go to the Site A GW. But at this point I can't think around it.

So, I hope I've explained and laid out everything easily so someone can help me out.

Please remember I'm a beginner :-)

TIA

CCNA, CCNP, CCIE RS Written, JNCIA-FWV

Tica

Re: Route Based VPN IPSEC Split tunneling + Routing - Confused now!

Hi Bilal.Nawaz,

If I am understanding you correctly, you want to start from your host in Site B and go over Site A to reach 100.50.25.1.

If so, you just need to add a route for 100.50.25.1 in Site B to go over the VPN, and then allow in Site A traffic from Site B towards the server on the internet.

Kind regards

Tim

Bilal.Nawaz

Re: Route Based VPN IPSEC Split tunneling + Routing - Confused now!

Hi Tim,

Thanks for your reply. I had already put a route for the 100.50.25.1 server on Site B to go via the tunnel. Everything else I want to go out to the internet (red arrow). Anyway, I was playing around with this yesterday and thought "how's the NAT happening?".

Policy on Site A which says from trust to untrust --> NAT it. So I am able to gain connectivity from the 192.168.1.10 host to the 100.50.25.1 host via the tunnel.1 interface. However, Site B will also need to do NAT too, right? If hosts are to go out to the internet they need to be NAT'ed. This comes to a point when I configure that also, I don't get LAN-to-LAN connectivity either. How can I reach this goal of having a split tunnel - having only one host from Site B going through the VPN tunnel? Not sure if I've explained it well enough - so let me know.

Appreciate your help.

Bilal

CCNA, CCNP, CCIE RS Written, JNCIA-FWV
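
As an added example, not taken from the thread, a ScreenOS route-based configuration for both sites that does what Tim describes and keeps the NAT question Bilal raises under control: the tunnel interface sits in its own zone, so Site B's source NAT applies only to Trust-to-Untrust (internet) traffic and never to tunnel traffic, while Site A source-NATs the host's traffic toward 100.50.25.1 to 82.5.5.3 so the reply comes back to Site A and is routed down the tunnel. Interface names, the zone name VPN, gateway/VPN/address-book names and the <...> placeholders are assumptions; the IP addresses are the ones from the thread.

```screenos
## ---- Site B (LAN 192.168.1.0/24 on ethernet0/0, untrust ethernet0/2) ----
## Custom zone for the tunnel: traffic to this zone is never hit by the
## Trust-to-Untrust NAT policy below (assumed zone/interface names)
set zone name VPN
set interface tunnel.1 zone VPN
set interface tunnel.1 ip unnumbered interface ethernet0/2
set ike gateway gw-siteA address 82.5.5.3 main outgoing-interface ethernet0/2 preshare "<PSK>" sec-level standard
set vpn vpn-siteA gateway gw-siteA sec-level standard
set vpn vpn-siteA bind interface tunnel.1
## Only the service host and the Site A LAN enter the tunnel; everything
## else follows the default route straight to the internet (red arrow)
set route 100.50.25.1/32 interface tunnel.1
set route 10.0.0.0/24 interface tunnel.1
set route 0.0.0.0/0 interface ethernet0/2 gateway <SITE-B-ISP-GW>
set address Trust host-10 192.168.1.10/32
set address VPN svc-server 100.50.25.1/32
set address VPN siteA-lan 10.0.0.0/24
## Internet-bound traffic is translated to the egress interface address;
## tunnel-bound traffic matches the VPN-zone policies and keeps its source IP
set policy from Trust to Untrust any any any nat src permit
set policy from Trust to VPN host-10 svc-server any permit
set policy from Trust to VPN any siteA-lan any permit
set policy from VPN to Trust siteA-lan any any permit

## ---- Site A (LAN 10.0.0.0/24, untrust ethernet0/2 = 82.5.5.3) ----
set zone name VPN
set interface tunnel.1 zone VPN
set interface tunnel.1 ip unnumbered interface ethernet0/2
set ike gateway gw-siteB address <SITE-B-UNTRUST-IP> main outgoing-interface ethernet0/2 preshare "<PSK>" sec-level standard
set vpn vpn-siteB gateway gw-siteB sec-level standard
set vpn vpn-siteB bind interface tunnel.1
set route 192.168.1.0/24 interface tunnel.1
set address VPN host-10 192.168.1.10/32
set address Untrust svc-server 100.50.25.1/32
## Only 192.168.1.10 may transit from the tunnel to the internet, and it is
## source-NATed to 82.5.5.3 so the return traffic lands here and is routed
## back through tunnel.1 by the 192.168.1.0/24 route above
set policy from VPN to Untrust host-10 svc-server any nat src permit
set policy from Trust to Untrust any any any nat src permit
set policy from VPN to Trust any any any permit
set policy from Trust to VPN any any any permit
```

After applying it, `get session` on each box shows whether the 192.168.1.10 -> 100.50.25.1 session is translated only at Site A, and `get route ip 100.50.25.1` at Site B confirms the tunnel.1 next hop.
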
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.