ScreenOS Firewalls (NOT SRX)
Visitor
kfarooq
Posts: 2
Registered: 05-26-2011

Route based VPN with Natting

Dear All,

I am trying to create a VPN with one of our vendors. My details are as follows:


My side:  172.16.59.10  ->  NATted IP: 202.16.77.4
Vendor:   Public IP     ->  10.1.1.10/32, 10.2.2.10/32, 10.3.3.10/32


Here is my sample config:


set interface "tunnel.6" zone "Untrust"
set interface tunnel.6 ip unnumbered interface untrust
set interface tunnel.6 dip 7 202.16.77.4 202.16.77.4
set address "Untrust" "10.1.1.10/32" 10.1.1.10 255.255.255.255
set address "Untrust" "10.2.2.10/32" 10.2.2.10 255.255.255.255
set ike p1-proposal "M_K_Ph1" preshare group2 esp 3des md5 second 86400
set ike p2-proposal "M_K_Ph2" no-pfs esp 3des md5 second 28800
set ike gateway "M_K_Ph1" address 8.3.9.6 Main outgoing-interface "untrust" preshare "********************" proposal "M_K_Ph1"
set ike gateway "M_K_Ph1" cert peer-ca all
set vpn "M_K_Ph2" gateway "M_K_Ph1" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"  "nopfs-esp-3des-sha"
set vpn "M_K_Ph2" monitor optimized rekey
set vpn "M_K_Ph2" id 122 bind interface tunnel.6
set vpn "M_K_SMS1_10" gateway "M_K_Ph1" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"  "nopfs-esp-3des-sha"
set vpn "M_K_SMS1_10" monitor optimized rekey
set vpn "M_K_SMS1_10" id 124 bind interface tunnel.6 
set policy id 33 from "Trust" to "Untrust"  "Trust_LAN" "10.2.2.10/32" "ANY" nat src dip-id 7 permit log
set policy id 32 from "Trust" to "Untrust"  "Trust_LAN" "10.1.1.10/32" "ANY" nat src dip-id 7 permit log
set vpn "M_K_Ph2" proxy-id local-ip 202.16.77.4/32 remote-ip 10.1.1.10/32 "ANY"
set vpn "M_K_SMS1_19" proxy-id local-ip 202.16.77.4/32 remote-ip 10.2.2.10/32 "ANY"
set route  10.1.1.10/30 interface tunnel.6
set route  10.3.3.10/32 interface tunnel.6
set route  10.2.2.10/32 interface tunnel.6



If I remove this line

set vpn "M_K_Ph2" id 122 bind interface tunnel.6

the VPN starts working with the first IP, 10.1.1.10/32. On the other hand, if I add this line the VPN doesn't work.

Please help, this is urgent.


Regards

Muhammad Kamran Farooq

Super Contributor
srigelsford
Posts: 203
Registered: 04-14-2008

Re: Route based VPN with Natting

Hi,

The event log should give you some indication; however, I would add a proxy-ID on phase 2 as a first step.

VPNs generally work if all settings on both sides match, so work with the remote side to see why their firewall is rejecting the VPN.


(Also notice that one of your routes is /30 rather than the /32 you give in your explanation.)


Regards,

Sam.

Visitor
kfarooq
Posts: 2
Registered: 05-26-2011

Re: Route based VPN with Natting

Dear all,

I corrected the routing issue. Also, there is no problem reported in the event log. Can anyone tell me whether I can use one tunnel interface in multiple phase 2s of a VPN?


Regards,

Super Contributor
srigelsford
Posts: 203
Registered: 04-14-2008

Re: Route based VPN with Natting

Rather than using multiple phase 2s, just use a proxy-ID big enough to encapsulate all of them.

Proxy-IDs aren't routes and don't affect anything; they just have to match on both sides. Some vendors use them as routes, though, so go with something like:

202.16.77.4/32 <-> 10.0.0.0/22


Sam.
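As an added example (not code from this thread or from Juniper), the Python below takes the three vendor hosts and the NATted local address from the original post and checks a candidate remote proxy-ID against them: which hosts fall outside it, what the tightest single prefix covering all of them is, and whether a pair of phase 2 proxy-IDs are mirror images of each other as both peers must see them. The function names and the candidate prefixes are my own; the addresses are the ones posted above.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Addresses taken from the original post; nothing here is probed on the network.
VENDOR_HOSTS = ["10.1.1.10", "10.2.2.10", "10.3.3.10"]
LOCAL_NAT_IP = "202.16.77.4/32"


def smallest_covering_prefix(hosts: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single IPv4 prefix containing every host, i.e. the tightest
    remote proxy-ID that still covers all of them with one phase 2."""
    ints = sorted(int(ipaddress.IPv4Address(h)) for h in hosts)
    lo, hi = ints[0], ints[-1]
    prefix = 32
    # Shorten the prefix until the lowest and highest host share the same network bits.
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network(f"{ipaddress.IPv4Address(base)}/{prefix}")


def uncovered_hosts(proxy_remote: str, hosts: Iterable[str]) -> List[str]:
    """Hosts that fall outside the remote half of a proposed proxy-ID.
    Traffic to these would never be selected into the SA."""
    net = ipaddress.IPv4Network(proxy_remote, strict=False)
    return [h for h in hosts if ipaddress.IPv4Address(h) not in net]


def proxy_ids_match(ours: Tuple[str, str], theirs: Tuple[str, str]) -> bool:
    """Phase 2 proxy-IDs must be mirror images:
    our (local, remote) has to equal the peer's (remote, local)."""
    our_local, our_remote = (ipaddress.IPv4Network(x, strict=False) for x in ours)
    their_local, their_remote = (ipaddress.IPv4Network(x, strict=False) for x in theirs)
    return our_local == their_remote and our_remote == their_local


def check_proposal(proxy_remote: str, hosts: Iterable[str] = VENDOR_HOSTS) -> Tuple[bool, List[str], str]:
    """(covers_all, missing_hosts, tightest_single_prefix) for a candidate remote proxy-ID."""
    hosts = list(hosts)
    missing = uncovered_hosts(proxy_remote, hosts)
    return (not missing, missing, str(smallest_covering_prefix(hosts)))


if __name__ == "__main__":
    for candidate in ("10.0.0.0/22", "10.0.0.0/14"):
        ok, missing, tightest = check_proposal(candidate)
        verdict = "covers all vendor hosts" if ok else f"misses {missing}"
        print(f"{candidate}: {verdict}; tightest single prefix: {tightest}")
    print("mirror check:", proxy_ids_match((LOCAL_NAT_IP, "10.0.0.0/14"), ("10.0.0.0/14", LOCAL_NAT_IP)))
```

Run against the addresses in this thread, the check reports that 10.0.0.0/22 (10.0.0.0 to 10.0.3.255) contains none of the three vendor hosts, while 10.0.0.0/14 is the tightest single prefix that contains all of them. Whatever prefix is agreed, the ScreenOS side is then a single proxy-ID in the same form the original post already uses (set vpn ... proxy-id local-ip 202.16.77.4/32 remote-ip <prefix> "ANY"), and the vendor must configure the same pair the other way round, including the service, or phase 2 will still be rejected.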

Contributor
khurram.khalid
Posts: 17
Registered: 05-25-2011

Re: Route based VPN with Natting

This is an important question, whether we can attach multiple phase 2s to a single tunnel, because it is giving me an error when I do the same in testing:


Can not create SA for VPN test

Can't clone a sa for vpn test

failed to create clone sa -1 (tunnel id d)

modify VPN binding failed.VPN: can't be modified


Anyone who can give comments on it, please.


Regards,

Khurram

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.