Screen OS

  • 1.  Route based VPN

    Posted 12-30-2009 01:34

    Hello,

    I created a route-based VPN between an SSG-5 and a MikroTik RouterBoard 443.
    The VPN comes up, but I cannot access any IP on the other side.

    My internal IP range is 172.x.x.x/24, but I NAT it to 10.210.0.0/24.

    My config is:

    device->
    set interface "tunnel.1" zone "VPN"
    set ike gateway "vpn-gw" address 85.254.216.240 Main outgoing-interface "ethernet0/0" preshare "xxx" proposal "pre-g2-3des-sha"
    set vpn "vpn" gateway "vpn-gw" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
    set vpn "vpn" monitor
    set vpn "vpn" id 0x2 bind interface tunnel.1
    set vpn "vpn" proxy-id local-ip 10.210.0.0/24 remote-ip 10.0.0.0/8 "ANY"
    set policy id 15 from "Trust" to "VPN"  "172.0.0.0/24" "10.0.0.0/8" "ANY" permit log
    set policy id 16 from "VPN" to "Trust"  "10.0.0.0/8" "MIP(10.210.0.0/24)" "ANY" permit log
    set policy id 18 from "Trust" to "VPN"  "MIP(10.210.0.0/24)" "10.0.0.0/8" "ANY" permit log

    device-> get route | i tun
    12      10.210.0.0/24    tun.1 0.0.0.0   C    0      0     Root
    13      10.210.0.1/32    tun.1 0.0.0.0   H    0      0     Root
    8       10.0.0.0/8       tun.1 0.0.0.0   S    10     1     Root

    device-> get sa
    total configured sa: 2
    HEX ID     Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
    00000002<  85.254.216.240  500 esp:3des/sha1 d2b30d65  2326 unlim A/D    -1 0
    00000002>  85.254.216.240  500 esp:3des/sha1 080cfaf6  2326 unlim A/D    -1 0

    When I try to traceroute any IP I get:

    C:\>tracert 10.8.8.3

    Tracing route to 10.8.8.3 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  172.23.113.1
      2    25 ms    40 ms    12 ms  80.x.x.1 - my default gw
      3  80.x.x.1  reports: Destination net unreachable.

    Trace complete.

    From the other side:

    traceroute to 10.210.0.101 (10.210.0.101), 30 hops max, 40 byte packets
     1  10.8.8.1  0.108 ms  0.107 ms  0.121 ms - mikrotik
     2  10.210.0.1  26.475 ms  28.009 ms  19.922 ms - ssg-5
     3  * * *

    I changed the preference for the route, but it did not help.

    What is wrong with this configuration?



  • 2.  RE: Route based VPN

    Posted 12-30-2009 21:07

    Does tunnel.1 have an IP, or is it unnumbered?  I normally use unnumbered and put the tunnel interfaces in the UNTRUST zone.  Policies are created from TRUST/DMZ/etc. -> UNTRUST for the VPN connection.



  • 3.  RE: Route based VPN

    Posted 12-31-2009 00:33

    Hi,

    The tunnel interface has an IP:

    device-> get interface | i tun
    tun.1          10.210.0.1/24 VPN N/A   -   D   -

    Somehow traffic to 10.0.0.0/8 does not take the static routes into account.




  • 4.  RE: Route based VPN
    Best Answer

    Posted 01-01-2010 10:24

    Hi,

    First remove the command "set vpn "vpn" monitor", as this is Juniper proprietary. A non-Juniper firewall would not understand it, and that might be the reason the tunnel and VPN are Active DOWN.

    After that, try to send some ping traffic over the VPN; traceroute is not a good test over a VPN.

    If it still does not work, paste the following data:

    1) get route ip <destination IP address>

    2) set ff src-ip <destination IP address>

    3) set ff dst-ip <destination IP address>

    4) debug flow basic

    5) clear db

    Run the ping test

    6) Press "ESC" to turn off the debug

    7) get db s

    8) get event

    Thanks

    Atif



  • 5.  RE: Route based VPN

    Posted 01-01-2010 22:53

    Hello,

    After I removed the command set vpn "vpn" monitor, I can ping any address.

    Thanks.