Screen OS

  • 1.  Route-based dial up VPN into site-to-site VPN

    Posted 01-30-2012 07:19

    Hi there,

    I have a site-to-site route-based VPN between my SSG 320 and the client firewall and this is working fine.

    We now have a requirement to be able to get into the client subnet by using my SSG 320 as gateway.

    To that end I have set up a route-based dial-up VPN but I am unable to ping/RDP into the client's subnet.

    Network diagram:

    NSR 10.1.1.1/24 <-> 172.16.10.0/24 SSG 320 10.232.226.40/29 <-> 10.175.0.0/24 Client Firewall.

    I am using 2 interface tunnels (unnumbered). I am using XAuth, so I have added the new IP pool (10.1.1.0/24) to policy and tunnel. I created an untr-2-untr policy (between IP pool and customer private subnet), enabling source NAT.

    I have added a ff to the firewall between 10.1.1.1 (IP pool) and 10.175.0.0 (client subnet) but when I ping after successfully connecting the debug stays empty.

    My question is what routing/policy am I missing? Does the client firewall need a route back to the IP pool 10.1.1.1? I was kind of hoping that when going through the SSG 320 the packet's IP would change.

    Is there any guide to set this up? I have looked everywhere on KB and forums for the last couple of weeks, but apart from the advice to use route-based VPNs instead of policy-based I cannot see much else.

    1. Route-based dial-up VPN set up identical to http://kb.juniper.net/InfoCenter/index?page=content&id=KB15272

    2. Route-based LAN-to-LAN VPN set up like http://kb.juniper.net/InfoCenter/index?page=content&id=KB14330

    What I want to do is called a back-to-back VPN I believe.

    Please see cropped config.



  • 2.  RE: Route-based dial up VPN into site-to-site VPN

    Posted 02-09-2012 03:48

    Here's your problem:

    set vpn "Dial Up xxx VPN" proxy-id local-ip 172.16.10.0/24 remote-ip 255.255.255.255/32 "ANY"

    You only have your site's IP subnet (172.16.10.0/24) defined in the dial-up VPN proxy-id settings, so the client isn't even going to try to send packets to 10.175.0.0/24 down the tunnel. For this to work, you'll need to add a second proxy-id pair to your dial-up VPN definition.

    If you're running ScreenOS 6.2 or lower, you'll need to either define a second dial-up VPN with 10.175.0.0/24 as the local proxy-id setting, or change to a policy-based VPN. If you're running ScreenOS 6.3, you can just add a second proxy-id pair to the existing VPN.



  • 3.  RE: Route-based dial up VPN into site-to-site VPN

    Posted 02-10-2012 11:42

    Hi Spud,

    Thank you for looking at my issue.

    Yes, you are correct, the proxy-id was incorrect; I had already changed it to 10.0.0.0 since everything in my network is in the 10.0.0.0/8 subnet.

    Packets still get dropped, however, when reaching the client firewall, and a DIP did not seem to work. I am working with JTAC on the issue...



  • 4.  RE: Route-based dial up VPN into site-to-site VPN
    Best Answer

    Posted 02-13-2012 01:47

    Hi, FYI I got this issue fixed with the excellent help of JTAC. Three issues:

    1. Adapter had to be "preferred" in NSR client to be able to get IP address from IP pool.

    2. Proxy-id/subnet had to encompass both main site and branch networks.

    3. A DIP was required on intrazone untrust policy to fix client firewall dropping packets because they weren't NAT'd.
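As an added illustration (not the poster's configuration, which was attached to the thread and is not reproduced here), the following ScreenOS fragment sketches fixes 2 and 3 from the answer above in CLI form. Interface names (ethernet0/0, tunnel.1, tunnel.2), the policy and DIP IDs, the address-book names and the DIP address 172.16.10.254 are assumptions; the subnets come from the network diagram in the first post. Fix 1 (marking the adapter as preferred) is done in the NetScreen-Remote client, not on the SSG, so it does not appear here.

```screenos
# Added example, not from the original thread. Interface names, IDs,
# address-book names and the DIP address are assumptions; subnets are
# taken from the diagram: NSR pool 10.1.1.0/24, site LAN 172.16.10.0/24,
# client LAN 10.175.0.0/24 behind the site-to-site tunnel.

# Site-to-site tunnel to the client firewall (route based, unnumbered)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set route 10.175.0.0/24 interface tunnel.1

# Dial-up tunnel for the NSR clients (route based, unnumbered)
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet0/0
set route 10.1.1.0/24 interface tunnel.2

# Fix 2: the dial-up proxy-id must cover both the main site and the
# client network, otherwise the NSR client never sends 10.175.0.0/24
# traffic into the tunnel. The poster used 10.0.0.0/8; on ScreenOS 6.3
# a second proxy-id pair on the same VPN is the alternative.
set vpn "Dial Up xxx VPN" proxy-id local-ip 10.0.0.0/8 remote-ip 255.255.255.255/32 "ANY"

# Fix 3: source NAT the hairpinned traffic with a DIP so the client
# firewall sees a source inside 172.16.10.0/24, the only subnet its
# site-to-site proxy-id/policy accepts. DIP address is an assumption.
set interface tunnel.1 dip 4 172.16.10.254 172.16.10.254
set address untrust "DialUp-Pool" 10.1.1.0 255.255.255.0
set address untrust "Client-LAN" 10.175.0.0 255.255.255.0
# Intrazone blocking makes the untrust-to-untrust policy below consulted
set zone untrust block
set policy id 20 from untrust to untrust "DialUp-Pool" "Client-LAN" any nat src dip-id 4 permit
```

The DIP address is chosen inside 172.16.10.0/24 so that it falls within the local proxy-id the site-to-site VPN already negotiates; without that translation the client firewall receives packets from 10.1.1.0/24, a source it has no proxy-id, route or policy for, which is the drop the poster reported. Verify with `get sa` that both tunnels are up and with `get session` that the hairpinned session shows the translated source.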