Screen OS


SSG140 Site to Site VPN with ASA Multiple Subnets

  • 1.  SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-22-2016 21:31

    Hi;

     

    Here are my cases.

    Site A : SSG 140 firmware 6.2 (subnet: 192.168.70.x)

    Site B : ASA (subnet 192.168.50.x)

    Site C: HQ (subnet 10.10.x.x)

     

    Site A <--- site to site VPN --> Site B   (SSG140 and ASA)

    Site B <---- T1 link ---> Site C  (Router B1 to Router C1 via T1)

     

    Currently, my computer at Site A communicates with Site B with no problem.

    What configuration is required to allow traffic from Site A to Site C to traverse the existing site-to-site VPN tunnel?

     

    Please see my network diagram example file.

    Attachment(s): case1.pdf (PDF, 110 KB, 1 version)


  • 2.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-23-2016 02:01

    Hi,

     

    If you have a route based VPN between A & B then you need to do the below steps:

     

    1: Please check the proxy IDs on both sides, whether they are none, 0.0.0.0/0 or any; they shouldn't be subnet specific, otherwise you need to have both subnets configured properly.

    2: On Site A add a route for the subnet 10.10.x.x pointing to the tunnel interface. I hope Site B knows how to reach subnet 10.10.x.x.

    3: Site C should have routes for the subnet 192.168.70.x via Site B so traffic could go to the tunnel.

     

    Thanks,

    Vikas



  • 3.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-23-2016 02:11

    Also, modify the security policies accordingly to allow the traffic between all the subnets.

     

    Thanks,

    Vikas



  • 4.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-23-2016 14:42

    How can I identify if a route-based VPN or a policy-based VPN is in use?  I can see the security policy to control the "permit" and "deny" of traffic coming in and out for the subnet.



  • 5.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-23-2016 16:03

    With a policy VPN you create the policy and choose an Action of "tunnel" instead of permit.  You can only permit then; you cannot create deny policies.

     

    With the route-based VPN you will find a binding to a tunnel interface on your "Autokey IKE" policy in the advanced tab.  There is no interface binding on the policy VPN.

     

    Also, with a route VPN you need to create routes into the tunnel interface for the desired subnets, probably static routes in this situation.



  • 6.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-23-2016 22:24

    thanks!

     

    I also talked to the Cisco technician; she pointed out that the traffic from Site A to Site C is dropped by the ASA firewall at Site B because of a VPN phase 2 ESP value issue.  And she asked me to check the configuration on the Juniper.

     

    She told me that she can see the "esp" value from Site A to Site B (ASA), but there is no esp value passing through from Site A to Site C.

     

     



  • 7.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets
    Best Answer

    Posted 09-23-2016 22:37

    Can I have two commands like this on the same VPN tunnel?  One for Site B, and one for Site C.

     

    set vpn "Site_B" gateway "Site-b-gateway" replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
    set vpn "Site_B" monitor source-interface ethernet0/8.11 destination-ip 192.168.50.254 optimized rekey
    set vpn "Site_B" id 0x1 bind interface tunnel.1
    set vpn "Site_B" dscp-mark 0

     

    set vpn "Site_B" proxy-id local-ip 192.168.70.0/16 remote-ip 192.168.50.0/16 "ANY"

    set vpn "Site_B" proxy-id local-ip 192.168.70.0/16 remote-ip 10.10.0.0/16 "ANY"



  • 8.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-24-2016 02:57

    Yes, for your setup you will need to have two proxy-id pairs set up to send the required traffic.  But the subnet mask on 192.168.70 and 192.168.50 should be 24 so they don't overlap:

    set vpn "Site_B" proxy-id local-ip 192.168.70.0/24 remote-ip 192.168.50.0/24 "ANY"
    set vpn "Site_B" proxy-id local-ip 192.168.70.0/24 remote-ip 10.10.0.0/16 "ANY"

    Remove the dscp marking unless you have this configuration set up on both sides; this sometimes turns on by default and, if you are not fully configured, can cause issues.

    set vpn "Site_B" dscp-mark 0

    Confirm you have the remote routes set up to the tunnel:

    set route 10.10.0.0/16 interface tunnel.1
    set route 192.168.50.0/24 interface tunnel.1

    Confirm the monitor source interface is in the IP address range 192.168.70.0/24:

    monitor source-interface ethernet0/8.11

     



  • 9.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-26-2016 18:07

    After adding this line to my settings, the original VPN link between 192.168.70.0 and 192.168.50.0 breaks.

     

    set vpn "Site_B" proxy-id local-ip 192.168.70.0/24 remote-ip 10.10.0.0/16 "ANY"

     

    It looks like my device does not accept two "set vpn "Site_B"" lines.



  • 10.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-27-2016 03:36

    Sounds like you need to upgrade to ScreenOS version 6.3.  Prior versions only supported one proxy-id pair.  With ScreenOS 6.3 you can have multiple pairs at the same time.

     

    Be sure to verify that you have the new ScreenOS signing key on your device BEFORE the upgrade.  If you have the old key and attempt the upgrade, the device can fail to boot.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=TSB16495



  • 11.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-27-2016 08:47

    thanks!

     

    This is what I thought.  Is there any impact on my existing configuration after applying the new firmware?

     

     



  • 12.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-28-2016 03:14

    Assuming you have a current configuration in 6.0 - 6.2, there are no issues at all in the upgrade.  I have done many of these over the years and the configurations are compatible.



  • 13.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 10-07-2016 21:15

    I have taken the time to upgrade the SSG140 firmware to 6.3.0r22.  Also, I tried to pair the proxy-id to accept two different remote subnets, Site A and Site B.

     

    However, when I tried to tracert to Site B, it is still not working.



  • 14.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 10-11-2016 03:53

    You will need to verify that these configuration objects are the same on the ASA and the SSG.  These need to contain:

     

    Proxy-id on the SSG

    ACL for the VPN on the ASA

    192.168.70.0/24 - 192.168.50.0/24 
    192.168.70.0/24 - 10.10.0.0/16 

    Then confirm routing:

    The SSG needs a static route to the tunnel interface for both remote networks:

    192.168.50.0/24 & 10.10.0.0/16

     

    Cisco router B needs a static route to 192.168.70.0/24 via Cisco router A.

    Cisco router A needs a static route to 192.168.70.0/24 via the ASA.

     

    Confirm a security policy allows traffic from your local subnet to the tunnel interface zone on the VPN.

     

    Confirm the VPN is active:

    SSG

    get ike

    get sa

     

    If the VPN is not up:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB9221
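The checklist above (proxy-ids mirrored in the ASA crypto ACL, a static route into the tunnel for each remote network), together with the route-based vs. policy-based distinction from reply 5 and the overlapping /16 masks caught in reply 8, can be checked mechanically. The script below is an added example, not code from this thread, from Juniper or from Cisco: it parses the `set vpn ... proxy-id`, `bind interface` and `set route` lines of a ScreenOS config plus `access-list ... extended permit ip` lines of an ASA config and reports the mismatches. The two SSG configs, the ASA ACL, the VPN name "Site_B", the interface tunnel.1 and the ACL name outside_cryptomap are constructed for the example; it does not check the VPN monitor source IP or the security policies.

```python
"""Check an SSG route-based VPN against the peer ASA crypto ACL.

Added example, not code from the thread, Juniper or Cisco.  The config
text, VPN name, tunnel interface and ACL name below are constructed.
"""
import ipaddress
import re

PROXY_RE = re.compile(r'^set vpn "(?P<vpn>[^"]+)" proxy-id local-ip (?P<local>\S+) remote-ip (?P<remote>\S+)')
BIND_RE = re.compile(r'^set vpn "(?P<vpn>[^"]+)" id \S+ bind interface (?P<ifc>\S+)')
POLICY_TUNNEL_RE = re.compile(r'^set policy .*\btunnel vpn "(?P<vpn>[^"]+)"')
ROUTE_RE = re.compile(r'^set route (?P<net>\S+) interface (?P<ifc>\S+)')
ACL_RE = re.compile(r'^access-list (?P<name>\S+) extended permit ip '
                    r'(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)')


def net(text):
    """'192.168.70.0/16' or '192.168.70.0/255.255.0.0' -> IPv4Network with host bits cleared."""
    return ipaddress.ip_network(text, strict=False)


def parse_ssg(config):
    """Return (kind, proxy_ids, bound_ifc, routes) for a ScreenOS config with one VPN."""
    proxy_ids, routes, bound, policy_tunnel = [], {}, None, False
    for line in config.splitlines():
        line = line.strip()
        if m := PROXY_RE.match(line):
            proxy_ids.append((net(m["local"]), net(m["remote"])))
        elif m := BIND_RE.match(line):
            bound = m["ifc"]                      # route-based: VPN bound to tunnel.N
        elif POLICY_TUNNEL_RE.match(line):
            policy_tunnel = True                  # policy-based: action "tunnel" on a policy
        elif m := ROUTE_RE.match(line):
            routes[net(m["net"])] = m["ifc"]
    kind = "route-based" if bound else ("policy-based" if policy_tunnel else "unknown")
    return kind, proxy_ids, bound, routes


def parse_asa_acl(config, acl_name):
    """Return the set of (src, dst) networks permitted by the named ASA crypto ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m["name"] == acl_name:
            pairs.add((net(f'{m["src"]}/{m["smask"]}'), net(f'{m["dst"]}/{m["dmask"]}')))
    return pairs


def audit(ssg_config, asa_config, acl_name):
    """Return a list of findings; an empty list means both ends agree."""
    findings = []
    kind, proxy_ids, bound, routes = parse_ssg(ssg_config)
    if kind != "route-based":
        findings.append(f"VPN is {kind}: static routes into a tunnel interface apply only to route-based VPNs")
    for local, remote in proxy_ids:
        if local.overlaps(remote):                # e.g. two /16 masks both collapsing to 192.168.0.0/16
            findings.append(f"proxy-id local {local} overlaps remote {remote}: check the prefix lengths")
    ssg_pairs, asa_pairs = set(proxy_ids), parse_asa_acl(asa_config, acl_name)
    for local, remote in ssg_pairs:               # the ASA lists its own side as the source
        if (remote, local) not in asa_pairs:
            findings.append(f"ASA ACL {acl_name} has no entry mirroring SSG proxy-id {local} -> {remote}")
    for src, dst in asa_pairs:
        if (dst, src) not in ssg_pairs:
            findings.append(f"SSG has no proxy-id mirroring ASA ACL entry {src} -> {dst}")
    if kind == "route-based":
        for _, remote in ssg_pairs:               # every remote network must route into the bound tunnel
            if routes.get(remote) != bound:
                findings.append(f"missing: set route {remote} interface {bound}")
    return findings


# Constructed sample configs (names and addresses are assumptions for this example).
SSG_OK = """
set vpn "Site_B" gateway "Site-b-gateway" replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set vpn "Site_B" id 0x1 bind interface tunnel.1
set vpn "Site_B" proxy-id local-ip 192.168.70.0/24 remote-ip 192.168.50.0/24 "ANY"
set vpn "Site_B" proxy-id local-ip 192.168.70.0/24 remote-ip 10.10.0.0/16 "ANY"
set route 192.168.50.0/24 interface tunnel.1
set route 10.10.0.0/16 interface tunnel.1
"""
SSG_BAD = """
set vpn "Site_B" id 0x1 bind interface tunnel.1
set vpn "Site_B" proxy-id local-ip 192.168.70.0/16 remote-ip 192.168.50.0/16 "ANY"
set vpn "Site_B" proxy-id local-ip 192.168.70.0/16 remote-ip 10.10.0.0/16 "ANY"
set route 192.168.50.0/16 interface tunnel.1
"""
ASA = """
access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.0.0 192.168.70.0 255.255.255.0
"""
POLICY_BASED = 'set policy id 1 from "Trust" to "Untrust" "192.168.70.0/24" "SiteB" "ANY" tunnel vpn "Site_B" id 0x1 log'

if __name__ == "__main__":
    for label, cfg in (("corrected", SSG_OK), ("as first posted", SSG_BAD)):
        print(f"{label}: {audit(cfg, ASA, 'outside_cryptomap') or ['OK']}")
```

Run against the /16 configuration as it was first posted, the script reports the overlapping proxy-id (both /16 prefixes normalise to 192.168.0.0/16), four proxy-id/ACL mismatches and the missing route for 10.10.0.0/16; the corrected /24 configuration produces no findings. Host bits are cleared with `strict=False` on purpose, because that is how the overlap actually manifests on the wire.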

     



  • 15.  RE: SSG140 Site to Site VPN with ASA Multiple Subnets

    Posted 09-23-2016 09:04

    Thanks for your response.

     

    In order to have a site-to-site VPN for Site A and Site B, I have the following configuration.  Because I am not familiar with Juniper, I am not sure how to extend it to Site C.  How can I add the route for Site C?

     

    set vpn "Site_B" proxy-id local-ip 192.168.70.0/16 remote-ip 192.168.50.0/16 "ANY"

    set policy id 3 from "Untrust" to "Trust"  "SiteB" "192.168.70.0/16" "ANY" permit log count
    set policy id 3
    exit
    set policy id 2 from "Trust" to "Untrust"  "192.168.70.0/16" "SiteB" "ANY" permit log count
    set policy id 2
    exit

    set route 192.168.50.0/16 interface tunnel.1