Screen OS

  • 1.  SSG140 with two untrust interfaces

    Posted 07-23-2009 10:32

    Hi,

    I have an SSG140 here with two untrust interfaces:

    eth0/0: static default route

    eth0/1: "connected", default route learnt from ISP

    With the default setting for route preference ethernet0/1 will have the active default route. This is fine with me. But: On ethernet0/0 I have several VPN tunnels. These tunnels do not work anymore as soon as ethernet0/1 is active.

    My goal:

    - all VPN traffic on ethernet0/0

    - all other traffic on ethernet0/1

    Is there a simple solution for this which does not require PBR or source routing?

    What puzzles me: I have another installation which is configured the same (except it's an SSG5), but there I have the VPN tunnels on eth0/1 ("connected") and all other traffic on eth0/0 (static route). With that setup everything works perfectly.

    Any hint?

    Thanks

    Daniel 


    #routing


  • 2.  RE: SSG140 with two untrust interfaces

    Posted 07-23-2009 11:50

    Hi, you can use 2 VRs for the 2 internet connections: 1 VR for VPN and 1 VR for the other traffic. After that you can use source routing to distribute the routes.

    Let's say for source (VPN user) the next hop is vr-vpn, and for source (other) the next hop is vr-internet.

    Thanks

    EL



  • 3.  RE: SSG140 with two untrust interfaces

    Posted 07-23-2009 13:30

    Design: 

    - Traffic passing through the clear route (non-VPN) can fail over to the VPN route

    - Traffic passing through the VPN route can't fail over to the clear route (non-VPN)

    SSG140:

    VPN traffic is failing over to the clear route, which the firewall does not allow.

    SSG5:

    Clear traffic to VPN traffic, which is doing fine.

    Thanks

    Atif



  • 4.  RE: SSG140 with two untrust interfaces
    Best Answer

    Posted 07-23-2009 22:18

    I would steer you to read this article on fellow JNet member c0d3r's blog, one of the many good articles on his site.  The method that I am going to describe is based on his article.  

    The part to pay specific attention to is the "Import default route from another vrouter" 

    http://www.corelan.be:8800/index.php/2009/04/19/juniper-screenos-default-route-manipulations-and-redistributions/

    Multiple virtual routers, as someone has explained in this thread, is one way to do it.  

    e0/0 untrust zone, untrust-vr

    e0/1 internet zone, inet-vr

    Create 2 route-maps, one for each external virtual router.  They will export their default route to the trust-vr.  Route maps are great for manipulating a route as it passes from virtual router to virtual router.  For your requirements, you would want to make sure that e0/0 has a higher metric in the route map export.  This will allow the route pointing to e0/1 to be active for the default route.  That will force all traffic to head to that virtual router, and outbound.  Then your more specific VPN routes can go over your e0/0 interface.  

    The only thing you need to be careful of during your export is to pay attention to how your default route is appearing.  If it's a connected route then c0d3r's example is perfect.  If it's static, then change the protocol to static.   

    Message Edited by shadow on 07-24-2009 12:20 AM
    Message Edited by shadow on 07-24-2009 12:27 AM
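    The two-virtual-router layout described in the answer above, written out as an added ScreenOS CLI example. This is not the original poster's configuration and not c0d3r's article's own config; it follows the answer's naming (e0/0 stays in the untrust zone on untrust-vr, e0/1 moves to a new internet zone on inet-vr). The access-list numbers, route-map names, metric values, the e0/0 next hop 203.0.113.1 and the remote VPN subnet 192.168.50.0/24 are constructed placeholders and must be replaced with the real values. Lines starting with `#` are reading annotations, not ScreenOS syntax, and should not be pasted into the CLI.

```screenos
# --- Zones and virtual routers ---
# e0/0 remains in the untrust zone, which is bound to untrust-vr.
# Create a second external VR and a zone for the ISP link on e0/1.
set vrouter name inet-vr
set zone name internet
set zone internet vrouter inet-vr

# Moving e0/1 to the new zone: its addressing has to be cleared first
# (as the thread notes, anything bound to the interface must be removed
# before the zone can change). e0/1 then re-learns its default route via DHCP.
unset interface ethernet0/1 dhcp client enable
unset interface ethernet0/1 ip
set interface ethernet0/1 zone internet
set interface ethernet0/1 dhcp client enable

# Static default route for e0/0 inside untrust-vr (gateway is a placeholder).
set vrouter untrust-vr route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

# --- Export each external VR's default route into trust-vr ---
# Access-list 10 matches the default route; the route-map sets the metric the
# exported copy carries. untrust-vr exports with the HIGHER metric so that its
# default is present in trust-vr but not the active one.
set vrouter untrust-vr
set access-list 10 permit ip 0.0.0.0/0 10
set route-map name "export-default-vpnlink" permit 10
set match ip 10
set metric 100
exit
# "protocol" must match how the default route appears in this VR (check with
# "get route"): static here, because e0/0 has a static default.
set export-to vrouter trust-vr route-map "export-default-vpnlink" protocol static
exit

set vrouter inet-vr
set access-list 10 permit ip 0.0.0.0/0 10
set route-map name "export-default-inet" permit 10
set match ip 10
set metric 10
exit
# The ISP-learnt default on e0/1 shows as a connected route, so export connected;
# change this to static if "get route" in inet-vr shows it as static.
set export-to vrouter trust-vr route-map "export-default-inet" protocol connected
exit

# --- More-specific routes for the VPN peer networks ---
# trust-vr hands traffic for the remote VPN subnet to untrust-vr (e0/0 side);
# everything else follows the lower-metric default into inet-vr and out e0/1.
set vrouter trust-vr route 192.168.50.0/24 vrouter untrust-vr

# Verification: trust-vr should list both default routes, with only the one
# pointing at inet-vr marked active, plus the /24 pointing at untrust-vr.
get vrouter trust-vr route
```

    One point worth checking after applying this: the policies for the VPN tunnels still reference the untrust zone, so a route in trust-vr for each remote subnet (the last `set vrouter trust-vr route ...` line, repeated per tunnel) is what keeps that traffic on e0/0; without it, the active default would send it into inet-vr and the tunnel would only work in one direction, which matches the symptom reported later in this thread.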


  • 5.  RE: SSG140 with two untrust interfaces

    Posted 08-05-2009 02:10
    Ok, found my original login again... sorry, and thanks again.


  • 6.  RE: SSG140 with two untrust interfaces

    Posted 08-05-2009 01:59

    Thanks everyone! I did as suggested and created two new virtual routers. This way it works perfectly. It was quite some work, as I had to move an interface to one of the new virtual routers and therefore also had to change the zone. To do this I had to remove all VPN tunnels first. Does anybody know a better way to move an interface without first removing everything connected to the interface?

    Well, anyway, thanks to the config export/import feature this was possible without creating everything anew.

    The only problem I have is a route-based VPN tunnel which does not work anymore (to be precise, which only works outgoing and not incoming). Must be some routing problem I could not figure out yet.

    Daniel

    P.S. My screen name is now Sofatime1 instead of Sofatime. Did Juniper change anything with the login procedure?