Screen OS

  • 1.  SSG20

    Posted 04-22-2013 03:16

    datasheet for SSG20 says it'll support 25 concurrent VPN tunnels.

     

    Does that apply to site-to-site & VPN client tunnels?



  • 2.  RE: SSG20

    Posted 04-22-2013 07:10

    Hi,

    Yes, it is inclusive of all tunnels.

    Thanks.

    Hardeep



  • 3.  RE: SSG20

    Posted 04-22-2013 09:17

    If a site to site connection allowed two local subnets access to the remote network, would there be two tunnels established?



  • 4.  RE: SSG20

    Posted 04-22-2013 21:16

    Hi,

    You are right.

    It will create 2 SAs (tunnels).

    get sa can be used to view the existing tunnel count.

    Thanks.

    Hardeep



  • 5.  RE: SSG20

    Posted 04-24-2013 07:29

    If a site-to-site VPN allowed local networks 10.0.0.0 and 10.10.0.0 access to remote networks 192.168.1.0 and 192.168.2.0, I understand there will be 8 SAs (2 per network, 1 for each direction).

    Would this mean 8 VPN tunnels or 4 VPN tunnels in use?



  • 6.  RE: SSG20

    Posted 04-24-2013 07:54

    ScreenOS treats a pair of SAs (one in each direction) as a single SA.

    For example:

    SA id 1 will be counted as one SA (even though there's one in each direction).

    00000001<         1.1.1.2  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
    00000001>         1.1.1.2  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0

    Regards,

    Sam



  • 7.  RE: SSG20

    Posted 04-24-2013 10:07

    @muph wrote:

    If a site to site connection allowed two local subnets access to the remote network, would there be two tunnels established?


    This depends on how the VPN is configured. If you have multiple proxy-id pairs defined, then a separate SA will be created for each proxy-id pair. If you don't bother with proxy-ids (e.g. if you have a route-based VPN between two Junipers, which will use the proxy-id 0.0.0.0/0 on both sides of the tunnel), then only one SA is created.

     


    @muph wrote:

    If a site to site vpn allowed local networks 10.0.0.0 and 10.10.0.0 access to remote networks 192.168.1.0 and 192.168.2.0, I understand there will be 8 SA's (2 per network 1 for each direction)

     

    Would this mean 8 VPN tunnels or 4 VPN tunnels in use?


    You don't get one SA per direction; you get one SPI per direction. An SA is a logical grouping of SPIs (i.e. an SA is bidirectional). In your example, you would see 4 SAs on either firewall, meaning 4 VPN tunnels.
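
    The two points made in this thread (one SA per proxy-id pair, and one tunnel per SA id even though `get sa` prints a line per direction) can be checked mechanically. The following Python is an added example, not code from the thread or from Juniper; it parses a constructed `get sa` sample modelled on the lines quoted above, counts tunnels the way ScreenOS does, and predicts the SA count from the proxy-id pairs a policy-based or route-based VPN would produce. The subnet masks for the 10.0.0.0 / 10.10.0.0 / 192.168.x.0 networks are assumed (the thread gives none), and all SA ids, SPIs and peer addresses are made up.

```python
import re
from ipaddress import ip_network
from itertools import product

# Constructed sample of "get sa" output, modelled on the two lines quoted in
# the thread: one line per direction, '<' and '>' marking the two directions.
# SA ids, peer address, SPIs and lifetimes are made up for illustration.
SAMPLE_GET_SA = """\
00000001<         1.1.1.2  500 esp:3des/sha1 0a1b2c3d expir unlim I/I    -1 0
00000001>         1.1.1.2  500 esp:3des/sha1 1e2f3a4b expir unlim I/I    -1 0
00000002<         1.1.1.2  500 esp:3des/sha1 5c6d7e8f expir unlim I/I    -1 0
00000002>         1.1.1.2  500 esp:3des/sha1 9a0b1c2d expir unlim I/I    -1 0
"""

# Matches the leading columns of a "get sa" line: 8-hex-digit SA id, direction
# marker, peer gateway, port, proposal, and the per-direction SPI. Trailing
# columns (lifetime, status, PID, vsys) are ignored.
SA_LINE = re.compile(
    r"^(?P<id>[0-9a-fA-F]{8})(?P<dir>[<>])\s+(?P<peer>\S+)\s+(?P<port>\d+)"
    r"\s+(?P<proto>\S+)\s+(?P<spi>[0-9a-fA-F]{8})"
)


def parse_get_sa(text):
    """Group directional lines by SA id: {sa_id: {direction: spi}}."""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines, prompt noise
        sas.setdefault(m["id"], {})[m["dir"]] = m["spi"]
    return sas


def count_tunnels(text):
    """One tunnel per SA id, regardless of how many directional SPIs it carries."""
    return len(parse_get_sa(text))


def half_open_sas(text):
    """SA ids that show only one direction; worth a second look when troubleshooting."""
    return sorted(sa_id for sa_id, dirs in parse_get_sa(text).items() if len(dirs) != 2)


def proxy_id_pairs(local_subnets, remote_subnets, route_based=False):
    """Proxy-id pairs a VPN will negotiate.

    Policy-based: one pair per (local, remote) combination.
    Route-based between two Junipers: a single 0.0.0.0/0 <-> 0.0.0.0/0 pair,
    as described in the thread.
    """
    if route_based:
        return [(ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))]
    return [(ip_network(l), ip_network(r)) for l, r in product(local_subnets, remote_subnets)]


def expected_sa_count(local_subnets, remote_subnets, route_based=False):
    """Each proxy-id pair yields one bidirectional SA, i.e. one tunnel."""
    return len(proxy_id_pairs(local_subnets, remote_subnets, route_based))


def within_tunnel_limit(tunnel_count, limit=25):
    """Compare against the platform's datasheet figure (25 for the SSG20 per post 1)."""
    return tunnel_count <= limit


if __name__ == "__main__":
    # Masks assumed; the thread only names the network addresses.
    local = ["10.0.0.0/8", "10.10.0.0/16"]
    remote = ["192.168.1.0/24", "192.168.2.0/24"]
    print("policy-based SAs:", expected_sa_count(local, remote))          # 4
    print("route-based SAs: ", expected_sa_count(local, remote, True))    # 1
    print("tunnels in sample get sa:", count_tunnels(SAMPLE_GET_SA))      # 2
    print("half-open:", half_open_sas(SAMPLE_GET_SA))                     # []
```

Running it against real `get sa` output is a quick way to confirm how many of the 25 tunnels are actually in use, and `half_open_sas` flags an id where only one direction was printed.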

     



  • 8.  RE: SSG20

    Posted 04-24-2013 07:57

    .



  • 9.  RE: SSG20
    Best Answer

    Posted 04-24-2013 08:04

    Yes, you are correct. 4 SAs in your example.

    Regards,

    Sam