Screen OS

  • 1.  SSG5 IPSec VPN

     
    Posted 05-02-2012 07:59

    Please excuse my ignorance on this as I have NEVER configured an SSG before.

    Basic scenario is:-

    Subnet ---> SSG140 ---> SSG5 ---> other subnet

    Basically, I need to access Subnet from other subnet via an IPSec tunnel.... I kind of think I know the basics but I can't get the **bleep** thing to work at all, or, in fact, I am not really sure if my config is right for it as there is already 1 tunnel going through the untrusted Ethernet0/0 interface as follows:-

    corp ---> SSG140 ---> SSG5 ---> Other subnet

    In fact, can you have 2 x IPSec tunnels exiting the same interface (ethernet0/0)? Or do I need to cable up and configure another interface for the second tunnel?

    I have configured IPSec tunnels on the SRXs with no problems, but although this, outwardly, appears easier, it is causing me a real headache....

    Thanks in advance



  • 2.  RE: SSG5 IPSec VPN
    Best Answer

    Posted 05-02-2012 17:01
    Here are the high-level steps:

    1) Create "Gateway" with matching authentication and encryption settings. You can, indeed, have more than one gateway bound to the same interface.

    2) If you want to run stuff like dynamic routing, then create a tunnel interface as well.

    3) Create VPN using the defined gateway, specifying the two subnets as proxy ID. You can bind here the tunnel interface if needed. Also, enable VPN Monitor (and the Optimize and Rekey options for good measure).

    4) Watch logs for errors that will say if anything is wrong.

    5) Post config here if there's still trouble.
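    The five steps above, written out as a ScreenOS CLI configuration for both ends of a route-based tunnel. This is an added example, not config from the thread or from Juniper; every name, address and subnet in it is made up (site A LAN 10.1.1.0/24 behind the SSG140 at 198.51.100.1, site B LAN 10.2.2.0/24 behind the SSG5 at 203.0.113.2), the pre-shared key is a placeholder, and the "##" comment lines are explanation only: the ScreenOS CLI does not accept comments, so strip them before pasting. It also shows the point from step 1 in practice: the new gateway goes out of ethernet0/0 even though another gateway already uses that interface, because a gateway is distinguished by its peer address, not by its interface.

```text
## ===== SSG140 (site A) =====

## Step 1: IKE gateway (Phase 1). Bound to ethernet0/0 alongside any existing
## gateway on that interface; the peer address is what makes it unique.
set ike gateway "gw-siteB" address 203.0.113.2 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard

## Step 2: tunnel interface for a route-based VPN, unnumbered on ethernet0/0
## so it needs no addressing of its own.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

## Step 3: the VPN (Phase 2) on that gateway, bound to tunnel.1, with the two
## subnets as proxy-ID, plus VPN monitor with the optimized and rekey options.
set vpn "vpn-siteB" gateway "gw-siteB" sec-level standard
set vpn "vpn-siteB" bind interface tunnel.1
set vpn "vpn-siteB" proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 "ANY"
set vpn "vpn-siteB" monitor optimized rekey

## Route the remote subnet into the tunnel.
set route 10.2.2.0/24 interface tunnel.1

## Address-book entries (the "policy elements") and a policy in EACH direction.
## With these missing on either box the tunnel still comes up, but traffic
## arriving from the tunnel has nothing permitting it and the session ages out.
set address "Trust" "siteA-lan" 10.1.1.0 255.255.255.0
set address "Untrust" "siteB-lan" 10.2.2.0 255.255.255.0
set policy from "Trust" to "Untrust" "siteA-lan" "siteB-lan" "ANY" permit log
set policy from "Untrust" to "Trust" "siteB-lan" "siteA-lan" "ANY" permit log
save

## ===== SSG5 (site B): the mirror image =====
set ike gateway "gw-siteA" address 198.51.100.1 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set vpn "vpn-siteA" gateway "gw-siteA" sec-level standard
set vpn "vpn-siteA" bind interface tunnel.1
set vpn "vpn-siteA" proxy-id local-ip 10.2.2.0/24 remote-ip 10.1.1.0/24 "ANY"
set vpn "vpn-siteA" monitor optimized rekey
set route 10.1.1.0/24 interface tunnel.1
set address "Trust" "siteB-lan" 10.2.2.0 255.255.255.0
set address "Untrust" "siteA-lan" 10.1.1.0 255.255.255.0
set policy from "Trust" to "Untrust" "siteB-lan" "siteA-lan" "ANY" permit log
set policy from "Untrust" to "Trust" "siteA-lan" "siteB-lan" "ANY" permit log
save
```

    The proxy-IDs are deliberately mirror images of each other (local on one side equals remote on the other); a mismatch there is the usual reason Phase 2 fails while Phase 1 succeeds. The `log` keyword on the policies is what produces the per-session entries in the traffic log, which is the first place to look when the tunnel is up but traffic is not flowing.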


  • 3.  RE: SSG5 IPSec VPN

     
    Posted 05-03-2012 01:52

    Thank you...

    I will test some configurations based on this today.

    Will let you know the results.

    Much appreciated.



  • 4.  RE: SSG5 IPSec VPN

    Posted 05-03-2012 06:18

    Hi, this kb document has helped me in the past: http://kb.juniper.net/InfoCenter/index?page=content&id=KB22091



  • 5.  RE: SSG5 IPSec VPN

     
    Posted 05-16-2012 05:30

    Managed to get the VPN up and running as in the logs and the J-Web it shows the tunnel as "UP" and the Phase 2 proposals completed.

    I have the network test as shown here:-

    Laptop -> SSG20 int e0/3 (trust) -> int e0/0 (untrust) --------- SSG20 int e0/0 (untrust) -> int e0/3 (trust) -> Laptop

    When I try and ping one laptop from the other, I can see the traffic going across the tunnel, but then get an age out (log extract shown below). From what I can see (from the light sequence) it gets to the far side untrusted interface but something is stopping the traffic hitting the e0/3 interface at the far end. This is the same in both directions.

    2012-05-16 12:12:01  0:01:02  10.18.158.20 15360  10.18.159.159 512  ICMP  8046  ethernet0/3  Close - AGE OUT  1  10.18.158.20 15360  10.18.159.159 512  3  tunnel.2
    2012-05-16 12:11:53  0:00:59  10.18.158.20 15104  10.18.159.159 512  ICMP  8043  ethernet0/3  Close - AGE OUT  1  10.18.158.20 15104  10.18.159.159 512  3  tunnel.2
    2012-05-16 12:11:49  0:01:00  10.18.158.20 14848  10.18.159.159 512  ICMP  8041  ethernet0/3  Close - AGE OUT  1  10.18.158.20 14848  10.18.159.159 512  3  tunnel.2
    2012-05-16 12:11:04  0:00:00  10.18.158.20 15616  10.18.159.159 512  ICMP  8047  ethernet0/3  Creation         1  10.18.158.20 15616  10.18.159.159 512  3  tunnel.2
    2012-05-16 12:10:59  0:00:00  10.18.158.20 15360  10.18.159.159 512  ICMP  8046  ethernet0/3  Creation         1  10.18.158.20 15360  10.18.159.159 512  3  tunnel.2
    2012-05-16 12:10:54  0:00:00  10.18.158.20 15104  10.18.159.159 512  ICMP  8043  ethernet0/3  Creation         1  10.18.158.20 15104  10.18.159.159 512  3  tunnel.2
    2012-05-16 12:10:49  0:00:00  10.18.158.20 14848  10.18.159.159 512  ICMP  8041  ethernet0/3  Creation         1  10.18.158.20 14848  10.18.159.159 512  3  tunnel.2
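    The log above shows each ICMP session being created on ethernet0/3, sent out through tunnel.2, and then closed with AGE OUT after about a minute: the echo requests entered the tunnel and no reply session ever came back, which is exactly what a missing policy or return route at the far end looks like. The following is an added ScreenOS CLI checklist for that symptom, not something posted in the thread or taken from Juniper documentation; the two addresses are the ones in the log, and the "##" lines are explanation only and are not accepted by the CLI.

```text
## Run on BOTH firewalls. First confirm the tunnel really is up on each side.
get ike cookies                      ## Phase 1 SAs: is the peer listed and active?
get sa active                        ## Phase 2 SAs: an active SA for the peer in both directions

## The ping source is 10.18.158.20, the far-end laptop is 10.18.159.159.
## At the SENDING end the log already proves the packet reached the tunnel.
## At the RECEIVING end, ask the three questions that decide a packet's fate:
get policy                           ## is there an Untrust->Trust policy whose addresses
                                     ## cover 10.18.158.0/24 -> 10.18.159.0/24? (the missing
                                     ## "policy element" in the final post lives here)
get route ip 10.18.158.20            ## does the return route to the pinger point at tunnel.x?
get session src-ip 10.18.158.20      ## is a session ever created from the tunnel interface?
                                     ## none at all = dropped before session setup (policy/route)

## If the answers look right but pings still age out, trace one flow through
## the packet path. The filter keeps the buffer limited to this conversation.
set ffilter src-ip 10.18.158.20 dst-ip 10.18.159.159
clear dbuf
debug flow basic
## ...send a few pings from 10.18.158.20 now...
undebug all
get dbuf stream                      ## read the route lookup and policy lookup lines for the
                                     ## flow; they name the zone pair and policy that matched
                                     ## (or say why the packet was dropped)
```

    The reason to look at the receiving end rather than the sender is in the log itself: a Creation entry with an outgoing interface of tunnel.2 means the sender's policy, route and SA all worked. Whatever is wrong is on the other side of the tunnel, and the same three checks in the other direction explain why the symptom appeared in both directions at once.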



  • 6.  RE: SSG5 IPSec VPN

     
    Posted 05-16-2012 07:13

    It's all good.

    The problem was that I had not created a Policy Element at one end. I created the element and created a new Policy and it is now all working beautifully. Thanks for the help guys.