Screen OS

  • 1.  SSG5 VPN using Shrew client software + VPN _ SSG5 using the same Trust Zone

    Posted 02-06-2013 09:49

    Hi,


    I moved all the ports to one single group on one zone, 'trust', to create a VPN connection with Shrew client software, with all ports in a group (group0). I am stuck for some reason. Maybe someone here can shed some light; I am sure it is something very simple.

    So basically I am trying to do a vpn connection for inbound/outbound to the same zone (trust-to-trust)

    The connection with the client establishes just fine, the tunnel is UP, so I am connected but I can't ping anything. I see the Dial-up policy is denying traffic, but no matter what I do or try I can't get it working. Maybe someone can suggest something I am missing...

    Attached are the debug log and the configuration file.

    thanks for looking.. 

    Attachment(s): ssg5_cfg.txt (6 KB), ssg5.log.txt (32 KB)


  • 2.  RE: SSG5 VPN using Shrew client software + VPN _ SSG5 using the same Trust Zone

    Posted 02-07-2013 06:27

    Hi,

     

    If the source and destination are both in trust, shouldn't the policy for dialup VPN be between trust and trust? However, I doubt if a VPN policy can be set between the same zones.

    You can try route based VPN in this scenario. http://kb.juniper.net/KB15272

     

    Hope this helps.

     

    Regards.

    Hardeep

     

     



  • 3.  RE: SSG5 VPN using Shrew client software + VPN _ SSG5 using the same Trust Zone

    Posted 02-07-2013 07:01

    Hi,

    Thanks. I already tried between trust-to-trust as you mentioned but it does not allow me to do it that way, no VPN dialup between the same zone... I will look into the KB you linked, thanks again.

     

    Actually, I tried using the Untrust and Trust way and it's working fine. VPN works perfectly, but I needed it to be trust-to-trust in the same zone instead. This is where I am having the problem...



  • 4.  RE: SSG5 VPN using Shrew client software + VPN _ SSG5 using the same Trust Zone
    Best Answer

    Posted 02-07-2013 18:53

    Untrust-trust dial-up VPN should work fine with policies.
    For trust-trust access I believe route based is a better solution, as the VPN is bound to the tunnel interface rather than a policy.

    Hope it helps to fix the problem.

     

    Regards.
    Hardeep



  • 5.  RE: SSG5 VPN using Shrew client software + VPN _ SSG5 using the same Trust Zone

    Posted 02-09-2013 09:46

    Hi Sahota,

     

    Thank you so much for the tip. Following your suggestion (using a route-based VPN instead) and doing some digging in the article you pointed to before:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15272

     

    I changed my configuration a bit based on this article (for trust-to-trust instead of Untrust-Trust as mentioned) by creating a "tunnel.1" interface and deleting the "Dial-UP VPN" policy, and it worked like a charm!

    Now I have everything in one zone, inbound and outbound, on "Trust".

     

    Thanks so much! I really appreciate it.



  • 6.  RE: SSG5 VPN using Shrew client software + VPN _ SSG5 using the same Trust Zone

    Posted 02-09-2013 22:01

    Hi,

     

    I am glad that the suggestion helped, and thanks for marking it as the accepted solution, as others can benefit from it.

     

    Regards.

    Hardeep Sahota