Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  Site-to-Site VPN with MIP to private IP address

    Posted 02-14-2013 20:43

    Dear All,

     

      I would like to post a case in the forum. I have to set up a Site-to-Site VPN configuration with a MIP to an internal private host. The other site mentioned that they cannot accept any private IP address ranges for external & internal networks (all IP addresses must be public IP addresses for the external and internal network).

     

      Site-A is my site and Site-B is the other end. Each site has 3 public IPs. I would like to set up a Site-to-Site VPN tunnel between the VPN peer gateways (public IP). Server-to-server traffic must go through the IPsec tunnel, translated with a MIP (public IP) to the internal private hosts.

      My scenario is as below.

     

    Site-A has the following
    ============
    Public IP for VPN Peer = 1.1.1.1

    MIP to Local Server1 = mip 1.1.1.50 host 192.168.1.50

    MIP to Local Server2 = mip 1.1.1.60 host 192.168.1.60


    Site-B has the following
    ============
    Public IP for VPN Peer = 2.2.2.1

    MIP to Local Server1 = mip 2.2.2.50 host 192.168.2.50

    MIP to Local Server2 = mip 2.2.2.60 host 192.168.2.60

     

      Please let me know whether it is possible.



  • 2.  RE: Site-to-Site VPN with MIP to private IP address

    Posted 02-15-2013 09:17

    It is certainly possible.

     

    You will need a route-based VPN for this situation.  That's somewhat unfortunate, because policy-based VPNs are significantly easier to set up with 3rd-party equipment on the other end of the tunnel.

     

    That being said -- it's not really **that** difficult to do.  You just have to pay close attention to Proxy IDs with route-based VPNs, otherwise your phase 2 SAs will fail to establish and you will have "banging face on desk syndrome."  Juniper firewalls are extremely tolerant (is this good or bad?) with phase 2 SAs and Proxy IDs -- most other vendors are not.  Once you get the VPN established and you have your tunnel.1 (or whatever) interface, then you will just set a route on your SSG for the destination public addresses (2.2.2.50, etc.) with tunnel.1 as your next hop.  Your security policies must reference your internal MIP addresses.



  • 3.  RE: Site-to-Site VPN with MIP to private IP address

    Posted 02-15-2013 19:46

    Hi,

     

    While route-based is the best way to do this, there is a way to achieve this with a policy-based VPN as well.

    http://kb.juniper.net/KB5346  

    Overlapping subnets with route-based VPNs (you can use this to refer to the steps needed for setting a MIP on a tunnel interface)

     

    http://kb.juniper.net/KB9924  

    MIP on a policy-based VPN

     

    Hope this helps.

     

    Regards.

    Hardeep



  • 4.  RE: Site-to-Site VPN with MIP to private IP address

    Posted 02-15-2013 23:42

    Dear All,

     

      Thank you all for the information. Please see the attached file for the configuration on my firewall. I couldn't get the SA up. Please help point out what I got wrong in my configuration.

      Thanks!

     

    Rgds,

    NL.



  • 5.  RE: Site-to-Site VPN with MIP to private IP address

    Posted 02-16-2013 00:21

    Hi,

     

    Please confirm whether the proxy-id matches the other end.

    Event logs can give more clues about the failure; check whether a connection attempt has been made.

     

    Thanks.

    Hardeep



  • 6.  RE: Site-to-Site VPN with MIP to private IP address

    Posted 02-16-2013 01:14

    Dear Hardeep,

     

      Actually, I am simulating the scenario in my lab with 2 NetScreen devices for the actual Production config.

     

      For the Production config, the other end asked me to connect to their server's public IP address via IPsec VPN (their VPN peer IP and server IP are public IPs in the same subnet).  They also requested that at our end the VPN peer and server IP must be public IPs. So, neither site will expose private IP addresses to the other site.

      Hence, for Production, I can only know their VPN peer gateway public IP and their server's public IP.

     

    Rgds,

    NL. 



  • 7.  RE: Site-to-Site VPN with MIP to private IP address

    Posted 02-16-2013 19:49

    Hi NL,

     

    Sorry, I was unable to understand whether the VPN is still failing after the settings.

    If you initiate traffic from your end, are you able to see the event logs and check whether the VPN is getting initiated?

     

    Thanks.

    Hardeep



  • 8.  RE: Site-to-Site VPN with MIP to private IP address

    Posted 02-20-2013 19:57

    Dear Hardeep,

     

     I got the following IKE event log at my end:

     

    No policy exist for proxy-id: local-ip 1.1.1.50/32 remote-ip 2.2.2.50/32.

     

    Regards,

    NL.



  • 9.  RE: Site-to-Site VPN with MIP to private IP address
    Best Answer

    Posted 02-21-2013 09:50

    The route statement is incorrect; you don't create a route that points to the tunnel for the peer IP.  The route needs to be the remote side of the proxy-id statement. So instead of:

     

    set route 2.2.2.1/32 int tunnel.1

     

    it should be:

     

    set route 2.2.2.50/32 int tunnel.1
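
A worked check for the two points made in this thread by the route-based answer (post 2) and the best answer above: the route into tunnel.1 must cover the remote proxy-id, not the peer gateway, and the policy must reference the MIP object rather than the private host. This is an added example written for this page; it is not code from the thread or from Juniper. The embedded ScreenOS statements are a constructed reconstruction of the Site-A side for Server1 only (the object names gw-siteB, vpn-siteB, siteB-server1 and the preshared-key placeholder are assumed), and the linter parses just the handful of statement types it needs. It generalizes the thread's single case to every route-based VPN found in a config.

```python
"""
Consistency check for a ScreenOS route-based VPN that fronts a private host
with a MIP. Added example, not Juniper code. The config text below is a
constructed, trimmed reconstruction of the Site-A side; gw-siteB, vpn-siteB,
siteB-server1 and PSK_PLACEHOLDER are assumed names, not from the thread.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed Site-A config that repeats the thread's mistake: the route for
# tunnel.1 points at the VPN peer (2.2.2.1) instead of the remote proxy-id.
BROKEN_CONFIG = """\
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.1 mip 1.1.1.50 host 192.168.1.50 netmask 255.255.255.255 vr trust-vr
set address untrust "siteB-server1" 2.2.2.50 255.255.255.255
set ike gateway "gw-siteB" address 2.2.2.1 main outgoing-interface ethernet0/0 preshare "PSK_PLACEHOLDER" sec-level standard
set vpn "vpn-siteB" gateway "gw-siteB" sec-level standard
set vpn "vpn-siteB" bind interface tunnel.1
set vpn "vpn-siteB" proxy-id local-ip 1.1.1.50/32 remote-ip 2.2.2.50/32 "ANY"
set route 2.2.2.1/32 interface tunnel.1
set policy from untrust to trust "siteB-server1" "MIP(1.1.1.50)" "ANY" permit
"""

# Same config with the route the best answer prescribes (remote proxy-id).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "set route 2.2.2.1/32 interface tunnel.1",
    "set route 2.2.2.50/32 interface tunnel.1",
)


def parse(config):
    """Pull out only the statements the check needs (a small subset of ScreenOS CLI)."""
    vpns, gateways, routes, mips, policies = {}, {}, [], {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r'set ike gateway "([^"]+)" address (\S+)', line):
            gateways[m[1]] = m[2]                      # gateway name -> peer IP
        elif m := re.match(r'set vpn "([^"]+)" gateway "([^"]+)"', line):
            vpns.setdefault(m[1], {})["gateway"] = m[2]
        elif m := re.match(r'set vpn "([^"]+)" bind interface (\S+)', line):
            vpns.setdefault(m[1], {})["tunnel"] = m[2]
        elif m := re.match(r'set vpn "([^"]+)" proxy-id local-ip (\S+) remote-ip (\S+)', line):
            vpns.setdefault(m[1], {}).update(local=m[2], remote=m[3])
        elif m := re.match(r"set route (\S+) int(?:erface)? (\S+)", line):
            routes.append((ip_network(m[1]), m[2]))   # (prefix, egress interface)
        elif m := re.match(r"set interface (\S+) mip (\S+) host (\S+)", line):
            mips[m[2]] = m[3]                          # public MIP -> private host
        elif line.startswith("set policy "):
            policies.append(line)
    return vpns, gateways, routes, mips, policies


def lint(config):
    """Return a list of findings; an empty list means route, proxy-id and policy agree."""
    vpns, gateways, routes, mips, policies = parse(config)
    findings = []
    for name, v in vpns.items():
        if not all(k in v for k in ("tunnel", "local", "remote")):
            continue  # policy-based or incomplete VPN: outside this check
        tunnel, remote = v["tunnel"], ip_network(v["remote"])
        local_host = str(ip_network(v["local"]).network_address)
        # 1. Traffic for the remote proxy-id must be routed into the tunnel interface.
        if not any(pfx.supernet_of(remote) and ifc == tunnel for pfx, ifc in routes):
            peer = gateways.get(v.get("gateway"))
            hint = ""
            if peer and any(ip_address(peer) in pfx and ifc == tunnel for pfx, ifc in routes):
                hint = f" (the route via {tunnel} points at the peer {peer} instead)"
            findings.append(
                f"{name}: no route for remote proxy-id {remote} via {tunnel}{hint}; "
                f"add 'set route {remote} interface {tunnel}'"
            )
        # 2. The local proxy-id must be the public MIP, not the private host address.
        if local_host not in mips:
            findings.append(f"{name}: local proxy-id {local_host} is not a configured MIP")
        # 3. Some policy must reference the MIP object so the translated flow is permitted.
        elif not any(f"MIP({local_host})" in p for p in policies):
            findings.append(f"{name}: no policy references MIP({local_host})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Running the script reports the peer-IP route on the broken config and nothing on the fixed one. The same three checks catch the other common variant of this mistake, a proxy-id that names the private host instead of the MIP, which the far end (and the IKE log quoted earlier in the thread) would reject in the same way.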



  • 10.  RE: Site-to-Site VPN with MIP to private IP address

    Posted 02-22-2013 00:22

    Dear Jcollazo,

     

      Thanks much for your suggestion; after changing the route, the tunnel is now up and working fine. 🙂

     

    Regards,

    NL.