ScreenOS Firewalls (NOT SRX)
Visitor
pemnet
Posts: 6
Registered: 09-28-2010

Source route through VPN tunnel regardless of destination

ISG 1000 OS 6.1.  We have a LAN to LAN VPN tunnel already setup.  The existing production network gets to the public Internet and over the tunnel through the ISG without issue, as it should.  We need to force our newly created 192.168.14.0/24 and 192.168.24.0/24 subnets through the VPN tunnel regardless of destination; public Internet and all.  Existing production network will remain as it is.  I am posting this for another engineer on the team.

 

Thank you in advance for your assistance,

NaviNet IT Engineering

 

Trusted Contributor
rfrederick
Posts: 213
Registered: 07-14-2008

Re: Source route through VPN tunnel regardless of destination

I would put them into a different routing instance along with the external connection.  This would be the most secure way to do things.  The other way would be to add a source route for those subnets pointing to the tunnel, but if the goal is to truly segment the traffic, I would recommend the separate VR.

 

Ron

Visitor
pemnet
Posts: 6
Registered: 09-28-2010

Re: Source route through VPN tunnel regardless of destination

I will pass this on to the engineer who is working on this.  I will return with the results.

Visitor
pemnet
Posts: 6
Registered: 09-28-2010

Re: Source route through VPN tunnel regardless of destination

We are a semi-new IT engineering team so the engineer that is now responsible for this device is asking for the CLI commands to do what you are suggesting.  We are learning these devices on the fly, not too fun right now.

 

Can you assist?

 

Trusted Contributor
rfrederick
Posts: 213
Registered: 07-14-2008

Re: Source route through VPN tunnel regardless of destination

Well, the multiple VR config is a bit complex to try to detail without all of your interfaces / zones, but here is the source-routing one...

set vrouter trust-vr source-routing enable
set vrouter trust-vr route source 192.168.100.0/24 interface tunnel.1
set vrouter trust-vr route source 192.168.101.0/24 interface tunnel.2

Something along those lines (with networks, interfaces, vr name etc. changed to fit your network).

Ron

Visitor
pemnet
Posts: 6
Registered: 09-28-2010

Re: Source route through VPN tunnel regardless of destination

You are correct, it is a little complex.  I've been trying to get up to speed on this and three weeks since I started here is certainly not enough time.  I know we want it to go over the pre-existing and functioning VPN tunnel.2 so will this work?

 

set vrouter trust-vr source-routing enable
set vrouter trust-vr route source 192.168.14.0/24 interface tunnel.2
set vrouter trust-vr route source 192.168.24.0/24 interface tunnel.2
save

 

I'm hoping that this will FORCE ALL traffic regardless of its destination to use the VPN tunnel.2.

 

Thank you again for your assistance.

Trusted Contributor
rfrederick
Posts: 213
Registered: 07-14-2008

Re: Source route through VPN tunnel regardless of destination

That looks good to me.

 

Ron

Distinguished Expert
spuluka
Posts: 2,704
Registered: 03-30-2009

Re: Source route through VPN tunnel regardless of destination

 


pemnet wrote:

I'm hoping that this will FORCE ALL traffic regardless of its destination to use the VPN tunnel.2.

Thank you again for your assistance.


Yes, this is exactly how source routing works.  Which means even the connected destinations are sent down the tunnel.  So this will only work for you if these two subnets do NOT communicate with each other.  If they do, you will need to configure Policy Based Routing (PBR), which is somewhat more complicated.

 

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
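As an added illustration (not code from this thread, from Juniper, or from ScreenOS itself), here is a small Python model of the lookup order Steve describes: once source-based routing is enabled, the source table is consulted before the destination table, so the connected route to the neighbouring subnet never gets a chance to match and 192.168.14.0/24 to 192.168.24.0/24 traffic is pushed into tunnel.2. A PBR entry evaluated ahead of the source route is shown as the exception that restores inter-subnet reachability. The interface names ethernet1 to ethernet4, the production prefix 10.0.0.0/24 and the three-field shape of the PBR entry are assumptions made for the model; real ScreenOS PBR is built from separate match-group, action-group and policy objects, which this does not reproduce. The model also shows one consequence the thread does not spell out: replies from the new subnets to the existing production LAN are source-routed into the tunnel too, so any host outside the two subnets that must reach them needs the same kind of exception.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TrustVr:
    """Constructed model of a ScreenOS virtual router's route lookup.

    With 'source-routing enable' set, source-based routes are consulted
    before destination routes; PBR, where bound, is evaluated ahead of both.
    Interface names and the production prefix are placeholders.
    """
    destination_routes: dict          # destination prefix -> egress interface
    source_routes: dict               # source prefix -> egress interface
    source_routing_enabled: bool = False
    # PBR entries as (source prefix, destination prefix, egress interface):
    # a simplification of ScreenOS match-group/action-group/policy objects.
    pbr: list = field(default_factory=list)


def longest_match(routes, addr):
    """Return the interface of the most specific prefix containing addr."""
    best_iface, best_len = None, -1
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def lookup(vr, src, dst):
    """Return (egress interface, table that decided) for a src -> dst packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. PBR exceptions match on source AND destination.
    for s_prefix, d_prefix, iface in vr.pbr:
        if src in ipaddress.ip_network(s_prefix) and dst in ipaddress.ip_network(d_prefix):
            return iface, "pbr"
    # 2. Source-based routing ignores the destination entirely.
    if vr.source_routing_enabled:
        iface = longest_match(vr.source_routes, src)
        if iface:
            return iface, "source"
    # 3. Ordinary destination lookup, longest prefix wins.
    iface = longest_match(vr.destination_routes, dst)
    if iface:
        return iface, "destination"
    return None, "no-route"


def build_vr(with_pbr=False):
    """trust-vr after the thread's four commands, with placeholder interfaces."""
    vr = TrustVr(
        destination_routes={
            "0.0.0.0/0": "ethernet1",        # placeholder untrust / Internet interface
            "10.0.0.0/24": "ethernet2",      # placeholder existing production LAN
            "192.168.14.0/24": "ethernet3",  # placeholder connected interface
            "192.168.24.0/24": "ethernet4",  # placeholder connected interface
        },
        # set vrouter trust-vr route source 192.168.14.0/24 interface tunnel.2
        # set vrouter trust-vr route source 192.168.24.0/24 interface tunnel.2
        source_routes={"192.168.14.0/24": "tunnel.2", "192.168.24.0/24": "tunnel.2"},
        # set vrouter trust-vr source-routing enable
        source_routing_enabled=True,
    )
    if with_pbr:
        # Steve's alternative if the two subnets must talk to each other: a PBR
        # exception that steers inter-subnet traffic to the connected interface
        # before the source route is consulted (placeholder interfaces again).
        vr.pbr = [("192.168.14.0/24", "192.168.24.0/24", "ethernet4"),
                  ("192.168.24.0/24", "192.168.14.0/24", "ethernet3")]
    return vr


if __name__ == "__main__":
    cases = (("192.168.14.10", "203.0.113.5"),    # new subnet -> Internet (forced into tunnel)
             ("192.168.14.10", "192.168.24.10"),  # new subnet -> other new subnet
             ("192.168.14.10", "10.0.0.5"),       # new subnet -> production LAN
             ("10.0.0.5", "203.0.113.5"))         # production -> Internet (unchanged)
    for label, vr in (("source routing only", build_vr()),
                      ("with PBR exception", build_vr(with_pbr=True))):
        print(label)
        for src, dst in cases:
            print(f"  {src} -> {dst}: {lookup(vr, src, dst)}")
```

Running it prints the egress interface and the deciding table for each case; the second block of output differs from the first only for the inter-subnet flows, which is exactly the gap Steve points out and the reason PBR becomes necessary once the two subnets need to talk.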
Visitor
pemnet
Posts: 6
Registered: 09-28-2010

Re: Source route through VPN tunnel regardless of destination

Excellent, thank you gents.  I will report back with the end result.

 

Much appreciated.

Visitor
pemnet
Posts: 6
Registered: 09-28-2010

Re: Source route through VPN tunnel regardless of destination

Your suggestions worked.  We also had to move a rule above another rule as well and that was it.  A few route changes and we were good to go.

 

Thank you both very much for your assistance.
