Screen OS

  • 1.  Using IPSec from different zone / NAT

    Posted 03-03-2015 04:24

    Hello,

    I have an SSG140 with the latest Juniper ScreenOS.

    I have eth0/8 with 10.127.0.0/24 (ZONE Trust)

    eth0/2 with 192.168.3.0/24 (ZONE wlan)

    I have an IPsec tunnel - Tunneled Traffic / Security Association is 10.127.0.1/24 -

    I can access the network 85.28.211.12 (which is one from the IPsec tunneled network) from 10.127.0.2 fine, for example.

    Now, I need to make it possible to access the IPsec tunneled network FROM the WLAN zone (so from a device with an IP in 192.168.3.0/24).

    How can I do this?



  • 2.  RE: Using IPSec from different zone / NAT
    Best Answer

    Posted 03-03-2015 10:11

    Do you need to translate the IP addresses before they go into the tunnel? If so, you could use a MIP or DIP to translate (if you need 1-to-1 or many-to-one/many).

    Other than that, you would need a policy from wlan to trust to permit the traffic. You will also need a route on the other gateway that would route the return traffic back into the tunnel. If you are using NAT, then you would not need to do this.



  • 3.  RE: Using IPSec from different zone / NAT

    Posted 03-13-2015 03:22

    The IPsec config for the tunnel does not include the network (wlan), so I need to translate it. I would prefer NAT. Could you tell me where I should enable DIP? On the tunnel device, or where?



  • 4.  RE: Using IPSec from different zone / NAT

    Posted 03-13-2015 06:13

    Hi,

    Enable DIP on your tunnel interface, since you need the tunneled traffic to get NAT-ed.
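
    Putting replies 2 and 4 together as a ScreenOS CLI fragment. This is an added example, not configuration posted by anyone in the thread. It assumes a route-based VPN that already works for the Trust zone, bound to tunnel.1 in zone untrust, with proxy-ID 10.127.0.0/24 to 85.28.211.12/32; the VPN name, the physical interface the tunnel borrows its address from, the DIP ID 10 and the DIP address 10.127.0.250 are placeholders. The point the thread makes, written out: the DIP address has to fall inside the local proxy-ID of the SA, otherwise the peer drops the translated packets as outside the tunnel selector, and because the source is translated into the existing selector the remote gateway needs no extra return route.

```screenos
# Added example, not the original poster's config. Placeholders: vpn-site,
# ethernet0/0 (borrowed address), DIP id 10, DIP address 10.127.0.250.

# Existing, already-working pieces shown for context
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set vpn vpn-site bind interface tunnel.1
set vpn vpn-site proxy-id local-ip 10.127.0.0/24 remote-ip 85.28.211.12/32 "ANY"
set route 85.28.211.12/32 interface tunnel.1

# 1. DIP pool on the tunnel interface (reply 4). The pool address must be
#    inside the local proxy-ID 10.127.0.0/24 and unused by a real host.
set interface tunnel.1 dip 10 10.127.0.250 10.127.0.250

# 2. Policy from wlan into the tunnel's zone with source NAT to DIP 10
#    (reply 2). Destination is limited to the far-end host, not "any".
set policy from wlan to untrust 192.168.3.0/24 85.28.211.12/32 any nat src dip-id 10 permit

# 3. Verify: sessions from a wlan host should show 10.127.0.250 as the
#    translated source, and the pool should be in use.
get session src-ip 192.168.3.10
get dip
```

    Because the many-to-one DIP hides every wlan host behind 10.127.0.250, the far side only ever sees an address it already trusts for this SA; if the wlan network should instead be reachable by its real addresses, the proxy-ID (and the peer's matching SA and routing) would have to be extended to 192.168.3.0/24, which is the "route on the other gateway" case in reply 2.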