Screen OS

  • 1.  VPN on SSG5

    Posted 05-07-2010 12:58

    Hello guys,

    I have a strange problem with a VPN configuration.

    I have SITEA with an SSG5 with a single interface IP (bgroup0) 10.20.130.5, and the default gateway is 10.10.130.252. The SSG5 is able to reach the network 192.168.1.0/24 using the default gateway. So there is only one interface up.

    I also have a remote SITEB with the address 192.168.2.0/24, and also a Juniper that I cannot manage.

    I created a VPN between SITEB and SITEA, and the only allowed traffic is from SITEB to SITEA.

    The strange problem is that I can ping the network 192.168.1.0 from 192.168.2.0/24, but no other services are working.

    I configured the VPN on the SSG5 in route-based mode and created tunnel.1 (unnumbered, on interface bgroup0); I updated the routing table, adding 192.168.2.0/24 gateway tunnel.1; I created an AutoKey IKE gateway with outgoing interface bgroup0, using a proxy-id:

    Source network: 192.168.1.0/24, destination network: 192.168.2.0/24, service: Any.

    In the end I created a policy to permit the traffic from SITEB to SITEA, any service.

    So the VPN is up, but if I check the log of the policy, I see that all traffic is in "close age out".

    To be able to bring the VPN up I also disabled anti-spoofing in the zone of tunnel.1, because I saw a lot of errors about that.

    Could you help me find a solution?

    Thank you for the help.

    Pazzeo 

  • 2.  RE: VPN on SSG5

    Posted 05-07-2010 17:24

    I'm having a little trouble visualizing your topology, but I think I see the picture. I think you don't have matching zone policies on the two sites. For the traffic to work you will need one allow policy on each firewall.

    I assume that on SiteA bgroup0 and your LAN subnet 192.168.1.0/24 are in different zones. Since your VPN terminates on bgroup0, this serves as the zone for the remote site B.

    Site A policy

    When you created the policy to allow all services from B to A on the site A SSG, you created a rule from the bgroup0 zone to the LAN segment zone.

    Site B policy

    The partner site would do the opposite: they create the policy from the LAN zone to the zone with the VPN interface.



  • 3.  RE: VPN on SSG5

    Posted 05-08-2010 03:55

    I think that the policy is correct; to be sure, I post the configuration of the Juniper SSG5 below. As you can see, I'm using a single interface, bgroup0.

    I replaced the public remote IP with x.x.x.x to be safe.

     

    set clock timezone 1
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "nIi8FArbM9TEck2G7s3JzoBttnMVJn"
    set admin user "admin" password "nEWcOIrCMSXLcEiNGsvOvPKtf0MVGn" privilege "all"
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 101 "SITEB"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst 
    unset zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "MGT" block 
    set zone "DMZ" tcp-rst 
    set zone "VLAN" block 
    unset zone "VLAN" tcp-rst 
    unset zone "CTRL" tcp-rst 
    unset zone "SITEB" tcp-rst 
    unset zone "Extra Network 1" tcp-rst 
    unset zone "Extra Network 2" tcp-rst 
    set zone "Untrust" screen on-tunnel
    set zone "Untrust" screen icmp-flood
    set zone "Untrust" screen udp-flood
    set zone "Untrust" screen winnuke
    set zone "Untrust" screen port-scan
    set zone "Untrust" screen ip-sweep
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "Untrust" screen syn-frag
    set zone "Untrust" screen tcp-no-flag
    set zone "Untrust" screen unknown-protocol
    set zone "Untrust" screen ip-bad-option
    set zone "Untrust" screen ip-record-route
    set zone "Untrust" screen ip-timestamp-opt
    set zone "Untrust" screen ip-security-opt
    set zone "Untrust" screen ip-loose-src-route
    set zone "Untrust" screen ip-strict-src-route
    set zone "Untrust" screen ip-stream-opt
    set zone "Untrust" screen syn-fin
    set zone "Untrust" screen fin-no-ack
    set zone "Untrust" screen limit-session source-ip-based
    set zone "Untrust" screen syn-ack-ack-proxy
    set zone "Untrust" screen limit-session destination-ip-based
    set zone "Untrust" screen icmp-id
    set zone "Untrust" screen ip-spoofing drop-no-rpf-route
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "Null"
    set interface "bgroup0" zone "SITEB"
    set interface "bgroup1" zone "MGT"
    set interface "bgroup2" zone "Null"
    set interface "bgroup3" zone "Null"
    set interface "tunnel.1" zone "Untrust"
    set interface bgroup0 port ethernet0/1
    set interface bgroup1 port ethernet0/2
    set interface bgroup2 port ethernet0/3
    set interface bgroup3 port ethernet0/4
    unset interface vlan1 ip
    set interface bgroup0 ip 10.20.130.5/24
    set interface bgroup0 route
    set interface tunnel.1 ip unnumbered interface bgroup0
    set interface tunnel.1 mtu 1500
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    unset interface ethernet0/0 ip manageable
    set interface bgroup0 ip manageable
    set interface bgroup2 ip manageable
    set interface bgroup3 ip manageable
    set interface ethernet0/0 manage ping
    set interface bgroup0 manage ping
    set interface bgroup0 manage ssh
    set interface bgroup0 manage telnet
    set interface bgroup0 manage snmp
    set interface bgroup0 manage ssl
    set interface bgroup0 manage web
    set interface bgroup0 manage mtrace
    set interface bgroup1 manage mtrace
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set hostname ssg5-customer
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 0.0.0.0
    set dns host dns2 0.0.0.0
    set dns host dns3 0.0.0.0
    set address "Untrust" "Lan SITEB" 192.168.2.0 255.255.255.0
    set address "SITEA" "Lan SITEA" 192.168.1.0 255.255.255.0
    set ike gateway "GW To SITEB" address x.x.x.x Main outgoing-interface "bgroup0" preshare "IS50xxvCxAwNmDs0t8CNeUexnrncs5x64DHXbMZRRITyG8tWgXJPCc8=" proposal "pre-g2-aes128-sha"
    unset ike respond-bad-spi
    set ike soft-lifetime-buffer 45
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "VPN SITEB" gateway "GW To SITEB" no-replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha" 
    set vpn "VPN SITEB" monitor
    set vpn "VPN SITEB" id 0x10 bind interface tunnel.1
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set vpn "VPN SITEB" proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.2.0/24 "ANY" 
    set policy id 1 from "Untrust" to "SITEA"  "Lan SITEB" "Lan SITEA" "ANY" permit log 
    set policy id 1
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    unset license-key auto-update
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface bgroup0 gateway 10.20.130.254 permanent
    set route 192.168.2.0/24 interface tunnel.1
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    "Lan SITEB" is reachable using the same interface used to create the VPN; maybe I made a wrong configuration.

     

    Thank you very much

    Pazzeo

  • 4.  RE: VPN on SSG5

    Posted 05-08-2010 04:19

    I think your zone assignment is wrong for the address object and the policy.

    Your interface is set to zone "SITEB":

    set interface "bgroup0" zone "SITEB"

    Your address object is for the "Untrust" zone. This should be "SITEB":

    set address "Untrust" "Lan SITEB" 192.168.2.0 255.255.255.0

    Your policy also uses "Untrust" instead of "SITEB":

    set policy id 1 from "Untrust" to "SITEA"  "Lan SITEB" "Lan SITEA" "ANY" permit log

    If you change the zone for the address object and the policy, this should work.

  • 5.  RE: VPN on SSG5

    Posted 05-08-2010 08:52

    I corrected the policy, but I have a strange behaviour. The VPN is up.

    I try to ping from SITEA to SITEB and I see the answers, but if I go to the Juniper in SITEB, in the policy log I see all ICMP traffic in "close age out". I also tried a debug flow basic, but in the db stream there are no packets.

    Could the problem be that I'm using one single interface?

    Thank you

    Matteo 



  • 6.  RE: VPN on SSG5
    Best Answer

    Posted 05-08-2010 09:43

    I solved the problem: because I'm using a single interface, I had to set up source NAT in the policy with the current IP of the interface. Now it works properly.

    Regards

    Pazzeo
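    Editor's note, added example (not a post in this thread and not the original poster's configuration): the address, policy and route lines for the single-interface case discussed in posts 4 and 6, written out with the source NAT that post 6 says made it work, plus the commands used to check it. It assumes tunnel.1 stays in zone "Untrust" and bgroup0 in zone "SITEB" as in the posted configuration, so that SITEB traffic enters through the Untrust zone and leaves through the SITEB zone; the thread itself does not spell out that pairing. Lines starting with # are annotations, not ScreenOS CLI input, and the host address 192.168.2.10 in the checks is a placeholder.

```text
# Assumption: tunnel.1 is bound to zone "Untrust" and bgroup0 (10.20.130.5/24)
# to zone "SITEB", as in the configuration posted above. Traffic from SITEB
# enters on tunnel.1 and must leave on bgroup0, so the policy is Untrust -> SITEB.

# Address objects live in the zone of the interface each network sits behind.
set address "Untrust" "Lan SITEB" 192.168.2.0 255.255.255.0
set address "SITEB" "Lan SITEA" 192.168.1.0 255.255.255.0

# Policy B -> A. "nat src" with no DIP pool translates the source address to
# the IP of the egress interface (bgroup0, 10.20.130.5), so replies from
# 192.168.1.0/24 hosts are addressed to the SSG5 and come back through it.
set policy id 1 from "Untrust" to "SITEB" "Lan SITEB" "Lan SITEA" "ANY" nat src permit log

# Routing, unchanged from the post: SITEB via the tunnel, everything else via
# the next hop on bgroup0. The tunnel route also satisfies the Untrust zone's
# ip-spoofing (RPF) screen for packets arriving from 192.168.2.0/24.
set route 192.168.2.0/24 interface tunnel.1
set route 0.0.0.0/0 interface bgroup0 gateway 10.20.130.254 permanent

# Checks, run while a host in SITEB (placeholder 192.168.2.10) is pinging or
# connecting to a host in 192.168.1.0/24:
#   get sa                               phase-2 SA active, byte counters growing
#   get policy id 1                      confirm the policy shows "nat src"
#   get session src-ip 192.168.2.10      session present with both directions,
#                                        translated source 10.20.130.5
#   set ffilter src-ip 192.168.2.10      limit the flow trace to that host
#   debug flow basic
#   clear db
#   (send traffic)
#   get db stream                        route lookup and policy hit are visible
#   undebug all
#   unset ffilter
```

    Why the NAT is needed here rather than at any site with a VPN: with bgroup0 as the only LAN-side interface, packets for 192.168.1.0/24 leave the SSG5 toward 10.20.130.254, and the replies from the 192.168.1.x hosts follow their own default gateway, which has no reason to send 192.168.2.0/24 back to 10.20.130.5. The firewall then sees only the forward half of each session and logs it as "close - age out" when the session timer expires, which is exactly the symptom in posts 1 and 5. Source NAT to the interface address removes the asymmetry because the replies are now addressed to the SSG5 itself. The alternative that keeps the real source addresses is a static route for 192.168.2.0/24 via 10.20.130.5 on the SITEA gateway router, which the original poster may not control.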



  • 7.  RE: VPN on SSG5

    Posted 08-29-2013 02:50

    Can you send me a screen capture of the SSG5 Web GUI showing what you are talking about, setting up source NAT in the policy with the current IP of the interface?

    Thanks