01-13-2010 12:19 AM
Is is it possibly to route all traffic via vpn(route based) from branch to Central an then without a proxy to the Internet.
On a Cisco ASA its not possibly ,,, any issue here on Juniper?
Solved! Go to Solution.
01-13-2010 01:02 AM
I can't see any issue with this setup. The Central will have (minumum) three interfaces:
- Clear interface to Internet (int A)
- Tunnel interface to Branch (int B)
- LAN interface (Int C)
The routing table in Central can have a default route (0.0.0.0/0) via Int A and a branch route via Int B. Both routes could be in the same virtual router
The Branch will also have three interfaces:
- Clear interface to Internet (Int A)
- Tunnel interface to Central (int B)
- LAN interface (int C)
In this case you'll have two default routes (0.0.0.0/0). A "public default route" via Int A and a "privade default route" via int B. You just have to put these routes in different Virtual Routers:
Public virtual router with:
* Int A +
* Public default route and
Private virtual router with:
* Int B +
* Int C and
* Private default route
01-13-2010 02:18 AM
This is no new installation...
Branch Office makes a VPN to Central, and local Internet outbreak.
Now IP Adress changed and all Taffic is Routed via VPN to Central.
Now i only have to make a policy in the Central Firewall that allows traffic vom the branch subnet to the Internet.
01-13-2010 08:13 AM
To me it looks as easy as you say it. But I still think you'll have to build two Virtual Routers in the Branch because, otherwise .. how is the Branch Firewall going to know you want to send Internet traffic through the VPN and not directly?
01-14-2010 06:18 AM
mhhhh, you think a router 0.0.0.0/0 interface tunnel.1 is not possible? or a second default route with a worse metric...?
Maybe a policy based VPN Tunnel is the better way..
01-18-2010 01:22 AM
another problem, traffic is going from branch to central side... but when the traffic should go then to the internet it does not work...
here a deb flow basic from central side:
**** pak processing end.
****** packet decapsulated, type=ipsec, len=128******
ipid = 36050(8cd2), @03831010
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 192.168.1.1->184.108.40.206) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 26 for 220.127.116.11
[ Dest] 26.route 18.104.22.168->10.144.60.254, to ethernet0/0
routed (x_dst_ip 22.214.171.124) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/0
hub-and-spoke packet, need loopback
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 2
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 126.96.36.199, port 29813, proto 1)
policy_flow_search in tunnel pak_ptr policy: id: 22, from zone 1 -> 2
No policy matched for tunnel traffic, logging for:
VPN policy= 22: szone 1 dzone 2 pid 22 ports 8007475 iphdr 3831010
log this session (pid=22)
**** pak processing end.
how to make a rule in central???