ScreenOS Firewalls (NOT SRX)
Visitor
neal_leslie1970
Posts: 4
Registered: 05-20-2011
Accepted Solution

policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

I followed the instructions at http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7166 on creating a LAN to LAN VPN tunnel between my sonicwall ns 240 and my juniper. The tunnel shows up on both ends. However, on the sonicwall side I can ping through to the juniper but nothing else on the juniper network. From the juniper side, I can't ping anything or get to anything on the sonicwall side.

On both the sonicwall and the juniper the tunnels show as up. On the juniper it shows active and link as up. The command get sa shows the status as a/u.

I realize the instructions above are for a juniper with a slightly different OS version but I followed them as best I could.

Does anyone have any ideas? Or troubleshooting steps I would take?

Distinguished Expert
spuluka
Posts: 2,553
Registered: 03-30-2009

Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

I have about 50 Sonicwall to SSG tunnels running fine. So they do work together. From the sound of the symptoms there is probably something wrong with the policies on one or both sides. Here are a few thoughts.

I notice the instructions tell you to use the all local subnets object in the sonicwall addresses. This can create multiple local network objects for the tunnel. You probably want to use the lan primary subnet object as a single address. Be sure not to pick the lan primary IP which is just the interface address.

I also notice they have explicit proxy id configured on the sonicwall policy. I never use those and just leave it blank.

On the SSG side confirm the address objects have the correct networks and in the right zones.

Here is the troubleshooting tree for a VPN that comes up and does not pass traffic. You are using a policy VPN in the tech note you list.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB9276

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Visitor
neal_leslie1970
Posts: 4
Registered: 05-20-2011

Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

I assume you mean the Peer IKE ID? I don't see proxy id on the sonicwall?

I'm not sure what you mean when you say I should use the "lan primary subnet object as a single address?" The only choices I see are lan subnets and the lan interface ip. Should I create a new address object?

Distinguished Expert
spuluka
Posts: 2,553
Registered: 03-30-2009

Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

Sorry about that, yes I meant peer not proxy.

Visitor
neal_leslie1970
Posts: 4
Registered: 05-20-2011

Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

What about "lan primary subnet object as a single address"? I don't quite understand what you mean since by definition a subnet is a range of ip addresses and not a single address?

Distinguished Expert
spuluka
Posts: 2,553
Registered: 03-30-2009

Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

Sonicwall enhanced OS uses address objects (single address notation) and address groups (which contain multiple address objects).

LAN primary subnet is an address object that is automatically set to the address range assigned to the LAN.

LAN Subnets is a group that automatically has LAN primary subnet and any other locally configured LANs on the firewall. So this may or may not be just the single address assigned to the primary LAN. If there are multiple addresses in this group you will get multiple proxy-id pairs on the Sonicwall side but only the single pair presented on the SSG side.

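The proxy-ID point made in the two replies above (use the single LAN primary subnet object, not the LAN Subnets group, and never the interface IP) can be checked on paper before touching either box. The following script is an added example, not code from the thread, from SonicWall or from Juniper. It models a SonicWall policy whose local selector expands to one or more address objects, and an SSG policy-based VPN that presents exactly one local/remote pair, and reports which proxy-ID pairs line up. All networks, object names and the VPN layout are constructed for illustration.

```python
import ipaddress

# Constructed sample values (assumptions for illustration, not the thread's real networks):
# the SonicWall side has a primary LAN plus a second local LAN, the SSG side has one LAN.
SONICWALL_ADDRESS_OBJECTS = {
    "LAN Primary Subnet": ["192.0.2.0/24"],               # single address object
    "LAN Subnets": ["192.0.2.0/24", "198.51.100.0/24"],   # group: primary + another LAN
    "LAN Primary IP": ["192.0.2.1"],                      # interface address only
}
SSG_LAN = "203.0.113.0/24"            # SSG Trust-side network (constructed)
SSG_POLICY_REMOTE = ["192.0.2.0/24"]  # what the SSG policy names as the remote network


def expand_proxy_ids(local_networks, remote_networks):
    """Return the (local, remote) proxy-ID pairs a peer offers when its policy's
    local and remote selectors expand to the given address lists. A bare host
    address becomes a /32, which is why picking the interface IP never matches."""
    pairs = set()
    for loc in local_networks:
        for rem in remote_networks:
            pairs.add((str(ipaddress.ip_network(loc)), str(ipaddress.ip_network(rem))))
    return pairs


def compare_proxy_ids(sonicwall_local_object):
    """Compare the SonicWall's offered proxy-IDs against the single pair on the SSG.
    The SSG pair is viewed from the other direction, so it is swapped before comparing."""
    sw_pairs = expand_proxy_ids(SONICWALL_ADDRESS_OBJECTS[sonicwall_local_object], [SSG_LAN])
    ssg_pairs = {(rem, loc) for (loc, rem) in expand_proxy_ids([SSG_LAN], SSG_POLICY_REMOTE)}
    return {
        "matched": sorted(sw_pairs & ssg_pairs),
        "only_on_sonicwall": sorted(sw_pairs - ssg_pairs),
        "only_on_ssg": sorted(ssg_pairs - sw_pairs),
    }


if __name__ == "__main__":
    for name in SONICWALL_ADDRESS_OBJECTS:
        result = compare_proxy_ids(name)
        clean = not result["only_on_sonicwall"] and not result["only_on_ssg"]
        print(f"{name:18s} {'OK' if clean else 'MISMATCH'}")
        for key, pairs in result.items():
            for loc, rem in pairs:
                print(f"    {key:18s} local={loc} remote={rem}")
```

Running it shows the three outcomes the replies describe: the single subnet object matches the SSG pair exactly, the group offers an extra pair that the SSG has no policy for (so the tunnel comes up on the first pair while the other network silently gets nothing), and the interface IP produces a /32 selector that matches nothing at all.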
Visitor
neal_leslie1970
Posts: 4
Registered: 05-20-2011

Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

OK. I understand what you're saying. However, there is no lan primary subnet as an address object. I only have one subnet in the office anyhow.

Actually I was able to get the vpn to work by moving the vpn policy on my ssg to the top and now everything looks good.

Thanks for your help!
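The fix that closed the thread, moving the VPN policy to the top of the SSG's policy list, works because ScreenOS evaluates policies for a zone pair top-down and stops at the first match. The script below is an added example written for this thread; it is not code from the original posts or from Juniper. It models a policy list as a simple first-match table, shows the VPN policy being shadowed by a broad permit placed above it, and then the same list with the VPN policy on top. Zone names, policy IDs, networks and the VPN name are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """One ScreenOS-style policy (constructed model of the policy list, not the full CLI)."""
    policy_id: int
    from_zone: str
    to_zone: str
    src: str        # source address object as CIDR
    dst: str        # destination address object as CIDR
    action: str     # "permit", "deny" or "tunnel"
    vpn: str = ""   # VPN name when action is "tunnel"


def lookup(policies, from_zone, to_zone, src_ip, dst_ip):
    """Top-down, first-match evaluation within a zone pair: the first policy whose
    source and destination contain the packet wins. With no match the inter-zone
    default (deny) applies and None is returned."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for policy in policies:
        if (policy.from_zone, policy.to_zone) != (from_zone, to_zone):
            continue
        if src in ipaddress.ip_network(policy.src) and dst in ipaddress.ip_network(policy.dst):
            return policy
    return None


def describe(policies, src_ip, dst_ip, from_zone="Trust", to_zone="Untrust"):
    """Human-readable verdict for a flow, as the policy engine would apply it."""
    policy = lookup(policies, from_zone, to_zone, src_ip, dst_ip)
    if policy is None:
        return "deny (no matching policy)"
    verdict = f"policy {policy.policy_id}: {policy.action}"
    return f"{verdict} via {policy.vpn}" if policy.vpn else verdict


# Constructed policy list: a broad "any to any permit" sitting above the VPN policy,
# so traffic for the remote LAN is matched by the permit and leaves in the clear.
SSG_LAN = "203.0.113.0/24"        # assumed SSG Trust-side network
SONICWALL_LAN = "192.0.2.0/24"    # assumed SonicWall LAN behind the tunnel
AS_FOUND = [
    Policy(1, "Trust", "Untrust", "0.0.0.0/0", "0.0.0.0/0", "permit"),
    Policy(2, "Trust", "Untrust", SSG_LAN, SONICWALL_LAN, "tunnel", vpn="to-sonicwall"),
]
# The same two policies after moving the VPN policy to the top of the list.
VPN_ON_TOP = [AS_FOUND[1], AS_FOUND[0]]


if __name__ == "__main__":
    flow = ("203.0.113.10", "192.0.2.20")
    print("as found:   ", describe(AS_FOUND, *flow))
    print("vpn on top: ", describe(VPN_ON_TOP, *flow))
    print("internet:   ", describe(VPN_ON_TOP, "203.0.113.10", "198.51.100.5"))
```

With the list as found, a packet from the SSG LAN to the SonicWall LAN hits the broad permit first and is routed out untunneled, which is exactly the "tunnel is up but nothing passes" symptom. With the VPN policy on top the same packet is tunneled, while ordinary Internet traffic still falls through to the permit. Reviewing policy order from the top down is a cheap first step whenever a policy-based VPN shows active SAs but no traffic.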

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.