ScreenOS Firewalls (NOT SRX)
Contributor
rutledgeIT

route based site-to-site VPN

I am wondering if the following is possible.

Site 1

Firewall1 (FW1):

ETH0/0 - Connected to LAN (172.16.20.1/24) - Trust zone (NAT mode)
ETH0/1 - Connected to Internet (public IP from PPPoE) - Untrust zone (route mode)

Site 2

Firewall2 (FW2):

ETH0/0 - Connected to LAN (172.16.30.1/24) - Trust zone (NAT mode)
ETH0/1 - Connected to Internet (public IP from PPPoE) - Untrust zone (route mode)

Now we know that a tunnel between FW1-ETH0/1 and FW2-ETH0/1 is possible. But we want to create a tunnel between FW1-ETH0/0 and FW2-ETH0/0.

Is it possible? If it is possible, then how are we going to achieve that and what changes will we need to make?

Thanks

Super Contributor
srigelsford

Re: route based site-to-site VPN

If I understand your setup right, you need to terminate the VPN on the Untrust interface in each case. This will provide a tunnel so that 172.16.20.0/24 and 172.16.30.0/24 can pass traffic to each other.

As you are using private IPs on Eth0/0 in each case, it is not possible to terminate the VPNs here, as to route to the other site the traffic needs to go over the internet.

Super Contributor
arizvi

Re: route based site-to-site VPN

If the tunnel interface is bound to the Trust zone and VPN traffic involves a user on the Trust zone, a policy is not needed, but an intra-zone policy (Trust to Trust) can be used.

So just change the tunnel interface to the trust zone, for example:

set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0

The rest of the config would remain the same.

Thanks

Atif

Contributor
rutledgeIT

Re: route based site-to-site VPN

Sorry, I think you have misunderstood. I want to terminate the VPN on the Trust interfaces in each case.
Super Contributor
arizvi

Re: route based site-to-site VPN

Hi,

I understand the issue correctly; you would like to bind the VPN to the trust interface, so you need to change the following things:

set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0

A policy is not needed, but an intra-zone policy (Trust to Trust) can be used.

The rest of the config would remain the same.

Thanks

Atif
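The two lines above are the only change the answer calls for; for readers who want to see where they sit in a complete route-based VPN, here is an added FW1-side ScreenOS configuration (not posted by anyone in this thread). It assumes the gateway and VPN names gw-site2 and vpn-site2, a static peer address and pre-shared key given as the placeholders PEER_PUBLIC_IP and PSK, and the standard proposal sets; the lines starting with # are explanatory only, since the ScreenOS CLI has no comment syntax, and must be dropped before pasting.

```text
# FW1 (site 1). Assumed names: gw-site2, vpn-site2. PEER_PUBLIC_IP and PSK are placeholders.

# 1. Tunnel interface in the Trust zone, borrowing ethernet0/0's address (the change from the thread)
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# 2. IKE phase 1 to FW2, sourced from the PPPoE/Untrust interface
set ike gateway gw-site2 address PEER_PUBLIC_IP main outgoing-interface ethernet0/1 preshare "PSK" sec-level standard

# 3. IPsec phase 2, bound to the tunnel interface (route-based VPN)
set vpn vpn-site2 gateway gw-site2 sec-level standard
set vpn vpn-site2 bind interface tunnel.1

# 4. Route the remote LAN into the tunnel
set route 172.16.30.0/24 interface tunnel.1

# 5. Both LANs now sit in Trust, so without intra-zone blocking the tunnel traffic is permitted implicitly.
#    Turning blocking on makes Trust-to-Trust deny-by-default, so only the listed subnets cross the tunnel.
set zone trust block
set policy from trust to trust 172.16.20.0/24 172.16.30.0/24 any permit
set policy from trust to trust 172.16.30.0/24 172.16.20.0/24 any permit
```

FW2 mirrors this with 172.16.20.0/24 as the route target and FW1's public address as the gateway peer. If the PPPoE addresses are dynamic rather than static, the peer cannot be given as a fixed address and the IKE gateway must instead be identified by IKE ID, which this fragment does not show.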

Contributor
rutledgeIT

Re: route based site-to-site VPN

I understand what you are saying. Do we need to change ETH0/0 from NAT mode to Route mode?

Also, when you say Trust to Trust Policy, that means tunnel.1 of FW1 to tunnel.1 of FW2.

Regards

RutledgeIT

Contributor
rutledgeIT

Re: route based site-to-site VPN

"Sorry, I think you have misunderstood. I want to terminate the VPN on the Trust interfaces in each case."

Hi Atif,

The above comments were not for you. I know you have got my point and given me the right suggestion.

Cheers!

Super Contributor
arizvi

Re: route based site-to-site VPN

No problem dude.

Atif

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Contributor
rutledgeIT

Re: route based site-to-site VPN

Do we need to add both interfaces into the same zone and route mode?