Screen OS

  • 1.  route based site-to-site VPN

    Posted 09-08-2009 21:05

    I am wondering if the following is possible.

     

    Site 1

     

    Firewall1 (FW1):

    ETH0/0 - Connected to LAN (172.16.20.1/24) - Trust zone (NAT mode)

    ETH0/1 - Connected to Internet (public IP from pppoe) - Untrust zone (route mode)

     

    Site 2

     

    Firewall2 (FW2):

    ETH0/0 - Connected to LAN (172.16.30.1/24) - Trust zone (NAT mode)

    ETH0/1 - Connected to internet (public IP from pppoe) - Untrust zone (route mode)

     

    Now we know that a tunnel between FW1-ETH0/1 and FW2-ETH0/1 is possible. But we want to create a tunnel between FW1-ETH0/0 and FW2-ETH0/0.

     

    Is it possible? If it is possible, then how are we going to achieve that and what changes will we need to make?

     

    Thanks


    #SSG20


  • 2.  RE: route based site-to-site VPN

    Posted 09-09-2009 06:28

    If I understand your setup right, you need to terminate the VPN on the Untrust interface in each case. This will provide a tunnel so that 172.16.20.0/24 and 172.16.30.0/24 can pass traffic to each other.

    As you are using private IPs on Eth0/0 in each case, it is not possible to terminate the VPNs here, as to route to the other site the traffic needs to go over the internet.



  • 3.  RE: route based site-to-site VPN

    Posted 09-09-2009 16:52
    Sorry, I think you have misunderstood. I want to terminate the VPN on the Trust interfaces in each case.


  • 4.  RE: route based site-to-site VPN

    Posted 09-09-2009 16:57

    Hi,

     

    If I understand the issue correctly, you would like to bind the VPN to the trust interface, so you need to change the following things:

     

    set interface tunnel.1 zone trust

    set interface tunnel.1 ip unnumbered interface ethernet0/0

    A policy is not needed, but an intra-zone policy (Trust to Trust) can be used.

     

    The rest of the config would remain same.

     

    Thanks

    Atif



  • 5.  RE: route based site-to-site VPN

    Posted 09-09-2009 17:28

     

    "Sorry, I think you have misunderstood. I want to terminate the VPN on the Trust interfaces in each case "

    Hi Atif,

     

    The above comments were not for you. I know you have got my point and given me right suggestion.

     

    Cheers !



  • 6.  RE: route based site-to-site VPN
    Best Answer

    Posted 09-09-2009 17:36

    No problem dude.

     

     

    Atif

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 7.  RE: route based site-to-site VPN

    Posted 09-09-2009 19:20
    Do we need to add both interfaces into the same zone and route mode?


  • 8.  RE: route based site-to-site VPN

    Posted 09-09-2009 10:41

    If the tunnel interface is bound to the Trust zone and VPN traffic involves a user on the Trust zone, a policy is not needed but an Intra-zone policy (Trust to Trust) can be used.

     

    So just change the tunnel interface to the trust zone, for example:

     

    set interface tunnel.1 zone trust

    set interface tunnel.1 ip unnumbered interface ethernet0/0

     

    The rest of the config would remain same.

     

    Thanks

    Atif
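Both of Atif's posts give only the two lines that change. Below is a complete route-based configuration for FW1 and FW2 with the tunnel interface in the Trust zone, written as an added example for this thread rather than taken from any post. The gateway and VPN names, the proposal choices, the pre-shared key placeholder and the public addresses 198.51.100.1 (FW1) and 203.0.113.1 (FW2) are assumptions; lines beginning with `#` are annotations, not ScreenOS CLI input.

```text
# ===== FW1 (Site 1): LAN 172.16.20.0/24 on ethernet0/0 =====
# Assumed public address of FW2: 203.0.113.1 (placeholder)

# Tunnel interface lives in the Trust zone and borrows ethernet0/0's address
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Phase 1 (IKE) still terminates on the Untrust/Internet interface;
# only the tunnel interface moves into Trust.
set ike gateway "gw-site2" address 203.0.113.1 main outgoing-interface ethernet0/1 preshare "REPLACE-WITH-LONG-RANDOM-SECRET" proposal "pre-g2-aes128-sha"

# Phase 2, keep anti-replay on, and bind the SA to the tunnel interface
# (the binding is what makes this a route-based VPN)
set vpn "vpn-site2" gateway "gw-site2" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "vpn-site2" bind interface tunnel.1
set vpn "vpn-site2" monitor optimized rekey

# Steer the remote LAN into the tunnel
set route 172.16.30.0/24 interface tunnel.1

# Optional hardening: block intra-zone traffic so Trust-to-Trust VPN flows
# must match an explicit, logged policy instead of the default open forwarding
set zone trust block
set policy from trust to trust 172.16.20.0/24 172.16.30.0/24 any permit log
set policy from trust to trust 172.16.30.0/24 172.16.20.0/24 any permit log

# ===== FW2 (Site 2): LAN 172.16.30.0/24 on ethernet0/0 =====
# Assumed public address of FW1: 198.51.100.1 (placeholder)
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway "gw-site1" address 198.51.100.1 main outgoing-interface ethernet0/1 preshare "REPLACE-WITH-LONG-RANDOM-SECRET" proposal "pre-g2-aes128-sha"
set vpn "vpn-site1" gateway "gw-site1" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "vpn-site1" bind interface tunnel.1
set vpn "vpn-site1" monitor optimized rekey
set route 172.16.20.0/24 interface tunnel.1
set zone trust block
set policy from trust to trust 172.16.30.0/24 172.16.20.0/24 any permit log
set policy from trust to trust 172.16.20.0/24 172.16.30.0/24 any permit log

# ===== Verification on either box =====
# get ike cookie        -> Phase 1 SA established with the peer
# get sa                -> Phase 2 SA active, state A/-
# get route             -> 172.16.x.0/24 points at tunnel.1
# get session           -> a ping from a LAN host shows its real 172.16.x.x source
```

Two checks worth doing before calling this done. First, the thread says both public addresses come from PPPoE; the `address <ip>` form above assumes those addresses are stable, so if the ISP changes them the gateway entries will need the dynamic-peer style of IKE configuration, which this example does not cover. Second, post 9 asks whether ethernet0/0 must leave NAT mode and gets no answer on this page; rather than guess, send traffic from a Site 1 host to Site 2 and read `get session` on FW1 to confirm the session's source address is the host's own 172.16.20.x address rather than an interface address.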



  • 9.  RE: route based site-to-site VPN

    Posted 09-09-2009 17:01

    I understand what you are saying. Do we need to change ETH0/0 from NAT mode to Route mode?

     

    Also, when you say Trust to Trust policy, that means tunnel.1 of FW1 to tunnel.1 of FW2.

     

    Regards

    RutledgeIT