SRX Services Gateway

VPN Site-to-Site with multiple subnets

‎01-09-2019 11:25 PM

Hi All,

 

We are connecting to our remote office via a site-to-site VPN tunnel.

It is working properly without any problem.

Right now, the local office wants to access other subnets in the remote office.

I configured the setting by using proxy identity.

 

existing VPN

192.168.96.0/20  (NS)  ----VPN----  (SRX)  192.168.0.0/20

New 

192.168.96.0/20  (NS)  ----VPN----  (SRX)   172.16.24.128/25

 

However, after applying the new setting, only one VPN can be up at a time.

Could someone let me know how to make both come up?

 

Cheers,

Kay


Re: VPN Site-to-Site with multiple subnets

‎01-09-2019 11:28 PM

You can use traffic-selector to configure multiple subnets. Please refer to the KB below for more details:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28820

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: VPN Site-to-Site with multiple subnets

‎01-09-2019 11:34 PM

Hi Nellikka,

 

In this KB, I found the following setting.

traffic-selector t1 {
local-ip 10.1.0.0/16;
remote-ip 192.168.1.0/24;
}
traffic-selector t2 {
local-ip 10.2.0.0/16;
remote-ip 192.168.2.0/24;
}

Would it work if I add the setting below?

traffic-selector t3 {
local-ip 10.2.0.0/16;
remote-ip 192.168.1.0/24;
}

 

Thanks,

Kay


Re: VPN Site-to-Site with multiple subnets

‎01-09-2019 11:47 PM

Hi Kay,

 

Please share the SRX side VPN config for clarity. You have configured the two proxy IDs mentioned on the NetScreen side, correct?

 

Regards,

 

Vikas


Re: VPN Site-to-Site with multiple subnets

‎01-09-2019 11:48 PM

It should work, and you can add multiple traffic selectors. But ensure that the same mirrored traffic selectors / proxy IDs are configured on the remote side.

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: VPN Site-to-Site with multiple subnets

‎01-10-2019 12:11 AM

Hi all,

 

Only the SRX has proxy ID enabled.

The NS is using a policy-based VPN without proxy ID enabled.

 

Regards,

Kay


Re: VPN Site-to-Site with multiple subnets

‎01-10-2019 12:18 AM

Hi All,

 

This is the SRX configuration:

 

set security ipsec vpn LCY-HKG-Tu0 bind-interface st0.0
set security ipsec vpn LCY-HKG-Tu0 ike gateway LCY-HKG-P1
set security ipsec vpn LCY-HKG-Tu0 ike proxy-identity local 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 ike proxy-identity remote 192.168.96.0/20
set security ipsec vpn LCY-HKG-Tu0 ike ipsec-policy LCY-HKG-P2
set security ipsec vpn LCY-HKG-Tu0 establish-tunnels immediately

 

set security ipsec vpn LCY-HKG-Tu1 bind-interface st0.1
set security ipsec vpn LCY-HKG-Tu1 ike gateway LCY-HKG-P1
set security ipsec vpn LCY-HKG-Tu1 ike proxy-identity local 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu1 ike proxy-identity remote 10.0.0.0/24
set security ipsec vpn LCY-HKG-Tu1 ike proxy-identity service any
set security ipsec vpn LCY-HKG-Tu1 ike ipsec-policy LCY-HKG-P2
set security ipsec vpn LCY-HKG-Tu1 establish-tunnels immediately

 

set security ipsec vpn LCY-HKG-Tu2 bind-interface st0.2
set security ipsec vpn LCY-HKG-Tu2 ike gateway LCY-HKG-P1
set security ipsec vpn LCY-HKG-Tu2 ike proxy-identity local 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu2 ike proxy-identity remote 172.16.0.0/24
set security ipsec vpn LCY-HKG-Tu2 ike proxy-identity service any
set security ipsec vpn LCY-HKG-Tu2 ike ipsec-policy LCY-HKG-P2
set security ipsec vpn LCY-HKG-Tu2 establish-tunnels immediately

 

set security ipsec vpn LCY-HKG-Tu3 bind-interface st0.3
set security ipsec vpn LCY-HKG-Tu3 ike gateway LCY-HKG-P1
set security ipsec vpn LCY-HKG-Tu3 ike proxy-identity local 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu3 ike proxy-identity remote 172.18.0.0/24
set security ipsec vpn LCY-HKG-Tu3 ike proxy-identity service any
set security ipsec vpn LCY-HKG-Tu3 ike ipsec-policy LCY-HKG-P2
set security ipsec vpn LCY-HKG-Tu3 establish-tunnels immediately

 

set security ipsec vpn LCY-HKG-Tu4 bind-interface st0.4
set security ipsec vpn LCY-HKG-Tu4 ike gateway LCY-HKG-P1
set security ipsec vpn LCY-HKG-Tu4 ike proxy-identity local 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu4 ike proxy-identity remote 172.19.0.0/24
set security ipsec vpn LCY-HKG-Tu4 ike proxy-identity service any
set security ipsec vpn LCY-HKG-Tu4 ike ipsec-policy LCY-HKG-P2
set security ipsec vpn LCY-HKG-Tu4 establish-tunnels immediately

 

set security ipsec vpn LCY-HKG-Tu5 bind-interface st0.5
set security ipsec vpn LCY-HKG-Tu5 ike gateway LCY-HKG-P1
set security ipsec vpn LCY-HKG-Tu5 ike proxy-identity local 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu5 ike proxy-identity remote 192.168.121.0/24
set security ipsec vpn LCY-HKG-Tu5 ike proxy-identity service any
set security ipsec vpn LCY-HKG-Tu5 ike ipsec-policy LCY-HKG-P2
set security ipsec vpn LCY-HKG-Tu5 establish-tunnels immediately

 

set security ipsec vpn LCY-HKG-Tu6 bind-interface st0.6
set security ipsec vpn LCY-HKG-Tu6 ike gateway LCY-HKG-P1
set security ipsec vpn LCY-HKG-Tu6 ike proxy-identity local 172.16.24.128/25
set security ipsec vpn LCY-HKG-Tu6 ike proxy-identity remote 192.168.96.0/20
set security ipsec vpn LCY-HKG-Tu6 ike proxy-identity service any
set security ipsec vpn LCY-HKG-Tu6 ike ipsec-policy LCY-HKG-P2

 

set routing-options static route 192.168.96.0/20 next-hop st0.0
set routing-options static route 10.0.0.0/24 next-hop st0.1
set routing-options static route 172.16.0.0/24 next-hop st0.2
set routing-options static route 172.18.0.0/24 next-hop st0.3
set routing-options static route 172.19.0.0/24 next-hop st0.4
set routing-options static route 192.168.121.0/24 next-hop st0.5


Re: VPN Site-to-Site with multiple subnets

‎01-10-2019 12:21 AM
Hi Kay,

If you are using proxy ID on the SRX, add another proxy ID for the new destination. I think you have already done this.

On the NetScreen side you would need two policies associated with the same VPN. Since the proxy ID is automatically picked up from the policy, the source address, destination address and application mentioned in the policy should match the proxy ID on the SRX side.

Best Regards,

Vikas

Re: VPN Site-to-Site with multiple subnets

‎01-10-2019 12:34 AM

If I don't use proxy ID on the SRX and use the following configuration instead,

do I need to make changes on the NetScreen?

 

 

set security ipsec vpn LCY-HKG-Tu0 bind-interface st0.0
set security ipsec vpn LCY-HKG-Tu0 ike gateway LCY-HKG-P1
set security ipsec vpn LCY-HKG-Tu0 ike ipsec-policy LCY-HKG-P2
set security ipsec vpn LCY-HKG-Tu0 establish-tunnels immediately

 

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t0 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t0 remote-ip 192.168.96.0/20

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t1 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t1 remote-ip 10.0.0.0/24

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t2 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t2 remote-ip 172.16.0.0/24

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t3 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t3 remote-ip 172.18.0.0/24

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t4 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t4 remote-ip 172.19.0.0/24

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t5 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t5 remote-ip 192.168.121.0/24

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t6 local-ip 172.16.24.128/25
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t6 remote-ip 192.168.96.0/20

 


Re: VPN Site-to-Site with multiple subnets

‎01-10-2019 01:09 AM

Yes, you have to make changes on the NetScreen to include the additional subnets you added on the SRX.

 

 

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: VPN Site-to-Site with multiple subnets

‎01-10-2019 01:17 AM

Hi Nellikka,

 

Those subnets are already in the NetScreen policies (tunnel mode).

Are there any other changes needed on the NetScreen?

 

Thanks,

Kay


Re: VPN Site-to-Site with multiple subnets

‎01-10-2019 01:31 AM

Still not working? Could you share the output of "show security ipsec security-associations vpn-name LCY-HKG-Tu0 detail"? I hope this is the only VPN configured for the remote and that you removed the others like LCY-HKG-Tu1, Tu2, Tu3, etc.

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: VPN Site-to-Site with multiple subnets

‎01-10-2019 10:14 PM

When I applied the config, the error logs attached came out.

Solution (accepted by topic author KayNAHC, 01-15-2019 05:31 PM)

Re: VPN Site-to-Site with multiple subnets

‎01-11-2019 01:03 AM

Please apply below mentioned config and let us know status:

 

delete routing-options static route 192.168.96.0/20 next-hop st0.0
delete routing-options static route 10.0.0.0/24 next-hop st0.1
delete routing-options static route 172.16.0.0/24 next-hop st0.2
delete routing-options static route 172.18.0.0/24 next-hop st0.3
delete routing-options static route 172.19.0.0/24 next-hop st0.4
delete routing-options static route 192.168.121.0/24 next-hop st0.5

delete security ipsec vpn LCY-HKG-Tu0 ike proxy-identity

delete security ipsec vpn LCY-HKG-Tu1
delete security ipsec vpn LCY-HKG-Tu2
delete security ipsec vpn LCY-HKG-Tu3
delete security ipsec vpn LCY-HKG-Tu4
delete security ipsec vpn LCY-HKG-Tu5
delete security ipsec vpn LCY-HKG-Tu6

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t0 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t0 remote-ip 192.168.96.0/20

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t1 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t1 remote-ip 10.0.0.0/24

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t2 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t2 remote-ip 172.16.0.0/24

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t3 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t3 remote-ip 172.18.0.0/24

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t4 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t4 remote-ip 172.19.0.0/24

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t5 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t5 remote-ip 192.168.121.0/24

set security ipsec vpn LCY-HKG-Tu0 traffic-selector t6 local-ip 172.16.24.128/25
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t6 remote-ip 192.168.96.0/20

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: VPN Site-to-Site with multiple subnets

‎01-15-2019 05:31 PM

Hi Nellikka,

 

It works. Thanks for your advice and solution.

 

Regards,

Kay