Screen OS


This is a legacy community with limited Juniper monitoring.

How to set up second VPN interface on the same UnTrust zone

  • 1.  How to set up second VPN interface on the same UnTrust zone

    Posted 09-25-2012 06:05

    Hi All,

     

    How can I set up a second VPN connection on the Untrust zone, which already has another VPN interface?
    If yes, can I use the same Untrust IP address (which I got from my ISP) that the first VPN is using for the second tunnel, or should I provide a different IP address?

    For example, I have 192.92.99.1 (Untrust IP address).
    Should I define 192.92.99.2? Or can I use 192.92.99.1?

     

    I'm using ScreenOS WebUI Version: 6.2.0r5.0 (Firewall+VPN) 

     

    Thanks in advance,

     



  • 2.  RE: How to set up second VPN interface on the same UnTrust zone
    Best Answer

    Posted 09-25-2012 06:29

    Hi, if you set up the tunnel and use unnumbered, it borrows the IP address of the interface the tunnel is bound to. You can find out about this in KB4492.



  • 3.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-25-2012 06:34

    Also, http://kb.juniper.net/InfoCenter/index?page=content&id=KB8533 might help you with setting up the other route-based VPN.



  • 4.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-25-2012 07:02

    Hi Stac,

     

    Thanks a lot for the quick response. I did as you suggested. Since there is a first VPN interface defined in the policy, do I have to change it or add another policy rule?

    Any 192.168.0.0/24

     

     

    Thanks in advance,



  • 5.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-25-2012 07:17

    Can you share your config please?



  • 6.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-25-2012 07:38

    Stac, sorry, I'm relatively new to the VPN/firewall stuff and to this forum: how secure is it to post the whole configuration? Is there a certain part of the config file that you want to see?



  • 7.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-25-2012 07:47

    You could edit out the public IP addresses and any company names from the config.

    If you want to set up another VPN, then yes, you need another policy from your internal network to the client's network, as described in the KB article.



  • 8.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-25-2012 08:05

    OK, thanks a lot for your assistance. I'll try to follow your instructions.



  • 9.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-25-2012 09:34

    Hi Stac,

     

    I got confused now; I already have the Trust zone defined for the first VPN interface in the policy.

     

    Trust ---> Untrust 


    Any
    192.168.0.0/24 ANY

     

    Should I define an additional policy for the same IP address, 192.168.0.0/24?

    Does it make sense?

     

    Thanks,



  • 10.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-26-2012 00:48

    Hi Vadella,

     

    I think you are mixing up VPNs and interfaces; they are two different things.

    Do you want to create another interface? Or do you want to create a second vpn?



  • 11.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-27-2012 05:50

    Hi Stac,

     

    Maybe. I want to set up a second VPN connection.

     

    Thanks,

     



  • 12.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-27-2012 06:12

    Where does the second VPN go to?

    Did you set up a new network internally on your firewall for the new VPN?



  • 13.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-27-2012 06:37

    The second VPN should be to another external site.

    I didn't set up a network internally. I thought that I could use the same network which I have now for the first VPN.



  • 14.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-27-2012 12:16

    Hi Vadella,

     

    Yes, you can use the same internal network with a hub-and-spoke VPN; you should consider your firewall as the hub.

    You can read about it in the following document:

    http://kb.juniper.net/kb/documents/public/VPN/routebasedhubandspokevpn_rev_1_3.pdf



  • 15.  RE: How to set up second VPN interface on the same UnTrust zone

    Posted 09-27-2012 19:16

    Stac, thanks a lot for the assistance! I'll read about it.
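
The setup the thread converges on (a second route-based VPN that reuses the Untrust IP through an unnumbered tunnel interface, plus its own route and policy), sketched as ScreenOS CLI. This is an added example, not a configuration posted by any participant. Assumptions: `ethernet0/0` is the Untrust interface, `tunnel.1` already carries the first VPN, and the peer address, remote subnet, object names and key placeholder are constructed; lines starting with `#` are reader annotations, not CLI input.

```screenos
# Constructed values: peer 203.0.113.10, remote LAN 10.20.0.0/24,
# object names ending in "site2", and the <PRESHARED-KEY> placeholder.

# 1. Second tunnel interface in the Untrust zone. "unnumbered" makes it
#    borrow the IP of ethernet0/0, so no extra public address is needed.
set interface tunnel.2 zone Untrust
set interface tunnel.2 ip unnumbered interface ethernet0/0

# 2. IKE gateway for the second peer, using the same outgoing interface
#    as the first VPN.
set ike gateway "gw-site2" address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "<PRESHARED-KEY>" sec-level standard

# 3. Second VPN, bound to its own tunnel interface.
set vpn "vpn-site2" gateway "gw-site2" sec-level standard
set vpn "vpn-site2" bind interface tunnel.2

# 4. Route that decides which tunnel carries traffic for the second site.
set route 10.20.0.0/24 interface tunnel.2

# 5. Address book entry and a policy scoped to the second site's subnet,
#    separate from the policy that serves the first VPN.
set address Untrust "site2-lan" 10.20.0.0 255.255.255.0
set policy from Trust to Untrust "Any" "site2-lan" "ANY" permit

# A reverse policy (Untrust to Trust, source "site2-lan") is needed only
# if hosts at the second site must initiate connections inward.
```

With route-based VPNs the route selects the tunnel and the policy only permits the traffic, so the second site needs a distinct destination subnet; a duplicate of the first VPN's policy would not steer anything into `tunnel.2`.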