ScreenOS Firewalls (NOT SRX)

How to set up second VPN interface on the same UnTrust zone

‎09-25-2012 06:04 AM

Hi All,

How can I set up a second VPN connection on the untrust zone, which already has another VPN interface?
If yes, can I use the same untrust IP address (which I got from my ISP) that the first VPN is using for the second tunnel, or should I provide a different IP address?

For example, I have 192.92.99.1 (UnTrust IP address).
Should I define 192.92.99.2, or can I use 192.92.99.1?

I'm using ScreenOS WebUI Version: 6.2.0r5.0 (Firewall+VPN)

Thanks in advance,

14 REPLIES

Re: How to set up second VPN interface on the same UnTrust zone

‎09-25-2012 06:29 AM

Hi, if you set up the tunnel and use unnumbered, it borrows the IP address of the interface the tunnel is bound to. You can find out about this in KB4492.

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA

Re: How to set up second VPN interface on the same UnTrust zone

‎09-25-2012 06:34 AM

Also http://kb.juniper.net/InfoCenter/index?page=content&id=KB8533 might help you on setting up the other route-based vpn.

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA

Re: How to set up second VPN interface on the same UnTrust zone

‎09-25-2012 07:01 AM

Hi Stac,

Thanks a lot for the quick response. I did as you suggested. Since the first VPN interface is already defined in the policy, do I have to change or add another policy rule?

Any 192.168.0.0/24

Thanks in advance,

Re: How to set up second VPN interface on the same UnTrust zone

‎09-25-2012 07:16 AM

Can you share your config please?

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA

Re: How to set up second VPN interface on the same UnTrust zone

‎09-25-2012 07:37 AM

Stac, sorry, since I'm relatively new to the VPN/firewall stuff and to this forum: how secure is it to post the whole configuration? Is there a certain part of the config file that you want to see?

Re: How to set up second VPN interface on the same UnTrust zone

‎09-25-2012 07:47 AM

You could edit out the public IP addresses and any company names from the config.

If you want to set up another VPN, then yes, you need another policy from your internal network to the client's network, as described in the KB article.

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA
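
Added example, not part of the original thread: one way to do the redaction suggested in the reply above before sharing a ScreenOS config. It goes slightly beyond the reply by also blanking quoted `preshare` and `password` values; the sample config and the company name `acme` are constructed for illustration.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
SECRET = re.compile(r'\b(preshare|password)\s+"[^"]*"')


def redact(config, company_names=()):
    """Return (redacted_text, ip_map) for a ScreenOS-style config dump."""
    ip_map = {}

    def mask_ip(match):
        text = match.group(0)
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return text  # four dotted numbers that are not a valid address
        if not addr.is_global:
            return text  # keep RFC 1918 ranges, netmasks, 0.0.0.0
        # Same address -> same label, so peers and routes still line up.
        return ip_map.setdefault(text, f"PUBLIC_IP_{len(ip_map) + 1}")

    out = SECRET.sub(r'\1 "<removed>"', config)  # keys and password hashes
    out = IPV4.sub(mask_ip, out)                 # globally routable IPs
    for name in company_names:                   # caller-supplied names
        out = re.sub(re.escape(name), "COMPANY", out, flags=re.IGNORECASE)
    return out, ip_map


# Constructed sample lines, not a real device configuration.
SAMPLE = '''set hostname acme-fw01
set interface ethernet0/0 ip 192.92.99.1/24
set interface tunnel.2 ip unnumbered interface ethernet0/0
set ike gateway "Acme-SiteB" address 192.92.99.2 Main outgoing-interface "ethernet0/0" preshare "constructed-key" proposal "pre-g2-3des-sha"
set route 10.2.0.0/24 interface tunnel.2
set policy from "Trust" to "Untrust" "192.168.0.0/24" "10.2.0.0/24" "ANY" permit
'''

if __name__ == "__main__":
    redacted, mapping = redact(SAMPLE, company_names=["acme"])
    print(redacted)
    print(mapping)  # keep this mapping private; it reverses the redaction
```

Private ranges are left in place so readers can still follow the routing and policy logic; review the output by eye before posting, since names the script was not told about will remain.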

Re: How to set up second VPN interface on the same UnTrust zone

‎09-25-2012 08:05 AM

OK, thanks a lot for your assistance. I'll try to follow your instructions.

Re: How to set up second VPN interface on the same UnTrust zone

‎09-25-2012 09:34 AM

Hi Stac,

I got confused now. I already have the Trust zone defined for the first VPN interface in the policy.

Trust ---> Untrust

Any
192.168.0.0/24 ANY

Should I define an additional policy for the same IP address: 192.168.0.0/24?

Does it make sense?

Thanks,

Re: How to set up second VPN interface on the same UnTrust zone

‎09-26-2012 12:48 AM

Hi Vadella,

I think you are mixing up VPNs and interfaces; they are two different things.

Do you want to create another interface? Or do you want to create a second vpn?

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA

Re: How to set up second VPN interface on the same UnTrust zone

‎09-27-2012 05:50 AM

Hi Stac,

Maybe. I want to set up a second VPN connection.

Thanks,

Re: How to set up second VPN interface on the same UnTrust zone

‎09-27-2012 06:12 AM

Where does the second vpn go to?

Did you set up a new network internally on your firewall for the new vpn?

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA

Re: How to set up second VPN interface on the same UnTrust zone

‎09-27-2012 06:36 AM

The second VPN should be to another external site.

I didn't set up a network internally. I thought that I could use the same network which I have now for the first VPN.

Re: How to set up second VPN interface on the same UnTrust zone

‎09-27-2012 12:16 PM

Hi Vadella,

Yes, you can use the same internal network with a hub-and-spoke VPN; you should consider your firewall as the hub.

You can read about it in the following document:

http://kb.juniper.net/kb/documents/public/VPN/routebasedhubandspokevpn_rev_1_3.pdf

Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA

Re: How to set up second VPN interface on the same UnTrust zone

‎09-27-2012 07:16 PM

Stac, thank you a lot for the assistance! I'll read about it.