ScreenOS Firewalls (NOT SRX)

Multiple VPNs ( to Azure)

‎06-18-2018 10:05 AM

Hello,

We have existing site-to-site IPsec tunnel from our on-prem gateway (Juniper SSG320) to Azure cloud gateway, it is a policy-based VPN.

 

We would like to create a new VPN tunnel, this time a route-based VPN, while keeping the existing tunnel. The new tunnel is for a development environment; it will run from the same existing on-prem gateway (Juniper SSG 320) to a new gateway and virtual network in Azure. Does anyone know if this is doable, or if this Juniper supports multiple VPNs? In this case it would be two VPNs (one policy-based, the other route-based). Will I need a new external IP address? The two tunnels wouldn't need to talk to each other.

 

Thanks,

Hubble

 


Re: Multiple VPNs ( to Azure)

‎06-18-2018 10:14 AM

You can do this, as long as the internal IP addresses are different. The reason is that those internal IPs would only flow along the route-based tunnel.


Re: Multiple VPNs ( to Azure)

‎06-18-2018 11:55 AM

Thanks.  

Our existing VPN tunnel is between our on-prem Juniper VPN and Microsoft Azure gateway, but the physical connection is below:

 

The Juniper (VPN gateway) interface is connected to an edge router, and the edge router to the internet (Azure cloud VPN gateway). On the Azure side we will need to create a new virtual network and a new gateway (with a new IP address), so do I need a new Juniper interface with a new IP address for the new tunnel? Sorry, I'm new to this.


Re: Multiple VPNs ( to Azure)

‎06-18-2018 07:19 PM

Hi,

 

1: Please make sure your private IPs/subnets for both VPNs (Azure side) are different.

2: It's not mandatory to have a new interface with a public IP on the SSG. You can use any IP/interface which has reachability to the Azure cloud.

3: Configure your static route pointing to the tunnel interface. Once again, as I mentioned, try not to have overlapping subnets in the policy-based and route-based VPNs.

4: KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB14330&actp=METADATA for route based VPN on SSG.

 

Thanks,

Vikas


Re: Multiple VPNs ( to Azure)

‎06-19-2018 04:47 AM

Thank you Vikas, 

Sorry, just to clarify this: "2: It's not mandatory to have a new interface with a public IP on the SSG. You can use any IP/interface which has reachability to the Azure cloud."

Does this mean I can use the same SSG tunnel interface and IP address for both the existing VPN tunnel (policy-based) and the new VPN tunnel (route-based)? Sorry, in my mind it won't work, but I'm probably wrong.


Re: Multiple VPNs ( to Azure)

‎06-19-2018 08:58 AM

Hi,

 

I doubt that you would be using any tunnel interface in a policy-based VPN; if you are, then use another tunnel interface for the route-based VPN. You can use the same tunnel interface, but it is better to use another one.

 

It's a very common scenario where one VPN device uses the same IP/interface to form VPNs with multiple different IPs/gateways/VPN peers.

 

Please let me know why you think it will not work, and we will see if that can cause an issue.

 

Thanks,

Vikas


Re: Multiple VPNs ( to Azure)

‎06-19-2018 09:49 AM

Thanks Vikas.

I thought it might not work because one VPN (existing) is policy-based (static) and the other VPN (new) is route-based (dynamic). For some reason I am thinking there will be a conflict there, or that both VPNs have to be dynamic or route-based.

 


Re: Multiple VPNs ( to Azure)

‎06-19-2018 10:29 AM

You can have one route-based and the other policy-based. Which VPN to use is determined by a route lookup. When traffic is initiated for the route-based VPN, the route will point the traffic to a tunnel interface. When traffic is initiated for the policy-based VPN, the route will direct the traffic out a regular (usually untrust) interface, and then the zone-to-zone policy will put the traffic into the corresponding tunnel.
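The following ScreenOS CLI configuration is an added example that is not part of this thread and not from any poster; it illustrates Vikas's four steps and the route-lookup behaviour described in the last reply, with both VPNs terminating on the same untrust interface and public IP. Every name, address and pre-shared key in it is an assumption chosen for illustration: ethernet0/0 as the untrust interface, 10.10.0.0/16 as the on-prem LAN, 10.30.0.0/16 as the existing (policy-based) Azure VNet, 10.20.0.0/16 as the new (route-based) dev VNet, and 203.0.113.10 / 203.0.113.20 as the two Azure gateway public IPs. It assumes IKEv1 main mode on both tunnels; check the Azure gateway's supported IKE version and proposals for your SKU before reusing it.

```screenos
## --- Address book (constructed example addresses) ---
set address trust   "Trust-LAN"       10.10.0.0 255.255.0.0
set address untrust "Azure-Prod-VNet" 10.30.0.0 255.255.0.0
set address untrust "Azure-Dev-VNet"  10.20.0.0 255.255.0.0

## --- Existing policy-based VPN (unchanged, shown for context) ---
## Both IKE gateways use the same outgoing interface; ScreenOS keys each
## Phase 1 SA on the remote peer address, so no second public IP is needed.
set ike gateway "gw-azure-prod" address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "REPLACE-ME-PROD" sec-level standard
set vpn "vpn-azure-prod" gateway "gw-azure-prod" sec-level standard
## The policy itself selects the tunnel: traffic routed out ethernet0/0 and
## matching this policy is encrypted into vpn-azure-prod.
set policy from trust to untrust "Trust-LAN" "Azure-Prod-VNet" any tunnel vpn "vpn-azure-prod"
set policy from untrust to trust "Azure-Prod-VNet" "Trust-LAN" any tunnel vpn "vpn-azure-prod"

## --- New route-based VPN to the dev VNet ---
## Step 3 of the thread: a numbered-or-unnumbered tunnel interface in the
## untrust zone, borrowing the IP of ethernet0/0.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

## Second IKE gateway, same outgoing interface, different peer IP and key.
set ike gateway "gw-azure-dev" address 203.0.113.20 main outgoing-interface ethernet0/0 preshare "REPLACE-ME-DEV" sec-level standard
set vpn "vpn-azure-dev" gateway "gw-azure-dev" sec-level standard
## Bind the VPN to the tunnel interface; this is what makes it route-based.
set vpn "vpn-azure-dev" bind interface tunnel.1
## Azure route-based gateways negotiate any/any traffic selectors, so use a
## wildcard proxy-id rather than the subnet pair (assumption for this example).
set vpn "vpn-azure-dev" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"

## Route lookup decides which VPN carries a packet: the dev VNet goes to
## tunnel.1, everything else (including the prod VNet) follows the default
## route out ethernet0/0, where the policy above picks up the prod tunnel.
set route 10.20.0.0/16 interface tunnel.1
## Because the subnets do not overlap (step 1), no packet can match both.

## Plain permit policies: no "tunnel vpn" clause, the route already did that.
set policy from trust to untrust "Trust-LAN" "Azure-Dev-VNet" any permit
set policy from untrust to trust "Azure-Dev-VNet" "Trust-LAN" any permit
save
```

To confirm the two tunnels coexist, `get ike cookie` should show two Phase 1 SAs against the two Azure peer addresses, `get sa` should list both VPNs as active, and `get route 10.20.0.1` should resolve to tunnel.1 while `get route 10.30.0.1` resolves to ethernet0/0. If the prod policy ever shows up in the dev traffic path, the first thing to check is step 1: an overlap between the two VNet ranges.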
