ScreenOS Firewalls (NOT SRX)

Policy Based VPN

12-05-2007 03:37 AM
Dear All,
I used to configure policy-based VPNs a long time ago without any problems. I'm confused here that these days it's not working unless I enable RIP on the trust interface!! which I do remember (or maybe I'm wrong) that I don't need to enable!! Can anyone help me please.. should the policy-based VPN work without enabling RIP on the trust zone..!!!
Tariq Morad

Re: Policy Based VPN

12-05-2007 02:38 PM
RIP is most definitely NOT required for policy-based VPNs. What error are you seeing in the event log? Can you post the relevant configs? In particular, the IKE, VPN and tunnel policy configs.

Re: Policy Based VPN

12-05-2007 11:37 PM
For your Trust and Untrust interfaces, are you using NAT or ROUTE?

Re: Policy Based VPN

12-06-2007 02:23 AM
Thank you rkim and chintag for taking care of this issue. Well.. here is the configuration for the hub and spoke1. spoke2 is the same as spoke1, so I didn't send it.

The VPN is Active and UP on the hub when I'm using RIP without enabling it on the trust interfaces, but it's active and down on both spokes.

I used static routes and it worked fine, but I need to use RIP. The configuration is with static; if you want me to configure it as RIP and send it, I will. Thanks a lot.
Tariq Morad


Re: Policy Based VPN

12-06-2007 10:43 AM
VPN shows active/down because VPN monitor is failing unless a route exists for the hub network. Out of curiosity, why are you using a policy-based VPN for this? When using a dynamic routing protocol across VPNs, a route-based VPN is recommended. From the looks of your configs, I see no reason why you cannot use route-based. Due to the nature of RIP broadcasts or RIP/OSPF multicast, I don't recall either of these protocols working properly across policy-based VPNs.
 
My recommendation is change this to a route-based VPN and apply RIP on the tunnel interfaces.
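The route-based layout recommended above, written out as an added example; it is not part of this thread or of the attached configs, and every name, interface, address and the preshared-key placeholder is assumed. Lines starting with `#` are annotations, not ScreenOS CLI input.

```text
# HUB (assumed: ethernet3 = untrust/WAN, ethernet1 = trust/LAN, spoke1 peer 203.0.113.2)
# Tunnel interface in the Untrust zone with its own point-to-point address,
# so RIP has a numbered neighbour on the far end.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.255.0.1/30
# IKE gateway and VPN; the VPN is bound to tunnel.1 instead of being referenced
# by a tunnel policy, which is what makes it route-based.
set ike gateway spoke1-gw address 203.0.113.2 main outgoing-interface ethernet3 preshare "PSK-PLACEHOLDER" sec-level standard
set vpn spoke1-vpn gateway spoke1-gw sec-level standard
set vpn spoke1-vpn bind interface tunnel.1
# VPN monitor keeps the tunnel state honest; with a route learned via RIP
# over tunnel.1 it no longer reports active/down for lack of a route.
set vpn spoke1-vpn monitor rekey
# RIP in trust-vr, enabled on the tunnel interface (peers with the spoke) and
# on the trust interface (so the LAN subnet is advertised to the spoke).
set vrouter trust-vr protocol rip
set vrouter trust-vr protocol rip enable
set interface tunnel.1 protocol rip
set interface tunnel.1 protocol rip enable
set interface ethernet1 protocol rip
set interface ethernet1 protocol rip enable
# Ordinary zone policies still govern what crosses the tunnel; the encryption
# decision now comes from the route, not from a tunnel policy.
set policy from trust to untrust any any any permit
set policy from untrust to trust any any any permit

# SPOKE1 (assumed: ethernet3 = untrust/WAN, ethernet1 = trust/LAN, hub peer 203.0.113.1)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.255.0.2/30
set ike gateway hub-gw address 203.0.113.1 main outgoing-interface ethernet3 preshare "PSK-PLACEHOLDER" sec-level standard
set vpn hub-vpn gateway hub-gw sec-level standard
set vpn hub-vpn bind interface tunnel.1
set vpn hub-vpn monitor rekey
set vrouter trust-vr protocol rip
set vrouter trust-vr protocol rip enable
set interface tunnel.1 protocol rip
set interface tunnel.1 protocol rip enable
set interface ethernet1 protocol rip
set interface ethernet1 protocol rip enable
set policy from trust to untrust any any any permit
set policy from untrust to trust any any any permit
```

Replace "PSK-PLACEHOLDER" with a per-peer secret (or move to certificates), and restrict the any/any policies to the hub and spoke LAN address objects once the tunnel is verified up with `get sa` and `get vrouter trust-vr route`.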

Re: Policy Based VPN

12-08-2007 11:05 PM
Thank you so much for the great info; your efforts are appreciated.
Tariq Morad