Screen OS

  • 1.  Route-based vpn query

    Posted 12-02-2008 02:28

    I have an issue with configuring a route-based VPN between an SSG-140 (serial interface as outgoing int) and a Cisco 3845. The problem is that although the VPN comes up successfully, within 10 minutes after VPN establishment the physical interface (serial int) goes down, and the traffic follows dial-backup.


    Kindly let me know your views, as I am at my customer site to resolve this issue.


    Thanks in advance.


    Regards,



  • 2.  RE: Route-based vpn query

    Posted 12-02-2008 02:52

    Hi Muhammad,


    If the physical interface goes down, then the problem is not related to the VPN configuration.


    You can best start by checking the physical serial connection, cables, modem, having the ISP check the line, etc.


    Thanks,

    Casper




  • 3.  RE: Route-based vpn query

    Posted 12-08-2008 08:42
    Here is how to do a route-based VPN using the web interface between two NetScreens (sorry, I don't know much about Cisco in this case):

    Setup:

    Firewall A -> Internet -> Firewall B

    Log into Firewall A through the web interface
    Configure tunnel interface
    Click Network -> Interfaces
    Make sure the dropdown in the top left says Tunnel IF, and click New
    Put it in the Untrust zone so all VPN traffic will run through the Untrust->Trust policy
    Click unnumbered then select the untrust interface
    Click OK

    Configure your VPN Gateway
    Click VPNs -> AutoKey Advanced -> Gateway
    Click New
    Name the gateway "Firewall-B"
    Select custom security level
    Enter the public IP address of Firewall B
    Enter your preshared key
    Select untrust for outgoing interface
    Click advanced
    Select User defined (custom)
    In the 1st dropdown select pre-g2-aes128-sha
    Click return at the bottom
    Click OK at the bottom
    Create VPN
    Select VPNs -> Autokey Advanced
    Click New
    Name it FirewallB-vpn
    Select Custom
    Leave predefined checked and select your FirewallB-GW in the dropdown
    Click Advanced
    Select custom
    In 1st dropdown, select g2-esp-aes128-sha
    Turn on replay protection
    Bind to tunnel interface, and select your tunnel interface created earlier
    Turn on VPN monitor to bring up the VPN and keep it up with no traffic
    Click Return
    Click OK

    Add routes to the remote network. (You can configure the tunnel interfaces to run OSPF, or you can add static addresses.)

    To add a static:
    On the menu click Network -> Routing -> Destination
    Click New
    Type in the network address behind Firewall B
    Select Gateway
    Select your tunnel interface in the dropdown
    Click OK

    Add your policy to allow access to/from the remote networks.

    If you are not in NAT mode on your trust interface, check Position at Top when creating a Trust->Untrust rule, or it will NAT the traffic to your untrust IP or DIP pool and then send it across the tunnel.
    Create an Untrust->Trust policy to allow access from the network behind FirewallB to hosts or the network behind FirewallB.
    Repeat these steps on Firewall B, using Firewall A's config.

    Regards

    Gavrilo


  • 4.  RE: Route-based vpn query
    Best Answer

    Posted 12-08-2008 08:48

    Hi All,


    Actually, the problem has been solved. Track-IP was implemented on the outgoing interface (of the VPN), which was tracking the peer IP address of the Cisco router. Since, after establishing the VPN, the peer IP of the Cisco router becomes non-pingable, the interface used to go down.


    Well, I have figured it all out. Thank you all,


    Regards,
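A configuration check for the root cause given in this last post, added here as an example and not part of the thread: it scans a constructed ScreenOS-style config (the `set interface ... monitor track-ip ip` and `set ike gateway ... outgoing-interface` line forms, interface names and addresses are assumptions, not taken from the thread) and flags any IKE gateway whose outgoing interface runs track-ip against that gateway's own peer address, which is the combination that took the serial interface down once the peer stopped answering pings.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed ScreenOS-style excerpt (assumed CLI form; addresses are documentation
# ranges, not real hosts). It reproduces the fault described in the thread: the
# VPN's outgoing interface tracks the IKE peer, so the interface is brought down
# once the peer becomes non-pingable after the tunnel is established.
SAMPLE_CONFIG = """
set interface serial2/0 ip 198.51.100.1/30
set interface serial2/0 monitor track-ip ip 203.0.113.2
set interface serial2/0 monitor track-ip
set ike gateway "Firewall-B" address 203.0.113.2 Main outgoing-interface "serial2/0" preshare "PLACEHOLDER" proposal "pre-g2-aes128-sha"
set vpn "FirewallB-vpn" gateway "Firewall-B" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "FirewallB-vpn" monitor rekey
set vpn "FirewallB-vpn" bind interface tunnel.1
set interface tunnel.1 zone untrust
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "set interface <if> monitor track-ip ip <addr> ..." (assumed form)
TRACK_RE = re.compile(r"^set interface (\S+) monitor track-ip ip " + IPV4)
# 'set ike gateway "<name>" address <addr> ... outgoing-interface "<if>" ...' (assumed form)
GW_RE = re.compile(r'^set ike gateway "([^"]+)" address ' + IPV4 + r' .*?outgoing-interface "?([^"\s]+)"?')


def find_peer_tracking_conflicts(config: str) -> List[Tuple[str, str, str]]:
    """Return (gateway, interface, peer_ip) for every IKE gateway whose outgoing
    interface has a track-ip target equal to that gateway's peer address."""
    tracked: Dict[str, Set[str]] = {}          # interface -> set of tracked IPs
    gateways: List[Tuple[str, str, str]] = []   # (name, peer_ip, outgoing_if)
    for raw in config.splitlines():
        line = raw.strip()
        m = TRACK_RE.match(line)
        if m:
            tracked.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = GW_RE.match(line)
        if m:
            gateways.append((m.group(1), m.group(2), m.group(3)))
    return [(name, iface, peer) for name, peer, iface in gateways
            if peer in tracked.get(iface, set())]


if __name__ == "__main__":
    for gw, iface, peer in find_peer_tracking_conflicts(SAMPLE_CONFIG):
        print(f"gateway {gw}: {iface} tracks its own VPN peer {peer}; the interface "
              f"will be taken down if the peer stops answering ping once the tunnel is up")
```

Pointing track-ip at an address that is not reached through the tunnel itself (for example the ISP next hop) removes the conflict without losing interface failover.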