ScreenOS Firewalls (NOT SRX)
ScreenOS Firewalls (NOT SRX)

SSG20 to SSG550 ScreenOS VPN Issues

‎01-17-2011 07:44 AM

Hello,

 

I work for University Campus Suffolk and we have got a fairly geographically large campus with route based IPSec VPN's between end site SSG20's and the head end SSG520. All devices are running ScreenOS 6.2.0r6.0. We are migrating the head end VPN from the current 520M to a pair of SSG550 firewalls as part of a consolidation and I am testing the VPN configuration on a test SSG20.

 

The VPN is up on both devices but for what ever reason traffic is not routing correctly over the tunnel.

 

The VPN's are pretty much set up as in the KB with preshared keys, the same P1/P2 proposals, Proxy-ID with local and remote subnets.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14330

 

The only difference that I can make out is that the LAN side of the SSG550 is not the standard Trust zone (this is applied to a DMZ for some reason - don't ask!). I wouldn't have thought this would make much difference? On the policies that I have set up I can see traffic hitting the policy but I never see it on the remote SSG20 firewall policy.

 

I haven't dealt with Juniper firewall before this job so am not exactly a pro but have set up some of the current remote sites to the SSG520 so am not a complete beginner.

 

I have intentionally not included the config though would be only more than happy to include this if required.

 

Any help would be appreciated.

 

Thanks

 

Paul Woolnough - CCNP, CCDP
ICT Infrastructure Engineer - Networks
University Campus Suffolk
Tel 01473 338380
Mob 07540 672841

1 REPLY 1
ScreenOS Firewalls (NOT SRX)

Re: SSG20 to SSG550 ScreenOS VPN Issues

‎01-17-2011 04:28 PM

From you description I assume:

 

The tunnel connection is up and active for both Phase 1 & 2

On the sending side you see the traffic hitting the dmz to untrust policy on the SSG550 side with "age out" or similar

 

I would look for a disconnect in policy zones in the path from SSG550 to SSG20.

 

Is the untrust to trust policy in place on the SSG20

Is the remote SSG550 classified as untrust on the SSG20 and included in this policy

Are the tunnel.x interfaces on both firewalls assigned to the untrust zone

Do you see traffic hitting the trust to untrust policy on the SSG20 when pinging from that direction

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home