Screen OS


Site to site SSG140

  • 1.  Site to site SSG140

    Posted 05-28-2012 12:20

    Hi all, I have 2 different sites, on both sides we have an SSG140, I want to create a VPN between them to make site 1 access a mail server securely on site 2.

     

    Any documentation on this?

     

    Thanks in advance.

     



  • 2.  RE: Site to site SSG140

    Posted 05-28-2012 17:33

    The instructions for a route based VPN are detailed in KB14330.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB14330



  • 3.  RE: Site to site SSG140

     
    Posted 05-29-2012 05:28

    Create a VR

    Create Zones and Bind to required VR's

    Create tunnel Interfaces

    Create Gateway

    Create AutoKey IKE (Using the gateway configured)

    Create the Routes

    Create the Policies

     

    Voila - or do you want the actual command structure for this?



  • 4.  RE: Site to site SSG140
    Best Answer

     
    Posted 05-29-2012 05:55

    Sorry, let's say you are using the GUI....

     

    Is this fresh from the box or not?

     

    Try the following and make the other end the opposite

     

    1: Network / Routing / Virtual Routers

    2: New VR

    3: Name <whatever name you want to call the VR> (You don't have to do this bit, but it is good for keeping it secure).

     

    Apply and OK

     

    4: Network / Zones

    5: New

    6: Name <Whatever you want to call it>

    7: Virtual Router name <whatever you just made in 3 above - or - Trust-vr>

    8: Network / Interfaces / List

     

    At this point either you have the Interfaces in a bgroup or they are separate; if in a group, assign the IP to the group, or if single, assign to the single interface. So, if your interface, for example, is in bgroup zero, do this (I will use made-up addresses):

     

    9: Edit bgroup0

    10: Zone name = <whatever you called it in step 6>

    11: Static IP = 10.78.1.254 / 24

    12: Interface mode = Route

    13: Manage services = Whatever you want to manage the interface - web, ping, ssh   etc

     

    Now create the tunnel:

     

    14: Make sure TunnelIF is in the drop down menu (Top right of main window) and click on "new"

    15: Next available tunnel should be shown, but for this example I will use "tunnel.1"

    16: Zone = <Whatever you called it in step 6>

    17: Unnumbered

    18: Interface = Either the group (as mentioned before) or the actual interface

    19: Untrust port next (Either E0/0 or on the 140's I think it is E0/1)

    20: Zone name = Untrust

    21: Static IP = 10.99.78.2 / 24

    22: Managed services - Whatever you want to manage the interface

    23: Click Apply (A route option then appears)

    24: Click on the Route radio button then apply and OK

    25: VPNs / Autokey Advanced / Gateway

    26: New

    27: Gateway Name = <Whatever you want to give it>

    28: Static IP address = 10.99.78.1 / 24

    29: Click Advanced

    30: Preshared key = whatever you want it to be (Must be the same both ends)

    31: Outgoing interface (Untrust) = Either E0/0 or E0/1, whichever you have as the untrust interface

    32: Security level = Custom = pre-g2-3des-sha

    33: Mode initiator = Main (ID Protection)

    34: Return and OK

    35: VPNs / AutoKey IKE

    36: New

    37: VPN Name = Whatever you want to name it

    38: Remote Gateway = (Whatever you called the gateway at 27 above)

    39: Click Advanced

    40: Security level = custom - g2-esp-3des-sha

    41: Bind to = for this example it was tunnel.1 (But whichever tunnel was assigned earlier in this procedure)

    42: Proxy ID = Ticked

    43: Local IP = Your local Network

    44: Remote IP = The remote network

    45: VPN Monitor = ticked

    46: Return and OK

    47: Network / routing / destination

    48: In drop down list (Top right) choose the VR the zone was in (Trust-vr or the VR you created)

    49: New

    50: IP Address / Netmask = 0.0.0.0 / 0

    51: Click Gateway radio button

    52: Interface = in our case tunnel.1

    53: Leave Gateway IP Address as 0.0.0.0

    54: Permanent = Clicked

    55: Click OK

    56: Policy / Policies

    57: From Zone you named to Untrust

    58: New

    59: Whatever you want to allow through

    60: From Untrust to Zone you named or trust

    61: Whatever you want to allow through

     

    You could add a couple of other policies if you wanted, but that part is straightforward.

     

    At the other end, obviously do the same, but use the other gateway addresses, so the opposite.... for example, on this end we use 10.99.78.2 as the address this end and 10.99.78.1 as the remote. So on the other end it would be 10.99.78.1 as local and 10.99.78.2 as remote.

     

    Good luck and let me know if you have any other issues.



  • 5.  RE: Site to site SSG140

    Posted 05-29-2012 11:11

    Now, that was better than opening a case with Juniper; as this is a production system, I will give it a shot on Saturday.

    Really appreciate!

     



  • 6.  RE: Site to site SSG140

    Posted 05-29-2012 11:20

    My SSG is already configured with a lot of VRs, TRUST and UNTRUST zones...

    Should I post my config here? Would it make it easier?

     



  • 7.  RE: Site to site SSG140

     
    Posted 05-30-2012 00:31

    Yes, you can post the config here..... I would xxx out the public addresses (if any) and any other important IPs.

     

    I am doing a lot of Configs here on SSG5, SSG20 and SSG140's so will try and respond as soon as I can.



  • 8.  RE: Site to site SSG140

     
    Posted 05-30-2012 00:51

    From what I can dig out from our configs, although I am pushed for time so may have missed something.... here is the CLI information.... it is a test network connected on site, so the IPs are just made up so I don't mind them being here....

     

    set vrouter name "Dirty_Net" id 1025
    set vrouter "Dirty_Net"
    set zone id 100 "Corp"
    set zone id 101 "Dirty_Net"
    set zone "Dirty_Net" vrouter "Dirty_Net"
    set interface "ethernet0/0" zone "Untrust"
    set interface "bgroup0" zone "Corp"
    set interface "tunnel.1" zone "Trust"
    set interface bgroup0 port ethernet0/1
    set interface bgroup0 port ethernet0/2
    set interface ethernet0/0 ip 10.10.10.2/24
    set interface ethernet0/0 route
    set interface bgroup0 ip 10.148.148.254/24
    set interface bgroup0 route
    set interface tunnel.1 ip unnumbered interface bgroup0
    set interface tunnel.1 mtu 1500
    set interface ethernet0/0 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage telnet
    set interface ethernet0/0 manage web
    set interface bgroup0 manage ping
    set interface bgroup0 manage ssh
    set interface bgroup0 manage telnet
    set interface bgroup0 manage web
    set ike gateway "To_SSG140" address 10.10.10.1 Main outgoing-interface "ethernet0/0" preshare "AqlDLRUaNgOQfKsGAFC4pX0cgqn/KXsRNg==" proposal "pre-g2-3des-sha"
    set vpn "Corp_To_SSG140" gateway "To_SSG140" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
    set vpn "Corp_To_SSG140" monitor
    set vpn "Corp_To_SSG140" id 0x1 bind interface tunnel.1
    set vrouter "untrust-vr"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set vrouter "Dirty_Net"
    exit
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
    set policy id 1
    exit
    set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
    set policy id 2
    exit
    set route 0.0.0.0/0 interface tunnel.1 permanent
    exit
    set vrouter "Dirty_Net"
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set vrouter "Dirty_Net"
    exit

     

    This should correspond, I hope, with the GUI procedure I gave you.
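As an added example that is not part of this thread and not Juniper's code: a small Python parser for the `set` lines above, with checks that tie a posted config back to the GUI steps in the best answer (tunnel bound to the VPN, a route into the tunnel, a policy between the zones actually used, the two ends mirroring each other) and to the Proxy ID point raised later in the thread. `SIDE_A` is a trimmed copy of the posted test config with a placeholder in place of the preshared key; `SIDE_B` is an assumed mirror image for the far site; the `set vpn ... proxy-id local-ip ... remote-ip ... "ANY"` syntax is assumed from memory rather than taken from the page.

```python
"""Added example (not the thread's or Juniper's code): parse ScreenOS 'set' lines and
check a route-based VPN against the steps in this thread. SIDE_A is a trimmed copy of
the posted test config with a placeholder key; SIDE_B is an assumed mirror for the far site."""
import shlex

SIDE_A = """
set interface "ethernet0/0" zone "Untrust"
set interface "bgroup0" zone "Corp"
set interface "tunnel.1" zone "Trust"
set interface ethernet0/0 ip 10.10.10.2/24
set interface bgroup0 ip 10.148.148.254/24
set interface tunnel.1 ip unnumbered interface bgroup0
set ike gateway "To_SSG140" address 10.10.10.1 Main outgoing-interface "ethernet0/0" preshare "PSK-PLACEHOLDER" proposal "pre-g2-3des-sha"
set vpn "Corp_To_SSG140" gateway "To_SSG140" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "Corp_To_SSG140" id 0x1 bind interface tunnel.1
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
set route 0.0.0.0/0 interface tunnel.1 permanent
"""
SIDE_B = """
set interface "ethernet0/0" zone "Untrust"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Trust"
set interface ethernet0/0 ip 10.10.10.1/24
set interface bgroup0 ip 10.20.20.254/24
set interface tunnel.1 ip unnumbered interface bgroup0
set ike gateway "To_Site_A" address 10.10.10.2 Main outgoing-interface "ethernet0/0" preshare "PSK-PLACEHOLDER" proposal "pre-g2-3des-sha"
set vpn "To_Site_A" gateway "To_Site_A" tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "To_Site_A" proxy-id local-ip 10.20.20.0/24 remote-ip 10.148.148.0/24 "ANY"
set vpn "To_Site_A" id 0x1 bind interface tunnel.1
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set route 10.148.148.0/24 interface tunnel.1 permanent
"""

def _after(t, key, start=0):
    """Token following `key` (searched from index `start`), or None."""
    i = t.index(key, start) if key in t[start:] else -1
    return t[i + 1] if 0 <= i < len(t) - 1 else None

def parse_screenos(text):
    """Collect interfaces, IKE gateways, VPNs, routes and policies from 'set' lines."""
    cfg = {"interfaces": {}, "gateways": {}, "vpns": {}, "routes": [], "policies": []}
    # shlex drops the quoting ScreenOS prints around names
    for t in (shlex.split(l) for l in map(str.strip, text.splitlines()) if l.startswith("set ")):
        if t[1] == "interface":
            itf = cfg["interfaces"].setdefault(t[2], {})
            if "zone" in t:
                itf["zone"] = _after(t, "zone")
            ip = _after(t, "ip")
            if ip == "unnumbered":  # tunnel borrows the address of a LAN interface
                itf["unnumbered"] = _after(t, "interface", 3)
            elif ip and "/" in ip:
                itf["ip"] = ip
        elif t[1] == "ike" and t[2] == "gateway":
            cfg["gateways"][t[3]] = {k: _after(t, k) for k in ("address", "outgoing-interface", "preshare", "proposal")}
        elif t[1] == "vpn":
            v = cfg["vpns"].setdefault(t[2], {"proxy_id": None})
            if "gateway" in t:
                v["gateway"], v["proposal"] = _after(t, "gateway"), _after(t, "proposal")
            if "bind" in t:
                v["bind"] = _after(t, "interface", 3)
            if "proxy-id" in t:
                v["proxy_id"] = (_after(t, "local-ip"), _after(t, "remote-ip"))
        elif t[1] == "route":
            cfg["routes"].append((t[2], _after(t, "interface")))
        elif t[1] == "policy" and "from" in t:
            i = t.index("to")  # ... from <zone> to <zone> <src> <dst> <svc> <action>
            cfg["policies"].append(dict(zip(("from", "to", "src", "dst", "svc", "action"),
                                            (_after(t, "from"), *t[i + 1:i + 6]))))
    return cfg

def audit_site(cfg):
    """Findings for one firewall, following the GUI steps (tunnel, route, policy, proxy-id)."""
    f, itfs = [], cfg["interfaces"]
    for name, v in cfg["vpns"].items():
        tun = itfs.get(v.get("bind"), {})
        if v.get("bind") not in [i for _, i in cfg["routes"]]:
            f.append(f"{name}: no route points into {v.get('bind')}, so nothing enters the tunnel")
        lan_zone, tun_zone = itfs.get(tun.get("unnumbered"), {}).get("zone"), tun.get("zone")
        if lan_zone != tun_zone and not any(p["from"] == lan_zone and p["to"] == tun_zone
                                            and p["action"] == "permit" for p in cfg["policies"]):
            f.append(f"{name}: no policy permits {lan_zone} -> {tun_zone}, so the LAN cannot reach the tunnel")
        if v["proxy_id"] is None:  # ScreenOS then negotiates 0.0.0.0/0 in phase 2, which is what the follow-up saw
            f.append(f"{name}: no proxy-id, so any subnet may use the tunnel and only policies limit it")
    for p in cfg["policies"]:
        if p["action"] == "permit" and (p["src"], p["dst"], p["svc"]) == ("Any", "Any", "ANY"):
            f.append(f"policy {p['from']} -> {p['to']} permits Any/Any/ANY; narrow it to the mail server and its ports")
    return f

def audit_pair(a, b):
    """Check that the two ends mirror each other ("make the other end the opposite")."""
    f = []
    va, vb = next(iter(a["vpns"].values())), next(iter(b["vpns"].values()))
    ga, gb = a["gateways"][va["gateway"]], b["gateways"][vb["gateway"]]
    ip_a = a["interfaces"][ga["outgoing-interface"]]["ip"].split("/")[0]
    ip_b = b["interfaces"][gb["outgoing-interface"]]["ip"].split("/")[0]
    if (ga["address"], gb["address"]) != (ip_b, ip_a):
        f.append(f"gateway addresses are not mirrored: {ga['address']} / {gb['address']}")
    if ga["preshare"] != gb["preshare"]:  # compare the plaintext you type; 'get config' prints it encrypted
        f.append("preshared keys differ; they must be the same at both ends")
    pa, pb = va["proxy_id"], vb["proxy_id"]
    if (pa is None) != (pb is None):
        f.append("proxy-id set on one end only; the other end offers 0.0.0.0/0 and phase 2 will not match")
    elif pa and pa != (pb[1], pb[0]):
        f.append(f"proxy-ids are not swapped: {pa} vs {pb}")
    return f
```

Calling `audit_site(parse_screenos(SIDE_A))` on the trimmed copy of the posted config reports that `tunnel.1` sits in Trust while `bgroup0` sits in Corp with no Corp-to-Trust policy, that no proxy-ID is set, and that both policies permit Any/Any/ANY; `audit_pair` on the two sides then reports only that the proxy-ID is configured on one end. Paste your own `get config` output into `parse_screenos` to run the same checks before bringing a tunnel up.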



  • 9.  RE: Site to site SSG140

    Posted 05-31-2012 07:55

    Will post ASAP.

     



  • 10.  RE: Site to site SSG140

    Posted 06-22-2012 06:05

    Amazing tutorial!

     

    Everything is working perfectly!

     

    Now is it possible to add a secondary trust on one of the sides to access the same resource on the other side?

     



  • 11.  RE: Site to site SSG140

    Posted 06-22-2012 10:00

    Found out if I don't add the Proxy ID, I can give access to a lot of servers...

     



  • 12.  RE: Site to site SSG140

     
    Posted 07-12-2012 02:02

    Apologies for the late response. Glad the tutorial helped and yes, if you don't add the Proxy ID you can achieve different results.