ScreenOS Firewalls (NOT SRX)

Source route through VPN tunnel regardless of destination

09-28-2010 07:29 AM

ISG 1000 OS 6.1.  We have a LAN to LAN VPN tunnel already setup.  The existing production network gets to the public Internet and over the tunnel through the ISG without issue, as it should.  We need to force our newly created 192.168.14.0/24 and 192.168.24.0/24 subnets through the VPN tunnel regardless of destination; public Internet and all.  Existing production network will remain as it is.  I am posting this for another engineer on the team.


Thank you in advance for your assistance,

NaviNet IT Engineering


9 REPLIES

Re: Source route through VPN tunnel regardless of destination

09-28-2010 08:05 AM

I would put them into a different routing instance along with the external connection.  This would be the most secure way to do things.  The other way would be to add a source route for those subnets pointing to the tunnel, but if the goal is to truly segment the traffic, I would recommend the separate VR.


Ron


Re: Source route through VPN tunnel regardless of destination

09-28-2010 08:08 AM

I will pass this on to the engineer who is working on this.  I will return with the results.


Re: Source route through VPN tunnel regardless of destination

09-28-2010 09:34 AM

We are a semi-new IT engineering team so the engineer that is now responsible for this device is asking for the CLI commands to do what you are suggesting.  We are learning these devices on the fly, not too fun right now.


Can you assist?



Re: Source route through VPN tunnel regardless of destination

09-28-2010 04:15 PM

well, the multiple VR config is a bit complex to try to detail without all of your interfaces / zones, but here is the source-routing one...

set vrouter trust-vr source-routing enable

set vrouter trust-vr route source 192.168.100.0/24 interface tunnel.1

set vrouter trust-vr route source 192.168.101.0/24 interface tunnel.2

Something along those lines (with networks, interfaces, vr name etc. changed to fit your network).

Ron

Re: Source route through VPN tunnel regardless of destination

09-29-2010 05:00 AM

You are correct, it is a little complex.  I've been trying to get up to speed on this and three weeks since I started here is certainly not enough time.  I know we want it to go over the pre-existing and functioning VPN tunnel.2 so will this work?


set vrouter trust-vr source-routing enable

set vrouter trust-vr route source 192.168.14.0/24 interface tunnel.2

set vrouter trust-vr route source 192.168.24.0/24 interface tunnel.2

save


I'm hoping that this will FORCE ALL traffic regardless of its destination to use the VPN tunnel.2.


Thank you again for your assistance.


Re: Source route through VPN tunnel regardless of destination

09-29-2010 09:02 PM

That looks good to me.


Ron


Re: Source route through VPN tunnel regardless of destination

09-30-2010 03:59 AM

pemnet wrote:


I'm hoping that this will FORCE ALL traffic regardless of its destination to use the VPN tunnel.2.


Thank you again for your assistance.


Yes, this is exactly how source routing works, which means even the connected destinations are sent down the tunnel.  So this will only work for you if these two subnets do NOT communicate with each other.  If they do, you will need to configure Policy Based Routing (PBR), which is somewhat more complicated.


Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
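Added illustration (not code from this thread, from Juniper, or from ScreenOS itself): a small Python model of the two posts above. It renders the same `set vrouter` lines Ron and pemnet posted from a list of subnets, and then walks a simplified route lookup in which source routes are consulted before destination routes, which is the assumption behind Steve's caveat. Run over constructed route tables it shows the three cases that matter: the new subnets reach the Internet via tunnel.2, the existing production LAN is untouched, and traffic between the two new subnets (and from them to any other locally routed subnet, which goes one step beyond the thread) is diverted into the tunnel instead of the local interface. Interface names other than tunnel.2 and the 10.0.0.0/24 production subnet are constructed for the example.

```python
import ipaddress


def screenos_source_route_config(subnets, tunnel_if, vr="trust-vr"):
    """Render the ScreenOS CLI lines used in the thread for a list of CIDRs.
    The trailing 'save' is left to the operator."""
    lines = [f"set vrouter {vr} source-routing enable"]
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f"set vrouter {vr} route source {net} interface {tunnel_if}")
    return lines


def _longest_match(ip, table):
    """Longest-prefix match of ip against [(network, interface), ...]."""
    best = None
    for net, iface in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def route_lookup(src, dst, source_routes, dest_routes):
    """Simplified lookup (an assumption of this example, not ScreenOS code):
    source routes are checked first, so a matching source route wins even
    when the destination is a directly connected subnet."""
    hit = _longest_match(ipaddress.ip_address(src), source_routes)
    if hit:
        return hit[1], "source"
    hit = _longest_match(ipaddress.ip_address(dst), dest_routes)
    if hit:
        return hit[1], "destination"
    return None, "none"


def hairpinned_pairs(source_routes, dest_routes):
    """List (src_net, dst_net, iface) for locally routed subnet pairs whose
    traffic a source route would divert away from the destination's own
    interface. A non-empty result means the caveat in the thread applies."""
    local = [(net, iface) for net, iface in dest_routes if net.prefixlen > 0]
    pairs = []
    for a, _ in local:
        for b, b_if in local:
            if a == b:
                continue
            src = str(a.network_address + 1)  # first host of each subnet
            dst = str(b.network_address + 1)
            iface, kind = route_lookup(src, dst, source_routes, dest_routes)
            if kind == "source" and iface != b_if:
                pairs.append((str(a), str(b), iface))
    return pairs


# Constructed route tables for the scenario in the thread.
TUNNEL = "tunnel.2"
NEW_SUBNETS = ["192.168.14.0/24", "192.168.24.0/24"]
SOURCE_ROUTES = [(ipaddress.ip_network(s), TUNNEL) for s in NEW_SUBNETS]
DEST_ROUTES = [
    (ipaddress.ip_network("10.0.0.0/24"), "ethernet1/1"),      # constructed: existing production LAN
    (ipaddress.ip_network("192.168.14.0/24"), "ethernet1/2"),  # constructed: new subnet, local
    (ipaddress.ip_network("192.168.24.0/24"), "ethernet1/3"),  # constructed: new subnet, local
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/4"),        # constructed: untrust default route
]


if __name__ == "__main__":
    for line in screenos_source_route_config(NEW_SUBNETS, TUNNEL):
        print(line)
    for src, dst in [("192.168.14.5", "8.8.8.8"),        # new subnet to Internet
                     ("10.0.0.5", "8.8.8.8"),            # production to Internet
                     ("192.168.14.5", "192.168.24.7")]:  # new subnet to new subnet
        print(src, "->", dst, route_lookup(src, dst, SOURCE_ROUTES, DEST_ROUTES))
    print("diverted into the tunnel:", hairpinned_pairs(SOURCE_ROUTES, DEST_ROUTES))
```

The `hairpinned_pairs` output is the check to run before committing the config: if the two new subnets (or either of them and the production LAN) need to talk to each other locally, the result is non-empty and, as Steve says, PBR is the tool instead.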

Re: Source route through VPN tunnel regardless of destination

09-30-2010 05:06 AM

Excellent, thank you gents.  I will report back with the end result.


Much appreciated.


Re: Source route through VPN tunnel regardless of destination

10-05-2010 07:56 AM

Your suggestions worked.  We also had to move a rule above another rule as well and that was it.  A few route changes and we were good to go.


Thank you both very much for your assistance.