Screen OS

  • 1.  VPN with Redundant gateways and multiple destinations

    Posted 07-08-2012 04:59

    Hello!


    We have to set up a VPN between our server behind a Netscreen 5200 firewall and a remote provider firewall, which is a non-ScreenOS device. We are using ScreenOS version 5.4, but an OS upgrade can also be done. The provider site has two gateways, 2.2.2.2 and 2.2.2.1. The subnets of the provider servers are also discontiguous: 10.1.1.0 and 172.16.1.0.


    The following is the scenario:


                                                                               10.1.1.0
    192.168.1.0         GW 1.1.1.1        VPN          GW1 2.2.2.1           --------------
    -----------------[Netscreen]--------------------------------------[ASA-PROVIDER]=|
                                                       GW2 2.2.2.2           172.16.1.0
                                                                               ---------------


    Now, what is the best way to achieve this? Say, if I want to go with a policy-based VPN, what will I write in the Proxy ID local IP and remote IP? Also, what about the two gateways present at the provider end? How can we configure both gateways bound to the same VPN?


    Kind Regards,

    Raheel



  • 2.  RE: VPN with Redundant gateways and multiple destinations

    Posted 07-08-2012 05:15

    The simplest setup for this would be to use a policy VPN and the VPN group feature.  I am not sure if VPN groups are available in 5.4; they are definitely in version 6.x.


    The multiple proxy IDs are automatically created when you make the policy for the traffic and use the "tunnel" action for it.  So you can create the two networks and the two policies that tunnel on the same AutoKey IKE object.


    I have a configuration outline posted in the Library on this forum.


    http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Policy-VPN-with-Dual-WAN-Auto-Failover/m-p/82570#M238



  • 3.  RE: VPN with Redundant gateways and multiple destinations

    Posted 07-08-2012 06:14


    Thanks for your reply. In your example config, you have assumed the remote gateways are bound to two different outgoing interfaces. Can we configure two remote gateways and bind them to the same outgoing interface? We have just a single internet connection and just one outgoing interface on our Netscreen.




  • 4.  RE: VPN with Redundant gateways and multiple destinations

    Posted 07-08-2012 06:20

    You are correct.  In the example the dual lines are on the ScreenOS side.  In your setup the dual lines are at the remote site.


    So the gateways have different IP addresses but the same outgoing interface, instead of the same IP address with different outgoing interfaces as in the example.


    In both cases the failover process is the same, using the VPN group bound to the AutoKey IKE.



  • 5.  RE: VPN with Redundant gateways and multiple destinations

    Posted 07-10-2012 00:37


    So does this configuration look good for my scenario?


    set vpn-group id 1

    set ike gateway "Provider" address 2.2.2.1 Main outgoing-interface "redundant1.51" preshare "6A==" proposal "pre-g1-des-md5"
    set ike gateway "Provider" cert peer-ca all
    set ike gateway "Provider2" address 2.2.2.2 Main outgoing-interface "redundant1.51" preshare "7A==" proposal "pre-g1-des-md5"

    set vpn "Provider_APP" gateway "Provider" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"  "g2-esp-aes128-sha"
    set vpn "Provider_APP_2" gateway "Provider2" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"  "g2-esp-aes128-sha"

    set vpn-group id 1 vpn "Provider_APP" weight 2
    set vpn-group id 1 vpn "Provider_APP_2" weight 1

    set policy id 393 name "Provider_APP" from "DMZ" to "Untrust"  "DMZ_Server" "Provider APP Server-1" "tcp-9999" tunnel vpn-group 1 log





  • 6.  RE: VPN with Redundant gateways and multiple destinations
    Best Answer

    Posted 07-10-2012 03:07

    Your policy is set to allow tunneling in one direction only.  This is fine if the traffic is always initiated in this direction only on the allowed ports.  Will you need the reverse direction for this or only DMZ to Untrust?


    Everything looks correct.
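    The posted configuration and the direction question in the best answer, worked through as an added Python review script (not from the thread, and not a Juniper tool): it parses the exact `set` lines posted above, lists the vpn-group members in failover order (higher weight first, as the thread uses weight 2 for the primary and 1 for the backup), shows that both gateways leave through one outgoing interface with different peer addresses, and flags what a reviewer would raise: the phase-1 proposal pre-g1-des-md5 (DH group 1, DES, MD5) and 3DES in phase 2 are weak, no-replay turns off anti-replay protection, and the single DMZ-to-Untrust tunnel policy means only that side can initiate sessions. The weak-token table and the parser's assumptions about token positions are mine, not ScreenOS's.

```python
"""Added review helper (not from the thread): parse the ScreenOS 'set' lines
posted above and report what a reviewer would check before trusting the tunnel."""
import shlex
from collections import defaultdict

# Constructed sample input: the configuration exactly as posted in the thread.
SAMPLE_CONFIG = """
set vpn-group id 1
set ike gateway "Provider" address 2.2.2.1 Main outgoing-interface "redundant1.51" preshare "6A==" proposal "pre-g1-des-md5"
set ike gateway "Provider" cert peer-ca all
set ike gateway "Provider2" address 2.2.2.2 Main outgoing-interface "redundant1.51" preshare "7A==" proposal "pre-g1-des-md5"
set vpn "Provider_APP" gateway "Provider" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"  "g2-esp-aes128-sha"
set vpn "Provider_APP_2" gateway "Provider2" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"  "g2-esp-aes128-sha"
set vpn-group id 1 vpn "Provider_APP" weight 2
set vpn-group id 1 vpn "Provider_APP_2" weight 1
set policy id 393 name "Provider_APP" from "DMZ" to "Untrust"  "DMZ_Server" "Provider APP Server-1" "tcp-9999" tunnel vpn-group 1 log
"""

# Assumption: tokens of ScreenOS's predefined proposal names that denote weak
# algorithms (pre-g1-des-md5 = preshared key, DH group 1, DES, MD5).
WEAK_TOKENS = {"g1": "DH group 1 (768-bit)", "des": "single DES", "3des": "3DES", "md5": "MD5"}


def parse_config(text):
    """Extract gateways, VPNs, VPN-group members and tunnel policies from 'set' lines."""
    cfg = {"gateways": {}, "vpns": {}, "groups": defaultdict(list), "policies": []}
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # honours the quoted object names
        if tok[:3] == ["set", "ike", "gateway"] and "address" in tok:
            cfg["gateways"][tok[3]] = {
                "address": tok[tok.index("address") + 1],
                "interface": tok[tok.index("outgoing-interface") + 1],
                "proposal": tok[tok.index("proposal") + 1],
            }
        elif tok[1] == "vpn":
            cfg["vpns"][tok[2]] = {
                "gateway": tok[tok.index("gateway") + 1],
                "proposals": tok[tok.index("proposal") + 1:],
                "no_replay": "no-replay" in tok,
            }
        elif tok[1] == "vpn-group" and "vpn" in tok:
            gid = int(tok[3])
            cfg["groups"][gid].append((tok[tok.index("vpn") + 1], int(tok[tok.index("weight") + 1])))
        elif tok[1] == "policy":
            i = tok.index("to")  # assumption: zone pair is followed by src, dst, service
            cfg["policies"].append({
                "id": int(tok[3]), "from": tok[tok.index("from") + 1], "to": tok[i + 1],
                "src": tok[i + 2], "dst": tok[i + 3], "service": tok[i + 4],
                "group": int(tok[tok.index("vpn-group") + 1]) if "vpn-group" in tok else None,
            })
    return cfg


def failover_order(cfg, gid):
    """Members of a VPN group, highest weight first: the preferred tunnel comes
    first and the next one is used when its IKE gateway stops responding."""
    return [name for name, _ in sorted(cfg["groups"][gid], key=lambda m: m[1], reverse=True)]


def group_egress(cfg, gid):
    """(peer address, outgoing interface) of every tunnel in the group; the
    thread's case is two peer addresses behind one outgoing interface."""
    out = set()
    for name, _ in cfg["groups"][gid]:
        gw = cfg["gateways"][cfg["vpns"][name]["gateway"]]
        out.add((gw["address"], gw["interface"]))
    return out


def review(cfg):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []

    def flag_weak(label, proposal):
        for t in proposal.split("-"):
            if t in WEAK_TOKENS:
                findings.append(f"{label}: proposal {proposal} uses {WEAK_TOKENS[t]}")

    for name, gw in cfg["gateways"].items():
        flag_weak(f"gateway {name} (phase 1)", gw["proposal"])
    for name, vpn in cfg["vpns"].items():
        if vpn["gateway"] not in cfg["gateways"]:
            findings.append(f"vpn {name}: gateway {vpn['gateway']} is not defined")
        if vpn["no_replay"]:
            findings.append(f"vpn {name}: anti-replay protection disabled (no-replay)")
        for p in vpn["proposals"]:
            flag_weak(f"vpn {name} (phase 2)", p)
    for gid, members in cfg["groups"].items():
        for name, _ in members:
            if name not in cfg["vpns"]:
                findings.append(f"vpn-group {gid}: member {name} is not a defined vpn")
    # Tunnel policies are one-directional: without a matching Untrust->DMZ policy
    # the remote side can never initiate, which is the point the best answer raises.
    pairs = {(p["from"], p["to"]) for p in cfg["policies"] if p["group"] is not None}
    for frm, to in sorted(pairs):
        if (to, frm) not in pairs:
            findings.append(f"policy {frm}->{to} tunnels via a vpn-group but has no reverse "
                            f"{to}->{frm} policy: sessions can only be initiated from {frm}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("failover order for vpn-group 1:", failover_order(cfg, 1))
    print("egress:", sorted(group_egress(cfg, 1)))
    for finding in review(cfg):
        print("-", finding)
```

    Run as-is it reports the two tunnels in weight order, the shared redundant1.51 egress, and eleven findings; the weak-algorithm ones are the reason to move the peers to a group-2/AES/SHA proposal once the provider side supports it, and the missing reverse policy is only a problem if the application ever needs the provider to initiate.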



  • 7.  RE: VPN with Redundant gateways and multiple destinations

    Posted 07-10-2012 04:35

    Yes, this will always be from DMZ to Untrust due to the nature of the application.


    Thanks a bunch