Screen OS

  • 1.  Virtual Router for Tunnel Interfaces

    Posted 09-17-2008 14:13
    We are looking at using a separate virtual router as described in the VPN section of the NetScreen documentation.

    I understand that we will need to have routes from our Trust-VR pointing to our VPN-VR for each of the remote networks. What is not clear to me is if we also need routes to the remote VPN gateways on the VPN-VR pointing back to the Trust-VR?

    For example let’s say our remote network is 192.168.1.1/24 which is behind the VPN gateway 10.1.1.1. We need a route for 192.168.1.1/24 in our Trust-VR pointing to our VPN-VR. But do we need a route for 10.1.1.1 in our VPN-VR that points to Trust-VR? The Trust-VR would then presumably use its default route to route it out over Internet to the remote gateway.


  • 2.  RE: Virtual Router for Tunnel Interfaces
    Best Answer

    Posted 09-17-2008 15:09

    Hi,

    Just tested this; you shouldn't need the route to allow the VPN to establish.

    For example:

    192.168.1.0/24 ---- ssg5(A) -----1.1.1.1/24-------1.1.1.2/24----ssg5(B)------10.1.1.0/24

    On ssg5(A) you need to configure a route in the trust-vr for 10.1.1.0/24 to the vpn-vr, and a route in the vpn-vr for 10.1.1.0/24 to interface tunnel.1.

    Also, in the vpn-vr you need a route for 192.168.1.0/24 to the trust-vr.

    That's all you should need.

    The VPN setup will use the default route in the trust-vr to establish the VPN to ssg5(B)'s public IP of 1.1.1.2.

    Hope this explains what you're after.

    Regards

    Andy
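    The routes from the answer above, written out as a ScreenOS configuration for ssg5(A). This is an added example, not configuration posted in the thread. Interface names and addresses beyond the ones in the diagram are assumptions: ethernet0/0 is the untrust interface (1.1.1.1/24, next hop 1.1.1.254), bgroup0 is the trust interface (192.168.1.254/24), loopback.1 carries a made-up 10.255.255.1/32, and the pre-shared key is a placeholder. Lines starting with # are annotations, not ScreenOS commands.

```screenos
# Added example, not from the thread. Assumed names: ethernet0/0 (untrust),
# bgroup0 (trust), loopback.1 10.255.255.1/32, next hop 1.1.1.254, placeholder preshare.

# Virtual routers: trust-vr exists by default, vpn-vr is created here
set vrouter name "vpn-vr"

# The "vpn" zone is owned by vpn-vr; trust and untrust stay in trust-vr
set zone name "vpn"
set zone "vpn" vrouter "vpn-vr"

# Physical interfaces
set interface ethernet0/0 zone "untrust"
set interface ethernet0/0 ip 1.1.1.1/24
set interface bgroup0 zone "trust"
set interface bgroup0 ip 192.168.1.254/24

# Loopback in the vpn zone; tunnel.1 is unnumbered and borrows its address
set interface loopback.1 zone "vpn"
set interface loopback.1 ip 10.255.255.1/32
set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip unnumbered interface loopback.1

# Phase 1: peer address plus the outgoing interface. The VR that owns this
# interface (trust-vr here) is the one that routes the IKE and ESP packets.
set ike gateway "gw-ssg5-b" address 1.1.1.2 Main outgoing-interface "ethernet0/0" preshare "CHANGE-ME" sec-level standard

# Phase 2: route-based VPN bound to tunnel.1
set vpn "vpn-ssg5-b" gateway "gw-ssg5-b" no-replay tunnel idletime 0 sec-level standard
set vpn "vpn-ssg5-b" bind interface tunnel.1
set vpn "vpn-ssg5-b" proxy-id local-ip 192.168.1.0/24 remote-ip 10.1.1.0/24 "ANY"

# Routes: exactly the three from the answer, plus the default route in trust-vr
set vrouter "trust-vr" route 0.0.0.0/0 interface ethernet0/0 gateway 1.1.1.254
set vrouter "trust-vr" route 10.1.1.0/24 vrouter "vpn-vr"
set vrouter "vpn-vr" route 10.1.1.0/24 interface tunnel.1
set vrouter "vpn-vr" route 192.168.1.0/24 vrouter "trust-vr"
# No route for 1.1.1.2 is needed in vpn-vr: the encrypted packets leave via
# ethernet0/0, which lives in trust-vr, so trust-vr's default route carries them.

# Inter-zone traffic is denied by default, so trust<->vpn needs explicit policies
set address "trust" "lan-a" 192.168.1.0/24
set address "vpn" "lan-b" 10.1.1.0/24
set policy from "trust" to "vpn" "lan-a" "lan-b" "ANY" permit
set policy from "vpn" to "trust" "lan-b" "lan-a" "ANY" permit

# Checks: route tables per VR, the lookup for a remote host, IKE state, active SAs
get vrouter
get vrouter "vpn-vr" route
get route ip 10.1.1.5
get ike cookie
get sa active
```

    Keep the policies as tight as the proxy-id: the inter-VR routes make 10.1.1.0/24 reachable from the trust zone, but it is the from-trust-to-vpn policy, not the route, that decides which hosts and services may actually cross the tunnel.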



  • 3.  RE: Virtual Router for Tunnel Interfaces

    Posted 09-17-2008 15:15

    Awesome, that's what I am looking for, and thanks for the response.

    Do you know if, once a packet enters a tunnel interface, the trust-vr always handles the routing of the encrypted packet?



  • 4.  RE: Virtual Router for Tunnel Interfaces

    Posted 09-17-2008 15:24

    All encrypted packets will be handled by the virtual router that the interface the VPN is bound to belongs to.

    So, for instance, if the VPN is bound to an interface (eth1) that is in the trust-vr, then once the packet leaves the tunnel interface encrypted it will use the trust-vr to route out eth1, because that is where the interface is bound, so it has to use that routing table. If the interface were in a different virtual router then it would use that VR.

    Hope that answers your question.

    Andy



  • 5.  RE: Virtual Router for Tunnel Interfaces

    Posted 09-17-2008 15:38

    Actually, I now have more 🙂

    Maybe I didn't explain the scenario correctly above, but the NetScreen guide talks about creating a loopback interface in the VPN zone and then using unnumbered tunnel interfaces, also in the VPN zone, that "borrow" the IP address of the loopback.

    In this case the VPN would be bound to the unnumbered tunnel interface, which is in the VPN zone handled by the VPN-VR.

    So if all encrypted packets are handled by the virtual router of the interface the VPN is bound to, and that interface is one of those unnumbered tunnel interfaces, wouldn't that mean that the VPN-VR would handle the packet?

    Or am I not understanding something else?

    Thanks for your quick help! We are moving from Cisco to Juniper and I am just trying to get my head wrapped around all the options. So far I really dig the NetScreens.



  • 6.  RE: Virtual Router for Tunnel Interfaces

    Posted 09-17-2008 15:45

    Hi,

    You are correct that you need to create a loopback interface in the VPN zone. The tunnel.1 interface binds to this for internal reachability, but it isn't used for the VPN connection to the other device.

    In the Phase 1 config of the VPN you specify the IP address of the remote VPN device and the outgoing interface (the interface that can route to the remote device, i.e. the untrust interface). This is the part that will use the route.

    Hope this answers your question.

    Andy



  • 7.  RE: Virtual Router for Tunnel Interfaces

    Posted 09-17-2008 16:00
    So if we were using both a Trust-VR and an Untrust-VR in addition to the VPN-VR, then the encrypted packet would be routed based on the Untrust-VR, since it would be connected to the Untrust zone?


  • 8.  RE: Virtual Router for Tunnel Interfaces

    Posted 09-17-2008 16:01
    Yep
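    The three-VR layout from the question above as ScreenOS configuration, added here as an example rather than taken from the thread. It assumes the same ssg5(A) as the diagram, with ethernet0/0 as the untrust interface (1.1.1.1/24, assumed next hop 1.1.1.254), a vpn-vr already created, and a placeholder pre-shared key; untrust-vr exists on ScreenOS by default. Lines starting with # are annotations, not commands.

```screenos
# Added example, not from the thread. Assumed: ethernet0/0 untrust, next hop 1.1.1.254,
# vpn-vr already created with tunnel.1 bound to the VPN, placeholder preshare.

# Move the untrust zone (and with it ethernet0/0) into untrust-vr
set zone "untrust" vrouter "untrust-vr"
set interface ethernet0/0 zone "untrust"
set interface ethernet0/0 ip 1.1.1.1/24

# The default route now belongs to untrust-vr, because ethernet0/0 lives there
set vrouter "untrust-vr" route 0.0.0.0/0 interface ethernet0/0 gateway 1.1.1.254

# trust-vr no longer owns an Internet-facing interface, so its default route
# hands traffic to untrust-vr instead of to an interface
set vrouter "trust-vr" route 0.0.0.0/0 vrouter "untrust-vr"

# The inter-VR routes between trust-vr and vpn-vr are unchanged
set vrouter "trust-vr" route 10.1.1.0/24 vrouter "vpn-vr"
set vrouter "vpn-vr" route 10.1.1.0/24 interface tunnel.1
set vrouter "vpn-vr" route 192.168.1.0/24 vrouter "trust-vr"

# The outgoing interface of the IKE gateway is what picks the VR for the
# encrypted packets: ethernet0/0 is in untrust-vr, so untrust-vr routes them
set ike gateway "gw-ssg5-b" address 1.1.1.2 Main outgoing-interface "ethernet0/0" preshare "CHANGE-ME" sec-level standard

# Checks: confirm 1.1.1.2 resolves in untrust-vr, not in trust-vr or vpn-vr
get vrouter "untrust-vr" route
get vrouter "trust-vr" route
get vrouter "vpn-vr" route
get ike cookie
get sa active
```

    The route for the peer address only has to exist in the VR that owns the IKE gateway's outgoing interface; it does not have to be repeated in the VR that owns the tunnel interface.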


  • 9.  RE: Virtual Router for Tunnel Interfaces

    Posted 09-17-2008 16:02
    Awesome, Thanks!