Screen OS

  • 1.  all traffic via VPN from Branch to Enterprise

    Posted 01-13-2010 00:19

    Hi

     

    Is it possible to route all traffic via VPN (route based) from the branch to Central and then, without a proxy, to the Internet?

    On a Cisco ASA it's not possible... any issue here on Juniper?

     

    regards

     

    Chris



  • 2.  RE: all traffic via VPN from Branch to Enterprise

    Posted 01-13-2010 01:02

    I can't see any issue with this setup. The Central will have (minimum) three interfaces:

    - Clear interface to Internet (Int A)

    - Tunnel interface to Branch (Int B)

    - LAN interface (Int C)

     

    The routing table in Central can have a default route (0.0.0.0/0) via Int A and a branch route via Int B. Both routes could be in the same virtual router.

     

    The Branch will also have three interfaces:

    - Clear interface to Internet (Int A)

    - Tunnel interface to Central (Int B)

    - LAN interface (Int C)

    In this case you'll have two default routes (0.0.0.0/0): a "public default route" via Int A and a "private default route" via Int B. You just have to put these routes in different Virtual Routers:

    Public virtual router with:

    * Int A +

    * Public default route and

    Private virtual router with:

    * Int B +

    * Int C and

    * Private default route

     

    Xavi



  • 3.  RE: all traffic via VPN from Branch to Enterprise

    Posted 01-13-2010 02:18

    Hi

     

    This is not a new installation...

    The Branch Office makes a VPN to Central, and has local Internet breakout.

    Now the IP address changed and all traffic is routed via VPN to Central.

    Now I only have to make a policy in the Central firewall that allows traffic from the branch subnet to the Internet.

    Correct?

     

    regards

     

    Chris



  • 4.  RE: all traffic via VPN from Branch to Enterprise

    Posted 01-13-2010 08:13

    To me it looks as easy as you say it. But I still think you'll have to build two Virtual Routers in the Branch because, otherwise... how is the Branch firewall going to know you want to send Internet traffic through the VPN and not directly?

    Xavi



  • 5.  RE: all traffic via VPN from Branch to Enterprise

    Posted 01-14-2010 06:18

    mhhhh, you think a route 0.0.0.0/0 interface tunnel.1 is not possible? Or a second default route with a worse metric...?

    Maybe a policy based VPN tunnel is the better way..


  • 6.  RE: all traffic via VPN from Branch to Enterprise

    Posted 01-14-2010 23:48

    Sure. Policy Based Routing is an alternative to a secondary Virtual Router.



  • 7.  RE: all traffic via VPN from Branch to Enterprise
    Best Answer

    Posted 01-15-2010 00:54

    Made myself a little lab, and yes it's the better way :D

    thanks

     

    cheers

     

    Chris



  • 8.  RE: all traffic via VPN from Branch to Enterprise

    Posted 01-18-2010 01:22

    oops

     

    another problem, traffic is going from branch to central side... but when the traffic should go then to the internet it does not work...

     

    here a "debug flow basic" from the Central side:

     **** pak processing end.
    ****** packet decapsulated, type=ipsec, len=128******
      ipid = 36050(8cd2), @03831010
      ethernet0/0:192.168.1.1/58300->195.3.96.67/1024,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 192.168.1.1->195.3.96.67) in vr trust-vr for vsd-0/flag-0/ifp-null
      cached route 26 for 195.3.96.67
      [ Dest] 26.route 195.3.96.67->10.144.60.254, to ethernet0/0
      routed (x_dst_ip 195.3.96.67) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/0
      hub-and-spoke packet, need loopback
      policy search from zone 1-> zone 2

     policy_flow_search  policy search nat_crt from zone 1-> zone 2
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 195.3.96.67, port 29813, proto 1)
     policy_flow_search  in tunnel pak_ptr policy: id: 22, from zone 1 -> 2
      No policy matched for tunnel traffic, logging for:
      VPN policy= 22: szone 1 dzone 2 pid 22 ports 8007475 iphdr 3831010
      log this session (pid=22)
      **** pak processing end.

    how do I make a rule in Central???

     

    regards

     

    chris