ScreenOS Firewalls (NOT SRX)

policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

05-20-2011 12:02 PM

I followed the instructions at http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7166 on creating a LAN to LAN VPN tunnel between my SonicWall NS 240 and my Juniper. The tunnel shows up on both ends. However, on the SonicWall side I can ping through to the Juniper but nothing else on the Juniper network. From the Juniper side, I can't ping anything or get to anything on the SonicWall side.

On both the SonicWall and the Juniper the tunnels show as up. On the Juniper it shows active and link as up. The command get sa shows the status as A/U.

I realize the instructions above are for a Juniper with a slightly different OS version but I followed them as best I could.

Does anyone have any ideas? Or troubleshooting steps I would take?

6 REPLIES

Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

05-20-2011 03:38 PM

I have about 50 SonicWall to SSG tunnels running fine. So they do work together. From the sound of the symptoms there is probably something wrong with the policies on one or both sides. Here are a few thoughts.

I notice the instructions tell you to use the all local subnets object in the SonicWall addresses. This can create multiple local network objects for the tunnel. You probably want to use the LAN primary subnet object as a single address. Be sure not to pick the LAN primary IP, which is just the interface address.

I also notice they have an explicit proxy ID configured on the SonicWall policy. I never use those and just leave it blank.

On the SSG side confirm the address objects have the correct networks and are in the right zones.

Here is the troubleshooting tree for a VPN that comes up and does not pass traffic. You are using a policy VPN in the tech note you list.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB9276

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home

Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

05-20-2011 04:19 PM

I assume you mean the Peer IKE ID? I don't see proxy ID on the SonicWall?

I'm not sure what you mean when you say I should use the "LAN primary subnet object as a single address?" The only choices I see are LAN subnets and the LAN interface IP. Should I create a new address object?


Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

05-20-2011 04:31 PM

Sorry about that, yes I meant peer not proxy.

Steve Puluka BSEET

Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

05-21-2011 08:42 AM

What about "LAN primary subnet object as a single address"? I don't quite understand what you mean, since by definition a subnet is a range of IP addresses and not a single address?


Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

05-21-2011 11:34 AM

SonicWall Enhanced OS uses address objects (single address notation) and address groups (which contain multiple address objects).

LAN Primary Subnet is an address object that is automatically set to the address range assigned to the LAN.

LAN Subnets is a group that automatically has LAN Primary Subnet and any other locally configured LANs on the firewall. So this may or may not be just the single address assigned to the primary LAN. If there are multiple addresses in this group you will get multiple proxy-ID pairs on the SonicWall side but only the single pair presented on the SSG side.

Steve Puluka BSEET

Re: policy based vpn between sonicwall ns 240 and Juniper ssg5 net os version 6.1

05-23-2011 08:40 AM

OK. I understand what you're saying. However, there is no LAN Primary Subnet as an address object. I only have one subnet in the office anyhow.

Actually I was able to get the VPN to work by moving the VPN policy on my SSG to the top and now everything looks good.

Thanks for your help!
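The two failure modes discussed in this thread, a SonicWall address group producing more proxy-ID pairs than the SSG is configured for, and a broader policy sitting above the tunnel policy on the SSG so that first-match evaluation never reaches the tunnel, can both be checked offline. The following Python is an added example, not code from the thread or from either vendor; the address ranges, zone names and policy names are constructed for illustration and are not the original poster's.

```python
"""Model two reasons a policy-based VPN shows 'up' but passes no traffic:
1. Phase 2 proxy-ID pairs the peer has no matching SA for.
2. A broader policy ordered above the tunnel policy (first match wins).
All addresses and names below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def proxy_id_pairs(local_nets, remote_nets):
    """One Phase 2 proxy-ID pair per (local, remote) combination, which is
    what a SonicWall does when an address *group* is used for the local side."""
    return {(ip_network(l), ip_network(r)) for l in local_nets for r in remote_nets}


def mirror(pairs):
    """View the peer's pairs from our side: its local network is our remote."""
    return {(r, l) for (l, r) in pairs}


def unmatched_pairs(our_pairs, peer_pairs):
    """Pairs we would propose that the peer has no corresponding Phase 2 SA for."""
    return our_pairs - mirror(peer_pairs)


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    src: str      # CIDR
    dst: str      # CIDR
    action: str   # "permit", "deny" or "tunnel"


def first_match(policies, src_zone, dst_zone, src_ip, dst_ip):
    """ScreenOS walks the policy list for a zone pair top-down and applies the
    first policy whose addresses match; anything below it is shadowed."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if (p.src_zone, p.dst_zone) == (src_zone, dst_zone) \
                and s in ip_network(p.src) and d in ip_network(p.dst):
            return p
    return None


def move_to_top(policies, name):
    """Return a new list with the named policy moved to the top."""
    target = next(p for p in policies if p.name == name)
    return [target] + [p for p in policies if p is not target]


# Constructed sample data (hypothetical addresses).
SONICWALL_LAN_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24"]   # a "LAN Subnets" group with two members
SSG_TRUST = "192.168.5.0/24"

SONICWALL_PAIRS = proxy_id_pairs(SONICWALL_LAN_SUBNETS, [SSG_TRUST])
SSG_PAIRS = proxy_id_pairs([SSG_TRUST], ["10.1.0.0/24"])  # SSG knows only one remote network

# Policy order as found: the catch-all internet policy shadows the tunnel policy.
SSG_POLICIES_AS_FOUND = [
    Policy("internet-access", "Trust", "Untrust", "0.0.0.0/0", "0.0.0.0/0", "permit"),
    Policy("vpn-to-sonicwall", "Trust", "Untrust", SSG_TRUST, "10.1.0.0/24", "tunnel"),
]
SSG_POLICIES_FIXED = move_to_top(SSG_POLICIES_AS_FOUND, "vpn-to-sonicwall")

if __name__ == "__main__":
    for l, r in sorted(unmatched_pairs(SONICWALL_PAIRS, SSG_PAIRS), key=str):
        print(f"SSG has no Phase 2 SA for SonicWall local {l} -> remote {r}")
    before = first_match(SSG_POLICIES_AS_FOUND, "Trust", "Untrust", "192.168.5.10", "10.1.0.20")
    after = first_match(SSG_POLICIES_FIXED, "Trust", "Untrust", "192.168.5.10", "10.1.0.20")
    print("policy hit before reorder:", before.name)   # internet-access (traffic leaks to the internet path)
    print("policy hit after reorder: ", after.name)    # vpn-to-sonicwall
```

The proxy-ID check explains the symptom Steve describes: the SonicWall proposes a pair for every member of the address group, and the pair the SSG was never configured for simply has no SA, so hosts in that extra subnet cannot use the tunnel even though `get sa` shows the other pair as active. The policy-order check models the fix the original poster found: with a `Trust` to `Untrust` any/any permit above the tunnel policy, traffic for the remote LAN matches the permit first and is routed (and typically NATed) toward the internet instead of entering the tunnel, so the tunnel stays "up" while nothing crosses it. Moving the tunnel policy above the catch-all makes it the first match again.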