ScreenOS Firewalls (NOT SRX)

route based site-to-site VPN

09-08-2009 09:05 PM

I am wondering if the following is possible.

Site 1

Firewall1 (FW1):

ETH0/0 - Connected to LAN (172.16.20.1/24) - Trust zone (NAT mode)

ETH0/1 - Connected to Internet (public IP from PPPoE) - Untrust zone (route mode)

Site 2

Firewall2 (FW2):

ETH0/0 - Connected to LAN (172.16.30.1/24) - Trust zone (NAT mode)

ETH0/1 - Connected to Internet (public IP from PPPoE) - Untrust zone (route mode)

Now we know that a tunnel between FW1-ETH0/1 and FW2-ETH0/1 is possible. But we want to create a tunnel between FW1-ETH0/0 and FW2-ETH0/0.

Is it possible? If it is possible, how are we going to achieve that, and what changes will we need to make?

Thanks


Re: route based site-to-site VPN

09-09-2009 06:28 AM

If I understand your setup right, you need to terminate the VPN on the Untrust interface in each case. This will provide a tunnel so that 172.16.20.0/24 and 172.16.30.0/24 can pass traffic to each other.

As you are using private IPs on Eth0/0 in each case, it is not possible to terminate the VPNs here, as to route to the other site the traffic needs to go over the Internet.


Re: route based site-to-site VPN

09-09-2009 10:41 AM

If the tunnel interface is bound to the Trust zone and the VPN traffic involves a user in the Trust zone, a policy is not needed, but an intra-zone policy (Trust to Trust) can be used.

So just change the tunnel interface to the Trust zone, for example:

set interface tunnel.1 zone trust

set interface tunnel.1 ip unnumbered interface ethernet0/0

The rest of the config would remain the same.

Thanks

Atif


Re: route based site-to-site VPN

09-09-2009 04:52 PM
Sorry, I think you have misunderstood. I want to terminate the VPN on the Trust interfaces in each case

Re: route based site-to-site VPN

09-09-2009 04:57 PM

Hi,

I understand the issue correctly: you would like to bind the VPN to the Trust interface, so you need to change the following things:

set interface tunnel.1 zone trust

set interface tunnel.1 ip unnumbered interface ethernet0/0

A policy is not needed, but an intra-zone policy (Trust to Trust) can be used.

The rest of the config would remain the same.

Thanks

Atif
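Atif's two replies above (10:41 AM and 04:57 PM) give only the two lines that move tunnel.1 into the Trust zone. The configuration below is an added, complete example from the editor, not code posted in this thread, showing where those two lines sit in a route-based VPN on two ScreenOS boxes. The point worth seeing in full is that IKE still runs between the public addresses on ethernet0/1 (the outgoing-interface of the IKE gateway); binding tunnel.1 to Trust only changes which zone the decapsulated packets arrive in. Because that makes remote-LAN traffic intra-zone, the example turns on intra-zone blocking so only the two LAN subnets are permitted; otherwise anything reaching the far end of the tunnel hits the local LAN with no policy at all. Everything not in the thread is an assumption: Site 1's PPPoE address 203.0.113.1 is treated as stable, Site 2 is a dynamic peer identified by the IKE ID fw2.example.net, and the gateway, VPN and address-book names and the pre-shared key are invented. Lines beginning with ## are annotations, not ScreenOS commands; strip them before pasting.

```screenos
## ===== FW1 (Site 1, LAN 172.16.20.0/24, assumed stable public IP 203.0.113.1) =====
## Tunnel interface in Trust, borrowing the LAN interface address (from the thread)
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0

## IKE terminates on the Untrust interface. FW2's PPPoE address changes, so FW1
## accepts it as a dynamic peer by IKE ID (aggressive mode is required for that).
set ike gateway gw-site2 dynamic fw2.example.net aggressive outgoing-interface ethernet0/1 preshare "Replace-With-A-Long-Random-PSK" sec-level standard
set vpn vpn-site2 gateway gw-site2 sec-level standard
set vpn vpn-site2 bind interface tunnel.1

## Send the remote LAN into the tunnel
set route 172.16.30.0/24 interface tunnel.1

## tunnel.1 is in Trust, so remote traffic is intra-zone. Block intra-zone
## traffic by default and permit only the two LAN subnets.
set zone trust block
set address trust lan-site1 172.16.20.0/24
set address trust lan-site2 172.16.30.0/24
set policy from trust to trust lan-site1 lan-site2 any permit
set policy from trust to trust lan-site2 lan-site1 any permit

## ===== FW2 (Site 2, LAN 172.16.30.0/24, dynamic PPPoE address) =====
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0

## FW2 knows FW1's address and identifies itself with the IKE ID FW1 expects
set ike gateway gw-site1 address 203.0.113.1 aggressive local-id fw2.example.net outgoing-interface ethernet0/1 preshare "Replace-With-A-Long-Random-PSK" sec-level standard
set vpn vpn-site1 gateway gw-site1 sec-level standard
set vpn vpn-site1 bind interface tunnel.1
## Dynamic side initiates, so let it bring the tunnel up and keep it up
set vpn vpn-site1 monitor rekey

set route 172.16.20.0/24 interface tunnel.1

set zone trust block
set address trust lan-site2 172.16.30.0/24
set address trust lan-site1 172.16.20.0/24
set policy from trust to trust lan-site2 lan-site1 any permit
set policy from trust to trust lan-site1 lan-site2 any permit
```

After committing, check each side with get ike gateway, get sa (Phase 1 and Phase 2 SAs should show active with lifetimes counting down), get interface tunnel.1 (state up, bound VPN listed), get route (the remote /24 pointing at tunnel.1) and get policy (the two Trust-to-Trust entries). Two caveats that follow from the design rather than from the thread: aggressive mode with a pre-shared key exposes the IKE ID and a PSK-derived hash to anyone on path, so the key must be long and random (or use certificates) because a weak PSK can be brute-forced offline; and if the Trust zone is left with intra-zone blocking off, the permit policies above are not consulted and every host at either site is reachable from the other without restriction.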


Re: route based site-to-site VPN

09-09-2009 05:00 PM

I understand what you are saying. Do we need to change ETH0/0 from NAT mode to Route mode?

Also, when you say Trust to Trust policy, does that mean tunnel.1 of FW1 to tunnel.1 of FW2?

Regards

RutledgeIT


Re: route based site-to-site VPN

09-09-2009 05:27 PM

"Sorry, I think you have misunderstood. I want to terminate the VPN on the Trust interfaces in each case"

Hi Atif,

The above comment was not for you. I know you have got my point and given me the right suggestion.

Cheers!

Solution (accepted by topic author rutledgeIT, 08-26-2015 01:27 AM)

Re: route based site-to-site VPN

09-09-2009 05:35 PM

No problem dude.

Atif



Re: route based site-to-site VPN

09-09-2009 07:20 PM

Do we need to add both interfaces into the same zone and route mode?