ScreenOS Firewalls (NOT SRX)

route based site-to-site VPN

09-08-2009 09:05 PM

I am wondering if the following is possible.

Site 1

Firewall1 (FW1):
ETH0/0 - Connected to LAN (172.16.20.1/24) - Trust zone (NAT mode)
ETH0/1 - Connected to Internet (public IP from PPPoE) - Untrust zone (route mode)

Site 2

Firewall2 (FW2):
ETH0/0 - Connected to LAN (172.16.30.1/24) - Trust zone (NAT mode)
ETH0/1 - Connected to Internet (public IP from PPPoE) - Untrust zone (route mode)

Now we know that a tunnel between FW1-ETH0/1 and FW2-ETH0/1 is possible. But we want to create a tunnel between FW1-ETH0/0 and FW2-ETH0/0.

Is it possible? If it is possible, then how are we going to achieve that and what changes will we need to make?

Thanks

8 REPLIES

Re: route based site-to-site VPN

09-09-2009 06:28 AM

If I understand your setup right, you need to terminate the VPN on the Untrust interface in each case. This will provide a tunnel so that 172.16.20.0/24 and 172.16.30.0/24 can pass traffic to each other.

As you are using private IPs on Eth0/0 in each case, it is not possible to terminate the VPNs here, as to route to the other site the traffic needs to go over the internet.


Re: route based site-to-site VPN

09-09-2009 10:41 AM

If the tunnel interface is bound to the Trust zone and VPN traffic involves a user on the Trust zone, a policy is not needed, but an intra-zone policy (Trust to Trust) can be used.

So just change the tunnel interface to the trust zone, for example:

set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0

The rest of the config would remain the same.

Thanks

Atif


Re: route based site-to-site VPN

09-09-2009 04:52 PM
Sorry, I think you have misunderstood. I want to terminate the VPN on the Trust interfaces in each case.


Re: route based site-to-site VPN

09-09-2009 04:57 PM

Hi,

I understand the issue correctly: you would like to bind the VPN to the trust interface, so you need to change the following things:

set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0

A policy is not needed, but an intra-zone policy (Trust to Trust) can be used.

The rest of the config would remain the same.

Thanks

Atif
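To show what "the rest of the config" looks like around Atif's two lines, here is an added example of the FW1 side of such a route-based VPN with tunnel.1 in the Trust zone; it is not configuration from the original thread. Assumed: static public addresses 203.0.113.10 (FW1) and 198.51.100.20 (FW2) instead of the PPPoE-assigned ones in the question, the object and gateway names, and the pre-shared key placeholder; the lines starting with # are explanation and are not CLI input.

```screenos
# FW1 (site 1): LAN 172.16.20.0/24 on ethernet0/0 (Trust), Internet on ethernet0/1 (Untrust).
# Addresses, names and the key below are assumed placeholders, not values from the thread.

# Address objects for both LANs live in the Trust address book, because the
# tunnel interface (and therefore the remote LAN) is placed in the Trust zone.
set address trust "lan-site1" 172.16.20.0 255.255.255.0
set address trust "lan-site2" 172.16.30.0 255.255.255.0

# Tunnel interface in the Trust zone, borrowing ethernet0/0's address (Atif's two lines).
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Phase 1: IKE gateway to FW2's public address. The IKE/ESP packets still leave
# through ethernet0/1; only the zone of the tunnel endpoint changes.
set ike gateway "gw-site2" address 198.51.100.20 main outgoing-interface ethernet0/1 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard

# Phase 2: IPsec VPN bound to the tunnel interface (route-based VPN), replay protection on.
set vpn "vpn-site2" gateway "gw-site2" replay tunnel idletime 0 sec-level standard
set vpn "vpn-site2" bind interface tunnel.1

# Route the remote LAN into the tunnel.
set route 172.16.30.0/24 interface tunnel.1

# Least privilege: by default ScreenOS passes Trust-to-Trust traffic without any
# policy, so the whole remote site would reach the LAN unchecked and unlogged.
# Enabling intra-zone blocking and adding explicit, logged policies keeps the
# tunnel traffic under policy control.
set zone trust block
set policy from "Trust" to "Trust" "lan-site1" "lan-site2" "ANY" permit log
set policy from "Trust" to "Trust" "lan-site2" "lan-site1" "ANY" permit log
```

FW2 mirrors this with the LAN objects, peer address and route swapped.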


Re: route based site-to-site VPN

09-09-2009 05:00 PM

I understand what you are saying. Do we need to change ETH0/0 from NAT mode to Route mode?

Also, when you say Trust to Trust policy, that means tunnel.1 of FW1 to tunnel.1 of FW2.

Regards

RutledgeIT


Re: route based site-to-site VPN

09-09-2009 05:27 PM

"Sorry, I think you have misunderstood. I want to terminate the VPN on the Trust interfaces in each case."

Hi Atif,

The above comments were not for you. I know you have got my point and given me the right suggestion.

Cheers!

Solution accepted by topic author rutledgeIT, 08-26-2015 01:27 AM

Re: route based site-to-site VPN

09-09-2009 05:35 PM

No problem dude.

Atif

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.


Re: route based site-to-site VPN

09-09-2009 07:20 PM

Do we need to add both interfaces into the same zone and route mode?