One of the nicest things about Juniper ScreenOS firewalls is how easy the CLI makes it to create and maintain configurations. Site-to-site VPN is a good example: given two working Juniper firewalls, a route-based IPsec tunnel takes three short steps on each side. Let's see how difficult it is;
First create a tunnel interface (ip unnumbered borrows the address of the interface you name, so tunnel.1 needs no address of its own):
set interface tunnel.1 zone <Zone>
set interface tunnel.1 ip unnumbered interface <Interface>
Create the VPN parameters (an IKE gateway for phase 1, a VPN object for phase 2, and bind the VPN to the tunnel interface). The pre-shared key and the proposal must match on both peers:
set ike gateway <Gateway-Name> address <Remote-Peer-IP> <Mode> outgoing-interface <Interface-Name> preshare "Key" proposal <Proposal>
set vpn <VPN-Name> gateway <IKE-Gateway> sec-level compatible
set vpn <VPN-Name> bind interface <Tunnel-Interface>
Create a route to send the traffic over the VPN:
set route <Remote-Network>/<Mask> interface tunnel.1
The route alone is not enough: you also need a policy permitting the traffic between the zone of your internal interface and the zone tunnel.1 is placed in, and the same three steps (with the addresses swapped) on the other firewall.
Example:
SiteA-Network --- Firewall-1 ----- Firewall-2 --- SiteB-Network
Firewall-1 [ethernet0/1 - outside interface in zone 'untrust', 1.1.1.1/30]
Firewall-2 [ethernet0/1 - outside interface in zone 'untrust', 2.2.2.2/30]
Firewall-1 [Internal network is 20.20.20.0/24]
Firewall-2 [Internal network is 10.10.10.0/24]
So the configuration on Firewall-1 would look like this (PASSWORD is a placeholder; use a long random pre-shared key, and give Firewall-2 the mirror image with 1.1.1.1 as the peer and 20.20.20.0/24 as the remote network);
###################################################################
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/1
set ike gateway "ToSiteB" address 2.2.2.2 main outgoing-interface ethernet0/1 preshare PASSWORD proposal pre-g2-3des-sha
set vpn "TOSITEB-VPN" gateway "ToSiteB" sec-level compatible
set vpn "TOSITEB-VPN" bind interface tunnel.1
set route 10.10.10.0/24 interface tunnel.1
###################################################################

Hello,
Well, I have a question.
I have 2 NetScreen firewalls, one is a NetScreen 5GT and the other is a NetScreen SSG20. I would like to know how I could go about creating a site-to-site VPN between them?
How do I allow my Microsoft PPTP client behind the NetScreen 5GT to connect to the remote RAS server behind the NetScreen SSG20?
ThankS,
Jai
You can follow the same way on both sides as described in the post to get the tunnel up.
Now if you create a site-to-site connection then you wouldn't need PPTP.
Cheers,
Rajesh
I did follow the same procedure mentioned in your post on both NetScreen firewalls (i.e. 5GT and SSG20) but I am not able to ping both networks from either side, although it shows that tunnel.1 is ready on both ends. I am quite new to NetScreen, so could you let me know how to go about it next?
Thanks in advance
Regards
Jai
Though in the event log of both firewalls I get the message B16-SYSTEM INFO 00536 PHASE 2 MSG ID: Completed negotiations with SPI, tunnel ID, and LIFETIME SECONDS/KB.
So this basically means IKE negotiations have completed successfully, right? Yet I am not able to ping either network from either end. I do have a doubt: the proxy ID is 0.0.0.0/0.0.0.0 for both local and remote on both ends. Should I change it?
Thanks,
JAI
Or should I add a policy from trust to untrust and untrust to trust with information about the source network and destination network on both firewalls and connect it to the tunnel VPN?
Though if I do that it pops up "peer to siteb have vpn with tunnel interface binding"?
Thanks,
Jai
You need to have the policy allowing the traffic, as well as point the route to the tunnel on both ends.
Are you trying to ping from the netscreen device or behind it?
Cheers,
Rajesh
Well, I have a question as to whether setting up a single-host site-to-site VPN is similar to the one created with subnets...
As in, the client requires a single-host-entry site-to-site VPN connection to be set up from our office to their office...
So what I do have is a public IP assigned to the untrust interface and another secondary public IP on the untrust interface mapped to a server within our network (that is going to be mapped to their network).
And the client has provided us with 2 public IPs (let's say IP A and IP B) and according to them IP B is their VPN endpoint...
My doubt is that while I am configuring the VPN from our side, the AutoKey Advanced Gateway IP address would be IP A, right?
And while creating the bidirectional policy, in the source and destination address tab I will be filling in the VPN endpoint single-host public address (i.e. IP B in the case of the client site and the secondary public IP that I have assigned to the server from our end), and that's it, right, or do I need to do any additional steps?
And also the secondary public IP that I have mapped to the server within our network (static NAT) will be the VPN endpoint IP address, right?
So it's basically that a site-to-site VPN has to be set up but with a single-host address entry.
We are using a Netscreen 5GT , Any inputs will be really helpful ..
Thanks and Regards,
Mac
>>My doubt is that while am configuring the VPN from our side the Auto key Advanced Gateway Ip address would be IP A right?
This should be IP B if their VPN termination point is IP B.
Cheers,
Rajesh
Let me just give you a brief scenario: the client wants to establish a site-to-site VPN but with a single host public IP address from both ends, so they won't have any duplication of IP addresses that occurs with private IP addresses, as they have many VPNs set up.
(I.e. they provided us with 2 IPs, one is a VPN endpoint IP and the other is a public IP used within their tunnel, and we too have provided them with 2 public IPs, one is our untrust IP and another public IP that has been mapped to our server within our network that has a private IP.)
Now I am setting up a policy-based site-to-site VPN and have configured both the IKE phase and IPsec phase, but since I am only supposed to provide a single public host IP address from my network, what I have done is assign the second public IP and map it to my internal network IP address.
But when I create the bidirectional policy where the source is my single host public IP and the destination is the client's single public IP...
It doesn't work: if I run `get sa` my status is inactive and the SPI is 0000000... but if I give my internal private IP in the source instead of the public IP the negotiations take place. So what do I do?
In Objects > Address List, in the trust zone, can we enter the source public IP that I have mapped and then use it in the policy?
How do I go about getting my single host public IP address to be used instead of the internal private address?
Any inputs would be really Helpful?
Thanks in advance.
Regards,
Mac
You should be configuring the MIP and have a vpn policy for the MIP ip address.
Cheers,
Rajesh
The MIP has been configured on the untrust interface to the specific server within the intranet. When you say policy, do you mean from untrust to trust, where source is set to Any and destination is set to the public IP address (i.e. mapped to the server within the intranet)? I have done that... or should I make the MIP policy bidirectional? Or do I need to create the MIP on the trust interface?
I am stuck in the policy part: when I create the bidirectional policy with source being my host public address and destination being their host public address, there seems to be some issue with the MIP and the bidirectional policy...
Could you throw some light on it?
Thanks in advance..
Regards..
Mac
You need to have a bidirectional policy from trust mip to untrust
Cheers,
Rajesh
I.e., let's say my internal server address is 192.168.2.45 and the public IP is 220.x.x.x, to be mapped to the server with IP 192.168.2.45. Then:
On the untrust interface I create a MIP where
Mapped IP is 202.x.x.x
Netmask is 255.255.255.255
Host IP address is 192.168.2.45
Host virtual router name is trust-vr
Now do I need to create a MIP on the trust interface too, where the
Mapped IP would be 192.168.2.45
Netmask is 255.255.255.255
Host IP is 202.x.x.x
Host virtual router name is trust-vr???
And then if I do create a bidirectional policy for the MIP, what do I fill in for the source and destination address?
As in, destination address 202.x.x.x is fine, but for source do I fill it in as Any or 192.168.2.45?
And after this I again need to create a bidirectional policy from my host public IP address to the client public IP address.
Thanks again,
Mac
My mistake, as I have mentioned the public IP as 220.x.x.x in one place and then 202.x.x.x in another. Both stand for the same.
Thank,
Mac
Hi
I am trying to form a VPN using an SSG20. However, I get the same problem when I form one with a different brand of VPN router or firewall.
One of the remote routers is a Linksys RV042. The configuration is as follows:
LAN(10.11.0.0/24) === (10.11.0.1)RV042(1.1.1.10) — (1.1.1.1)INTERNET(2.2.2.1) — (2.2.2.10)Cisco Router(192.168.1.1) — (192.168.1.2)SSG20(10.1.1.1) === (10.1.1.0/24)LAN
As far as I know the Linksys can connect to the SSG20; phase 1 and phase 2 pass.
On the SSG20, I created tunnel.1 as the interface, with a static route bound to tunnel.1. But in the interface page, tunnel.1 is always down.
Please help me check the reason why the interface never comes up.
Thanks a lot
Ben
Thanks for this. I got it working.
However I had to change the line
“set ike “ToSiteB” address 2.2.2.2 main outgoing-interface ethernet0/1 preshare PASSWORD proposal pre-g2-3des-sha”
to read
“set ike gateway “ToSiteB” address 2.2.2.2 main outgoing-interface ethernet0/1 preshare PASSWORD proposal pre-g2-3des-sha”
Hello,
I have the same scenario as described but I have two zones in Site A that I want to communicate through the tunnel to Site B.
Is it possible?
Thanks
Hi Guys,
One query. I have 2 Juniper SSG5 devices and need to establish a site-to-site VPN tunnel. Is it possible to establish a VPN tunnel between a private IP address and a public IP address?
I mean, device A has a private IP address subnet and device B has a public IP address subnet... so is it possible to establish a site-to-site VPN tunnel? How do I do it?
Thank you
Yes you can. Basically the only difference is that one side has a private IP as the interesting network and the other end a public IP; it should work. Normally both sides will be private IPs. The technology works on the same principle.
Cheers,
Rajesh
Thank You Rajesh….Can I have your email id.