Hi,
First, I set up ethernet0/1 (1.1.1.254/24) & ethernet0/2 (2.2.2.254/24)
Second, I set up ethernet1/0 (3.3.3.254/24) and MIP --> NAT Policy
tks
Hello, a dialup VPN client wants to access some services in one of the VPN sites.
Dialup VPN Client <----------> Site A <----------> Site B
172.31.99.63 192.168.135.0/24 192.168.96.0/20
Site A and Site B are forming a site-to-site VPN. The Dialup VPN can access the services in Site A.
I have changed the site A firewall policy proxy ID (untrust VPN client to trust).
After this modification, I pinged 192.168.99.109 and got the result below.
2016-09-01 12:51:19 172.31.99.63:1103 192.168.99.109:1 0.0.0.0:0 0.0.0.0:0 ICMP 0 sec. 0 0 Traffic Denied
2016-09-01 12:51:09 172.31.99.63:1101 192.168.99.109:1 0.0.0.0:0 0.0.0.0:0 ICMP 0 sec. 0 0 Traffic Denied
2016-09-01 12:51:04 172.31.99.63:1100 192.168.99.109:1 0.0.0.0:0 0.0.0.0:0 ICMP 0 sec. 0 0 Traffic Denied
Referring to one of the topics, I should add a firewall policy 172.31.99.xx/24 to 192.168.96.0/20. http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Dial-up-VPN-to-SSG-20-multiple-zones/td-p/1946
However, this topic is showing a route-based VPN. Both the site A and site B firewalls are using policy-based VPN.
Could anyone show me what I should configure in order to let the Dialup VPN client access site B services?
Many Thanks =)
Yes, it is
Can I make another route-based tunnel on the same outgoing interface?
Hello Rtilak,
Sorry, I don't get your meaning. Do you mean whether the Site A to Site B policy-based VPN is active or not?
It is in an active state. Site A (single subnet) is accessing Site B (multiple subnets).
All of these policies are active.
Thanks
Sorry for the confusion, I am asking about your security policy setup.
Your MIP security policy should be before your general internet policy on this menu:
Policy > Policies
Trust to Untrust
Also enable logging for the rules so we can see what actions are taken for the traffic on which policy.
Finally, is your general outbound NAT using policy interface NAT or interface mode on the bgroup0 interface? If you still have interface mode on, this should be turned off and source NAT added to the advanced tab of the general outbound policy.
Hello,
Could you show me what configuration I need to do?
Will it cause the existing tunnel to be temporarily disconnected during the reconfiguration?
Thanks
For the command "set nsrp rto-mirror route", if we are using VSD-ID 1 (one VSD only), can I go ahead with this command, or does the VSD-ID have to be 0? If so, is there any other way to sync the routing table for dynamic protocols on the standby firewall?
This command is only supported for vsd 0.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB15690
Can anyone help for this?
Thanks =)
Hi,
I hope nothing has been changed in the config. Can you please get the information below:
1: get sa
2: get sa id <id number of the dialup vpn from the previous command>, e.g. get sa id 1
3: debug flow basic for the working and for the non-working stream
https://kb.juniper.net/InfoCenter/index?page=content&id=KB12208&smlogin=true&actp=search
4: What client are you using?
Thanks,
Vikas
Policies are fine. This sounds more like a routing issue. In order for trust to untrust traffic to use the MIP, the egress interface has to be the one that the MIP is configured on. In this case, it looks as though the egress interface is eth0/1, but the MIP is on eth1/0. You have a few options for this.
1. Configure a source route for 192.168.7.144 that points to eth1/0
2. Configure the MIP on a loopback interface and bind all of your untrust interfaces to that loopback group.
The second option is probably the easiest.
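Option 2 from the post above, written out as an added example for this thread rather than copied from it. It reuses the addresses posted earlier (ethernet1/0 at 3.3.3.254/24, internal host 192.168.7.144) and assumes that ethernet0/1, ethernet0/2 and ethernet1/0 are all in the Untrust zone, that 3.3.3.10 is the MIP address, that loopback.1 is free and that 203.0.113.1/32 is a spare address for it; all of those are assumptions, as is the ScreenOS 6.x syntax, so compare with `get config` on your own box. Lines beginning with "#" are annotations, not commands.

```screenos
# Added example, not configuration from this thread. Assumed: loopback.1,
# MIP address 3.3.3.10, loopback address 203.0.113.1/32, all three
# ethernet interfaces in zone Untrust.
# 1. Loopback in the Untrust zone; every Untrust interface joins its
#    loopback group, so the MIP is answered (ARP) and reverse-translated
#    whichever interface the route lookup selects as egress.
set interface loopback.1 zone Untrust
set interface loopback.1 ip 203.0.113.1/32
set interface ethernet0/1 loopback-group loopback.1
set interface ethernet0/2 loopback-group loopback.1
set interface ethernet1/0 loopback-group loopback.1
# 2. Move the MIP from ethernet1/0 to the loopback.
unset interface ethernet1/0 mip 3.3.3.10
set interface loopback.1 mip 3.3.3.10 host 192.168.7.144 netmask 255.255.255.255 vr trust-vr
# 3. Inbound policy references the MIP; outbound traffic from the host is
#    reverse-translated under the ordinary Trust->Untrust policy.
set policy from Untrust to Trust any mip(3.3.3.10) any permit log
# 4. Checks: MIP now lives on the loopback; route lookup for an Internet
#    address shows which interface is egress; the session from the host
#    must show 3.3.3.10 as translated source whatever that interface is.
get mip
get interface loopback.1
get route ip 8.8.8.8
get session src-ip 192.168.7.144
```

One caveat: the MIP here sits outside the loopback's own /32, which needs a ScreenOS release that allows a MIP on a different subnet from its interface; if `set interface loopback.1 mip` is rejected, give the loopback an address in the same block as the MIP instead.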
You are probably going to want to do a route based dial up VPN. Think of this as a hub and spoke VPN, with the dial up client being one of the spokes. Also, you are going to want to configure an IP address pool, so that you can route the traffic back from site B to site A, then to the dial up VPN.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB15272 talks about route based dial up VPNs.
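The route-based dial-up layout suggested above, as an added example for this thread and not the poster's configuration: site A terminates the dial-up client on a tunnel interface and hands the client an address from a pool, so the pool is an ordinary subnet that site B can route and write policy for. Everything named here is an assumption: ethernet0/0 as the Untrust interface, the user, gateway, VPN and address-object names, the pool 172.31.99.1-254 (chosen to contain the client address 172.31.99.63 seen earlier), the proposals, and the existing A-B tunnels called "siteA-siteB" and "siteB-siteA". The syntax is ScreenOS 6.x as I recall it; check against `get config` before applying. Lines beginning with "#" are annotations, not commands.

```screenos
# Added example, not this thread's configuration. Assumed names throughout.
# --- Site A (hub) ---
# Tunnel interface for the dial-up spoke, unnumbered on the Untrust interface.
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
# Pool assigned through XAuth; this is the subnet site B routes back to.
set ippool "dialup-pool" 172.31.99.1 172.31.99.254
set xauth default ippool "dialup-pool"
# IKE user identified by IKE-ID, aggressive-mode dial-up gateway, XAuth local.
set user "dialup-user" ike-id u-fqdn "dialup@example.com" share-limit 1
set user "dialup-user" type ike
set user "dialup-user" "enable"
set ike gateway "dialup-gw" dialup "dialup-user" aggressive outgoing-interface "ethernet0/0" preshare "<preshared-key>" proposal "pre-g2-3des-sha"
set ike gateway "dialup-gw" xauth server "Local"
# Phase 2 bound to the tunnel interface: routing, not proxy IDs, decides.
set vpn "dialup-vpn" gateway "dialup-gw" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "dialup-vpn" bind interface tunnel.1
set route 172.31.99.0/24 interface tunnel.1
# Address objects and policies. Client -> site A LAN is Untrust -> Trust;
# client -> site B enters and leaves through Untrust, so it is Untrust -> Untrust.
set address Untrust "dialup-pool-net" 172.31.99.0 255.255.255.0
set address Trust "siteA-lan" 192.168.135.0 255.255.255.0
set address Untrust "siteB-lan" 192.168.96.0 255.255.240.0
set policy from Untrust to Trust "dialup-pool-net" "siteA-lan" any permit log
# If the A-B leg stays policy-based (as in this thread), the tunnel policy's
# addresses are its proxy ID, so the pool must appear in a tunnel policy on
# both ends; each such policy negotiates its own Phase 2 SA.
set policy from Untrust to Untrust "dialup-pool-net" "siteB-lan" any tunnel vpn "siteA-siteB" log
# --- Site B ---
set address Untrust "dialup-pool-net" 172.31.99.0 255.255.255.0
set address Trust "siteB-lan" 192.168.96.0 255.255.240.0
set policy from Untrust to Trust "dialup-pool-net" "siteB-lan" any tunnel vpn "siteB-siteA" log
# Checks at site A: the pool route points at tunnel.1 and both Phase 2 SAs are up.
get route ip 172.31.99.63
get sa active
```

The policy-based A-B leg is the part that bites in this thread: without a tunnel policy whose source is the pool subnet at A and a matching one at B, the client's packets reach the A-B tunnel with a proxy ID no Phase 2 SA covers and are dropped, which is what "Traffic Denied" in the log above is consistent with.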
Hello Vikassingh
Dialup VPN Client <----------> Site A <----------> Site B
172.31.99.63 192.168.135.0/24 192.168.96.0/20
I tried to add an untrust to untrust policy in site A and added a route in site B.
Both site A and B are using a default route and policy-based VPN.
I'm using NCP Secure Client
Please refer to the attachment for the log captured
Many Thanks
I understand that below is your client tunnel:
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
0000801b< 223.197.162.232 500 esp:3des/sha1 d7754bae 3182 unlim A/D 19 0
0000801b> 223.197.162.232 500 esp:3des/sha1 8ba81672 3182 unlim A/D -1 0
As I requested earlier, I will need the 'get sa id <id>' output as well to see the proxy ID etc. In this case the command to get the SA details would be 'get sa id 801b'.
Also, from the debugs I see you are trying to ping from 172.31.99.63 to 192.168.135.1, which might be working. However, packets are not seen in the debug because the filters were not added. You need to have bidirectional filters, and there is no need to add a filter for the tunnel endpoints; just have filters for the actual IPs. For example, if your machine is getting IP x.x.x.x (IPSec client IP) and the destination you are trying to ping is y.y.y.y, then two filters will be needed as below:
set ffilter src-ip x.x.x.x dst-ip y.y.y.y
set ffilter src-ip y.y.y.y dst-ip x.x.x.x
Please collect the complete SA details and the debug logs with the appropriate filter for the working and the non-working traffic. Also, please let me know what IPs you are pinging during the test.
Thanks,
Vikas
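The capture procedure described in the reply above, as an added example for this thread (not the poster's own session), using the client address 172.31.99.63 and the two destinations 192.168.135.1 and 192.168.99.109 already mentioned; the SA id 801b is taken from the `get sa` output quoted above. On the releases I have used, `unset ffilter` with no argument removes all filters; if yours does not, unset them by the ids shown in `get ffilter`. Lines beginning with "#" are annotations, not commands.

```screenos
# Added example, not the poster's session. Run on the site A CLI.
# 1. Start with an empty debug buffer and confirm no stale filters exist.
clear db
get ffilter
# 2. One filter per direction for the working pair and for the failing pair;
#    filter on the inner (pre-encapsulation) addresses, not the tunnel endpoints.
set ffilter src-ip 172.31.99.63 dst-ip 192.168.135.1
set ffilter src-ip 192.168.135.1 dst-ip 172.31.99.63
set ffilter src-ip 172.31.99.63 dst-ip 192.168.99.109
set ffilter src-ip 192.168.99.109 dst-ip 172.31.99.63
# 3. Capture, send a few pings from the client to each destination, then stop.
debug flow basic
# (from the client: ping 192.168.135.1, then ping 192.168.99.109)
undebug all
# 4. Read the buffer. For each packet compare the route lookup result (which
#    interface or tunnel it was sent to) with the policy search outcome; the
#    failing flow should show exactly where it is denied or mis-routed.
get db stream
# 5. Proxy ID of the dial-up SA, to compare with the policy addresses.
get sa id 801b
# 6. Release the buffer and filters so they do not stay active afterwards.
clear db
unset ffilter
```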
Hello Vikas,
I made two filters:
1. 172.31.99.63 to 192.168.135.1
2. 172.31.99.63 to 192.168.99.109
In the firewall policy, I found the traffic flow below.
You can refer to the attachment.
Thanks,
Kay