Solved

Can't Route Traffic Between 2 Branch Offices Using Netscreen Routers

Posted on 2008-10-31
Last Modified: 2012-05-05
I have inherited a network consisting of a main operation office and 2 branch offices. For connectivity, the main office uses a Juniper Networks Netscreen NS-25 and the branch offices use Netscreen NS5XP & NS5GT. By looking at the existing policies I can see that the main office is connected to each branch office via VPN tunnel. At the main office I can ping each branch office and vice versa; however, while at branch office 1, I cannot ping branch office 2.

I'm sure that what I am trying to do is possible, I am just too unfamiliar with JUNOS. Essentially I would like to do this: route traffic between 2 branch offices using the main office as a go-between. Consider this diagram of the current network:

Branch 1 <----VPN----> Main    (dedicated IP on both public sides)
Branch 2 <----VPN----> Main    (dynamic IP at Branch 2)

I would like to accomplish the following:

Branch1 <---- Main ----> Branch2

Any suggestion would greatly be appreciated.
Question by:ezg5016
7 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22856802


What are you pinging at branch office 2? Hopefully it is something inside and not the VPN termination point?


harbor235 ;}
 

Author Comment

by:ezg5016
ID: 22857489
From Branch office 1 segment (192.168.253.1/24) I can ping main office segment (10.1.1.1/24) and vice versa. Same holds true for Branch office 2. Server farm lives in the main office segment so both branches can ping within.

We installed a data collection device within the branch office 2 segment (10.3.1.1/24) but the data monitoring software is installed at the Branch office 1 segment.

I hope this helps.
 
LVL 5

Accepted Solution

by:
thechaosrealm earned 168 total points
ID: 22924558
Here's how the NetScreens work. To set up a secure network between two sites, you must configure a VPN tunnel. If you have multiple sites, you must configure a VPN tunnel between every two sites you want to see each other.

Branch 1 <----> Main <----> Branch 2  

What this is showing is that Branch 1 and Main can communicate both directions and Branch 2 and Main can communicate both directions. If you want Branch 1 and Branch 2 to communicate, you must create an additional tunnel.

Branch 1 <----> Main <----> Branch 2
Branch 1 <----> Branch 2

The steps for doing this are quite similar as they would be for setting up Branch 1 to main, but let me know if you need help with that portion.


LVL 2

Assisted Solution

by:DeanGoldhill
DeanGoldhill earned 166 total points
ID: 23172439
I would say the comment by thechaosrealm is the best approach.

However, this would not use the main office as a 'go through'.
But I don't think using the main office as a 'go through' is a good idea; traffic will be much slower and I don't see any benefits!

But if you really want to do it like that, you should be able to just create a route on each client (routing traffic for the other client to the main office) and a policy on the main office that says traffic going from client 1 must use the VPN tunnel to client 2.

And just by the way, Netscreens and SSGs run on ScreenOS, not JUNOS (just in case you try to load the wrong software).

Good Luck
Cheers
 

Author Comment

by:ezg5016
ID: 23176353
Thank you all. I have been away on a special project and am revisiting this issue later this afternoon. I will keep you posted.
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 166 total points
ID: 23251546
In Concepts & Examples, Volume 5 VPN, there is a configuration example for "Hub-and-Spoke" VPNs. Those are one-main-office-to-many-branches VPN tunnels for communicating in all directions. However, the traffic volume (and therefore performance) is affected. It is appropriate if one of the following is true:
  • the branches are so many that a full mesh configuration would not be manageable
  • all traffic has to pass the head office, for scanning or logging reasons or whatsoever.
  • the branch office devices are not capable of servicing enough tunnels.
  • inter-branch traffic is not that much and would not justify the configuration overhead for each branch.
If there are only up to 5 sites, I would prefer to use a full mesh configuration - each branch can connect to each other directly.
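As an added illustration (not from any poster in this thread), here is what the hub-and-spoke arrangement DeanGoldhill sketches and Qlemo points to in the C&E guide looks like in ScreenOS CLI, using the three subnets given above. The tunnel interface names (tunnel.1, tunnel.2), their binding to the Untrust zone, the address-book entry names and the assumption that the two existing VPNs are route-based and already bound to those tunnel interfaces are all mine; substitute whatever the inherited config actually uses.

```text
# --- Main office (hub, NS-25) ---
# assumed: VPN to Branch 1 bound to tunnel.1, VPN to Branch 2 bound to tunnel.2, both in Untrust
set address untrust "Branch1-LAN" 192.168.253.0 255.255.255.0
set address untrust "Branch2-LAN" 10.3.1.0 255.255.255.0
# static routes send each branch's subnet into its own tunnel
set route 192.168.253.0/24 interface tunnel.1
set route 10.3.1.0/24 interface tunnel.2
# both tunnels live in one zone: enable intra-zone blocking so that
# branch-to-branch traffic is actually checked against policies
set zone untrust block
set policy from untrust to untrust "Branch1-LAN" "Branch2-LAN" any permit
set policy from untrust to untrust "Branch2-LAN" "Branch1-LAN" any permit

# --- Branch 1 (NS5XP) ---
# assumed: VPN to Main bound to tunnel.1
set address untrust "Main-LAN" 10.1.1.0 255.255.255.0
set address untrust "Branch2-LAN" 10.3.1.0 255.255.255.0
# the other branch is reached through the same tunnel as the main office
set route 10.1.1.0/24 interface tunnel.1
set route 10.3.1.0/24 interface tunnel.1
set policy from trust to untrust any "Branch2-LAN" any permit
set policy from untrust to trust "Branch2-LAN" any any permit

# --- Branch 2 (NS5GT) ---
# assumed: VPN to Main bound to tunnel.1 (dynamic public IP does not change these lines)
set address untrust "Main-LAN" 10.1.1.0 255.255.255.0
set address untrust "Branch1-LAN" 192.168.253.0 255.255.255.0
set route 10.1.1.0/24 interface tunnel.1
set route 192.168.253.0/24 interface tunnel.1
set policy from trust to untrust any "Branch1-LAN" any permit
set policy from untrust to trust "Branch1-LAN" any any permit
```

If the inherited tunnels turn out to be policy-based rather than route-based, the routes above do not apply and the Phase 2 proxy-IDs on both ends of each tunnel must instead cover the other branch's subnet, otherwise the hub will drop the inter-branch packets as not matching the SA. Narrow the `any` service in the intra-zone policies to the data collection traffic once it works, so the hub forwards only what the monitoring software needs.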