Site to Site VPN between 2 juniper ssg20's

Hi Experts,
I want to set up a site-to-site VPN on my Juniper SSG20. I have 2 devices, 1 at each office. The internet connections are static IPs. I want to use the web-based CLI to set this up. Surely this can be done via me just logging into the remote Juniper over the internet, or locally through the network in the country. I don't want to do command line as there is no cable connected to do this. Any help would be appreciated. I have a good understanding of the setup; I just think I'm a couple of tricks away from getting it working.

flowit Asked:
deimark Commented:
Can you send us a copy of your config from both ends please?  I need to confirm exactly how you have the VPN set up and then I can suggest a possible solution.
0
 
deimark Commented:
Have a look at this, bud:

http://kb.juniper.net/index?page=content&id=KB7739&actp=search&searchid=1239880142745

Also, the CLI is a very useful tool and can aid troubleshooting and config.

Note, you don't always need a console connection for the CLI, just an SSH client and SSH enabled on the device.

HTH
0
 
flowit Author Commented:
Hi, thanks for this. I have set the VPN up at the local site and the remote.
It still would not work, so I altered the policy to any address on both ends; this brought the tunnel up. Although I could still not ping the other site. After I created this bidirectional tunnel I was no longer able to log in remotely to the site with a custom web-based remote control software we use. After removing the policy it started to work again.

I have one subnet at site A on 10.6.40.x
and site B is also 10.6.41.x

One of my subnet masks is /8 and the other is /24!!!
Please help
0

 
deimark Commented:
I would say that the subnet issue is causing some of these issues, and it would be better if we fixed that to see if it corrected the other problems.

Basically, we have 2 nets that overlap, namely one of them is a /8, i.e. 10.0.0.0/8, and another is a /24, namely 10.6.41.0/24 (as an example).

The /24 overlaps with the bigger /8 and is likely to be causing some issues with regards to anti-spoofing etc.

So first of all, can the /8 be renumbered to a /24? Using a /8 netmask does severely limit the addresses other firewalls can use for their own nets at the end of VPNs (which is likely to be why the VPN policy failed and you had to change it to "any").
0
 
flowit Author Commented:
I knew it was something to do with that. No idea why it's /8; the other site is /24, and eventually I want them on the same domain. I will see how much this would affect if I try to change it.
I will need to change the server and the clients etc. as well as the Juniper.

0
 
flowit Author Commented:
Can I not use 10.6.41/24 and 10.6.40/24?
0
 
deimark Commented:
Yup, that's what I was aiming at, bud.

Just renumbering the /8 side to use /24 would certainly help a lot.
0
 
flowit Author Commented:
OK, I've changed the SSG20 on the LAN side to /24 (255.255.255.0)
and reconfigured the DC. Clients will just come in tomorrow and get a fresh IP address from DHCP. I hope I have not missed anything; it's getting late in the day.

0
 
deimark Commented:
Hehe, no worries bud, let us know how it goes
0
 
flowit Author Commented:
Had to sort the DHCP scope out, which uses the mask, so I deleted the old one and recreated it as the users have gone home now.
0
 
flowit Author Commented:
OK, both sites now have /24 and I have configured my policy like so:

Trust to untrust on site A, trust being 10.6.41.0/24 to untrust 10.6.40.0/24, and it's a bidirectional tunnel with "position at top" enabled. What is that, by the way? I have done the same on the other SSG20, swapping the settings accordingly.

0
 
deimark Commented:
I take it when you created the VPN you used a policy-based VPN, i.e. in the policy rule you have an action of tunnel?

If yes, then this is the basic way to set up a VPN, specifying that all traffic from net 1 to net 2 will be encrypted and sent over the appropriate tunnel as specified.

As this is done via a policy, it's only one way; hence we need the other rule to encrypt the return traffic.

The "position at top" is just a handy button to make sure the rule is added at the top, as by default any new rule is added to the bottom and then may get "hidden" or overruled by rules above it.

So has the VPN now come up then? Is everything working as it should?
0
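The two points deimark makes in this thread, that a /8 on one side overlaps the /24 on the other so a narrow VPN policy cannot match cleanly, and that a policy-based VPN needs one tunnel rule per direction placed above any broader rule, can be checked with a small model of the rule base. The following is an added example, not code from the thread or from Juniper; it models first-match policy evaluation in Python and uses the site subnets from the thread (10.6.41.0/24 and 10.6.40.0/24), with the VPN name and zone names as placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One firewall policy, in the order it sits in the rule base."""
    from_zone: str
    to_zone: str
    src: IPv4Network
    dst: IPv4Network
    action: str                 # "permit", "deny" or "tunnel"
    vpn: Optional[str] = None   # tunnel name when action == "tunnel"


def overlapping_nets(nets: dict) -> list:
    """Return every pair of named networks whose address ranges overlap.

    An overlap such as 10.0.0.0/8 against 10.6.41.0/24 is the situation the
    thread identifies as the reason the narrow VPN policy would not come up.
    """
    return sorted((a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
                  if na.overlaps(nb))


def first_match(policies: list, from_zone: str, to_zone: str,
                src_ip: IPv4Address, dst_ip: IPv4Address) -> Optional[Policy]:
    """Top-down, first-match lookup (assumed model of the firewall's ordering):
    a rule appended at the bottom is hidden by any broader rule above it."""
    for p in policies:
        if (p.from_zone == from_zone and p.to_zone == to_zone
                and src_ip in p.src and dst_ip in p.dst):
            return p
    return None


def tunnel_status(policies: list, local_net: IPv4Network, remote_net: IPv4Network,
                  local_zone: str = "trust", remote_zone: str = "untrust") -> dict:
    """Check that a sample host in each subnet hits a *tunnel* policy in both
    directions; a policy-based VPN needs a separate rule per direction."""
    l_host, r_host = local_net[10], remote_net[10]
    out = first_match(policies, local_zone, remote_zone, l_host, r_host)
    back = first_match(policies, remote_zone, local_zone, r_host, l_host)
    return {
        "outbound": out.action if out else "no-match",
        "inbound": back.action if back else "no-match",
        "bidirectional_tunnel": bool(out and back
                                     and out.action == back.action == "tunnel"),
    }


def add_policy(policies: list, policy: Policy, position_at_top: bool = False) -> list:
    """Return a new rule base with the policy at the top or (default) the bottom."""
    return [policy] + policies if position_at_top else policies + [policy]


# Constructed data: site A is 10.6.41.0/24 and site B is 10.6.40.0/24, as in
# the thread; OLD_SITE_A is the /8 the first site was using before renumbering.
SITE_A = ip_network("10.6.41.0/24")
SITE_B = ip_network("10.6.40.0/24")
OLD_SITE_A = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")

# A pre-existing broad outbound rule, typical of a default rule base.
BASELINE = [Policy("trust", "untrust", ANY, ANY, "permit")]
TO_B = Policy("trust", "untrust", SITE_A, SITE_B, "tunnel", "vpn-site-b")     # placeholder name
FROM_B = Policy("untrust", "trust", SITE_B, SITE_A, "tunnel", "vpn-site-b")


def shadowed_rule_base() -> list:
    """Tunnel rules appended at the bottom: the outbound one is hidden by the
    broad permit above it, so outbound traffic would not be tunnelled."""
    return add_policy(add_policy(BASELINE, TO_B), FROM_B)


def fixed_rule_base() -> list:
    """Same rules added with 'position at top': the tunnel rules win."""
    rb = add_policy(BASELINE, TO_B, position_at_top=True)
    return add_policy(rb, FROM_B, position_at_top=True)


if __name__ == "__main__":
    print("overlap before renumbering:", overlapping_nets({"site_a": OLD_SITE_A, "site_b": SITE_B}))
    print("overlap after renumbering: ", overlapping_nets({"site_a": SITE_A, "site_b": SITE_B}))
    print("rules at bottom:", tunnel_status(shadowed_rule_base(), SITE_A, SITE_B))
    print("rules at top:   ", tunnel_status(fixed_rule_base(), SITE_A, SITE_B))
```

Running it shows the /8 flagged against the /24, no overlap once both sites are /24, and the outbound tunnel rule being swallowed by the broad permit unless it is placed at the top.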
 
flowit Author Commented:
No, the VPN won't come up unless I put the address details for the rule as any,
when using 10.6.40.0/24 for one end and 10.6.41.0/24 for the other.
The source IP network is the one I am connected to, right, and the destination is the other end? Bidirectional used.

0
 
flowit Author Commented:
Hey,
it's up. Cheers for the help, pal.
0
 
deimark Commented:
Hehe, no worries bud, glad I could help.
0