Solved

Site to Site VPN between 2 juniper ssg20's

Posted on 2009-04-16
1,391 Views
Last Modified: 2013-11-16
Hi Experts
I want to set up a site-to-site VPN on my Juniper SSG20. I have 2 devices, 1 at each office. The internet connections are static IPs. I want to use the web-based GUI to set this up. Surely this can be done via me just logging into the remote Juniper over the internet, or locally through the network in the country. I don't want to do command line as there is no cable connected to do this. Any help would be appreciated. I have a good understanding of the setup, just think I'm a couple of tricks away from getting it working.

Question by:flowit
15 Comments
LVL 18

Expert Comment

by:deimark
ID: 24156326
Have a look at this bud

http://kb.juniper.net/index?page=content&id=KB7739&actp=search&searchid=1239880142745

Also, the CLI is a very useful tool and can aid troubleshooting and config.

Note, you dont always need a console connection for the CLI, just an SSH client and SSH enabled on the device.

HTH

Author Comment

by:flowit
ID: 24157986
Hi, thanks for this. I have set the VPN up at the local site and the remote.
It still would not work, so I altered the policy to "any" address on both ends; this brought the tunnel up. Although I could still not ping the other site. After I created this bi-directional tunnel I was no longer able to log in remotely to the site with a custom web-based remote control software we use. After removing the policy it started to work again.

I have one subnet at site A on 10.6.40.x
and site B is also 10.6.41.0

One of my subnet masks is /8 and the other is /24!!!
Please help
LVL 18

Expert Comment

by:deimark
ID: 24158366
I would say that the subnet issue is causing some of these issues and it would be better if we fixed that to see if it corrected the other problems.

Basically, we have 2 nets that overlap, namely one of them is a /8, i.e. 10.0.0.0/8, and the other is a /24, namely 10.6.41.0/24 (as an example).

The /24 overlaps with the bigger /8 and is likely to be causing some issues with regards to anti-spoofing etc.

So first of all, can the /8 be renumbered to a /24? Using a /8 netmask does severely limit the addresses other firewalls can use for their own nets at the ends of VPNs (which is likely to be why the VPN policy failed and you had to change it to "any").
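An added worked example (not part of the thread, nor Juniper's code) that shows deimark's overlap point in code, using only Python's standard library. The prefixes are the ones named in the thread; the host addresses 10.6.40.10 and 10.6.41.10 and the helper names are constructed for the demo. It also checks a related symptom: a host that still carries a /8 mask treats the far site as on-link and never hands the packet to the SSG to be tunnelled, which is one plausible reason a ping across the tunnel fails even after it comes up.

```python
"""Check whether two VPN-side LAN prefixes overlap, and whether a host's
subnet mask would keep remote-site traffic off the VPN gateway.

Added example for this thread; not from the original post or from Juniper.
Prefixes 10.0.0.0/8, 10.6.40.0/24 and 10.6.41.0/24 come from the thread;
the host addresses are constructed sample values.
"""
import ipaddress


def overlap_report(local_cidr, remote_cidr):
    """Return (overlaps, note) for two LAN prefixes.

    A policy-based VPN encrypts traffic matching 'source net -> dest net'.
    If one net lies inside the other, the firewall cannot separate local
    from remote traffic by address, so a specific policy cannot match.
    """
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    if local.overlaps(remote):
        if local.prefixlen < remote.prefixlen:
            bigger, smaller = local, remote
        else:
            bigger, smaller = remote, local
        return True, f"{smaller} lies inside {bigger}; renumber so both are distinct /24s"
    return False, f"{local} and {remote} are disjoint; a source/destination policy can tell them apart"


def host_thinks_peer_is_on_link(host_ip, host_prefixlen, peer_ip):
    """True when a host with this mask treats the peer as a directly attached
    neighbour (it will ARP for it locally) instead of sending the packet to
    its default gateway, the SSG, where the tunnel policy could match it.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{host_prefixlen}")
    return ipaddress.ip_address(peer_ip) in iface.network


if __name__ == "__main__":
    for a, b in [("10.0.0.0/8", "10.6.41.0/24"), ("10.6.40.0/24", "10.6.41.0/24")]:
        print(a, b, overlap_report(a, b))
    # Site A host still on a /8 mask: believes 10.6.41.10 is local, ping never reaches the VPN.
    print(host_thinks_peer_is_on_link("10.6.40.10", 8, "10.6.41.10"))
    # Same host after renumbering to /24: the packet goes to the gateway.
    print(host_thinks_peer_is_on_link("10.6.40.10", 24, "10.6.41.10"))
```

This is why the thread moves on to fixing the DHCP scope as well as the firewall: every host needs the /24 mask, not just the SSG's LAN interface.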

Author Comment

by:flowit
ID: 24158452
I knew it was something to do with that. No idea why it's /8; the other site is /24 and eventually I want them on the same domain. I will see how much this would affect if I try to change it.
I will need to change the server and the clients etc. as well as the Juniper.


Author Comment

by:flowit
ID: 24158507
Can I not use 10.6.41/24 and 10.6.40/24?
LVL 18

Expert Comment

by:deimark
ID: 24158584
Yup, that's what I was aiming at bud.

Just renumbering the /8 side to use /24 would certainly help a lot

Author Comment

by:flowit
ID: 24158929
OK, I've changed the SSG20 on the LAN side to /24 (255.255.255.0)
and reconfigured the DC. Clients will just come in tomorrow and get a fresh IP address from DHCP. I hope I have not missed anything; getting late in the day.

LVL 18

Expert Comment

by:deimark
ID: 24158971
Hehe, no worries bud, let us know how it goes

Author Comment

by:flowit
ID: 24159003
Had to sort the DHCP scope out, which uses the mask, so I deleted the old one and recreated it as the users have gone home now.

Author Comment

by:flowit
ID: 24159267
OK, both sites now have /24 and I have configured my policy like so:

Trust to untrust on site A, trust being 10.6.41.0/24 to untrust 10.6.40.0/24, and it's a bi-directional tunnel with "position at top" enabled. What is that, by the way? I have done the same on the other SSG20, swapping the settings accordingly.

LVL 18

Expert Comment

by:deimark
ID: 24159682
I take it when you created the VPN you used a policy-based VPN, i.e. in the policy rule you have an action of "tunnel"?

If yes, then this is the basic way to set up a VPN and specifying that all traffic from net 1 to net 2 will be encrypted and sent over the appropriate tunnel as specified.

As this is done via a policy, it's only 1 way; hence, we need the other rule to encrypt the return traffic.

The "position at top" is just a handy button to make sure the rule is added at the top, as by default, any new rule is added to the bottom and then may get "hidden" or overruled by rules above it.

So has the VPN now come up then? Is everything working as it should?
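An added example (not from the thread, and not ScreenOS syntax) that models the two points in the comment above: a policy-based tunnel rule only covers one direction, and a rule appended at the bottom of a first-match policy list can be shadowed by a broader rule above it, which is what "position at top" avoids. The `Rule` class, the `vpn-siteb` name and the broad outbound permit are constructed for the demo; the prefixes are the thread's 10.6.41.0/24 (site A) and 10.6.40.0/24 (site B).

```python
"""Toy first-match policy table for a policy-based VPN.

Added example for this thread; not ScreenOS code or syntax. Rule layout,
the 'vpn-siteb' name and the broad permit rule are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    src: str          # source network, CIDR
    dst: str          # destination network, CIDR
    action: str       # "permit", "deny" or "tunnel"
    vpn: str = ""     # tunnel name when action == "tunnel"

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; return (action, vpn). Unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.vpn
    return "deny", ""


def add_rule(rules, rule, position_at_top=False):
    """Append at the bottom by default; 'position at top' makes it the first rule."""
    return [rule] + rules if position_at_top else rules + [rule]


# Site A's existing policy: let the whole LAN out to anywhere.
base = [Rule("10.6.41.0/24", "0.0.0.0/0", "permit")]
# The VPN rule: site A LAN -> site B LAN goes into the tunnel.
tunnel_a_to_b = Rule("10.6.41.0/24", "10.6.40.0/24", "tunnel", "vpn-siteb")

bottom = add_rule(base, tunnel_a_to_b)                         # default placement
top = add_rule(base, tunnel_a_to_b, position_at_top=True)      # "position at top"
# Return direction needs its own rule; a tunnel policy is one-way.
both = add_rule(top, Rule("10.6.40.0/24", "10.6.41.0/24", "tunnel", "vpn-siteb"), True)

if __name__ == "__main__":
    # Shadowed by the broad permit when appended at the bottom: never tunnelled.
    print(evaluate(bottom, "10.6.41.10", "10.6.40.10"))   # ('permit', '')
    # Placed at the top, the specific rule matches first.
    print(evaluate(top, "10.6.41.10", "10.6.40.10"))      # ('tunnel', 'vpn-siteb')
    # Return traffic from site B has no matching rule until the second rule exists.
    print(evaluate(top, "10.6.40.10", "10.6.41.10"))      # ('deny', '')
    print(evaluate(both, "10.6.40.10", "10.6.41.10"))     # ('tunnel', 'vpn-siteb')
```

The shadowing case is the one to check when a tunnel only comes up with "any" addresses: a narrower rule that sits below a broad permit is never reached, so the traffic leaves unencrypted rather than triggering the tunnel.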

Author Comment

by:flowit
ID: 24166153
No, the VPN won't come up unless I put the address details for the rule as "any".
When using 10.6.40.0/24 for one end, the other is 10.6.41.0/24.
The source IP network is the one I am connected to, right, and the destination is the other end? Bi-directional used.

LVL 18

Accepted Solution

by:deimark (earned 2000 total points)
ID: 24166488
Can you send us a copy of your config from both ends please?  I need to confirm exactly how you have the VPN set up and then I can suggest a possible solution.

Author Comment

by:flowit
ID: 24168956
Hey,
it's up. Cheers for the help, pal.
LVL 18

Expert Comment

by:deimark
ID: 24169028
Hehe, no worries bud, glad I could help.