VPN Set up on Juniper SSG 20

Posted on 2009-04-24
Last Modified: 2012-05-06
We need to set up a VPN connection between our office and a remote site.

We have an SBS 2003 network (using a single network card) with an OpenVMS server within this network.
Our SSG20 has an ADSL PIM installed.
We need the OpenVMS server to connect to the remote site in both directions.

Our network IP range is 10.x.x.x/24
The OpenVMS server address is 10.x.x.150
The adsl 0/1 gateway is 81.x.x.61
The router/ethernet address is 10.x.x.70

The remote site details are:
Network IP range is 192.x.234.0/25
Database server address is 192.x.234.7
Gateway 213.x.x.4

We have been allocated the following:
VPN subnet 192.x.236.112/29
NAT address for our OpenVMS server is 192.x.236.118

Address 192.x.236.118 needs to be mapped to the 10.x.x.150 address and then subsequently connect to the remote site via VPN.

If any further information is required, please ask.

Any assistance would be greatly appreciated.
Question by: MahargNala

22 Comments
LVL 18

Expert Comment

by:deimark
ID: 24223764
First of all, the below link should help you with any config or troubleshooting questions here.

http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm

I think I understand what you want here, i.e. a VPN to another site with the host at 10.x.x.150 hidden behind 192.x.236.118.

Can you tell us what the VPN end point on the other side is? I.e. another Juniper, a Cisco, Check Point etc?

Also, can you tell us why you have to hide the OpenVMS server behind that address? What is the VPN network likely to be used for here?

Normally, a VPN will allow traffic from 2 LANs to travel encrypted through the internet to the other side, i.e. 10.x.x.x/24 can talk to 192.x.234.0/25 (and vice versa) through the tunnel. Normally, no NATting or IP hiding is used.

So, can you clarify a little of the reasoning behind your requirements, as it may assist in suggesting the most suited solution.

Author Comment

by:MahargNala
ID: 24224025
Hi Deimark

First of all, thank you for your very prompt response.

Yes, you are correct in your assumption regarding the 10.x.x.150 behind 192.x.236.118.

The remote VPN point is a NetScreen.

The remote site also uses a 10.x.x.x range for their local network, but the 192 range is used for their support services to external clients.

The VPN is being used for file updates and support issues.

I hope this is sufficient; if not, please advise and we will try to get more info for you.
LVL 18

Expert Comment

by:deimark
ID: 24224157
OK, that makes a bit more sense.

So, the main reasoning is that there is the same addressing scheme being used at each end, and if we don't NAT, then there will be problems.

Is the OpenVMS the only device that's likely to talk to the remote network? Or is there a chance that other nodes on the network will need to gain access as well? The reason I ask is that some form of NATting will need to get done on all nodes that need to access the remote net.

OK, well what we could do is as follows:

1. Set up a route-based VPN between the 2 Junipers - ensure that NAT traversal is turned on!!!!
2. On your trust interface, create a secondary IP of 192.x.236.118
3. Create a DIP on that interface using the same IP of 192.x.236.118
4. For outgoing traffic from OpenVMS to the remote LAN host, create a src NAT policy as follows:

From trust to untrust, from OpenVMS to remote server (you will need to create the object), permit and log.
On the advanced section, select the src NAT section and use the DIP created in 3.

This should translate the server to the required IP of 192.x.236.118, and with a destination address of the DB server of 192.x.234.7, the packets will get sent to the tunnel interface created in 1 and encrypted.

If you need to accept traffic to the server on your net from the remote net, then an incoming NAT dest rule needs to be created.

HTH

Author Comment

by:MahargNala
ID: 24225178
Thanks for the info.

With regard to your question "Is the OpenVMS the only device that's likely to talk to the remote network?" - yes it is.

We have been following the above instructions and we find that other users (on the local 10.x.x.x range) are being logged off - we use a terminal emulator to connect to 10.x.x.150 locally.

Do you have any notes that would give step-by-step instructions to set up each section to make sure we are not mistyping anything?

Thanks
LVL 18

Expert Comment

by:deimark
ID: 24225276
I would have a look at the Juniper docs for more details on the specific implementation of NAT etc.

www.juniper.net/techpubs

Go to ScreenOS and select the version you are running.

If the steps above affect other users, then limit the NAT policies and VPN access if required.

Author Comment

by:MahargNala
ID: 24225327
What speed!

Thanks I will look into that and report back shortly (but not as quick as you I guess)
LVL 18

Expert Comment

by:deimark
ID: 24225367
Hehe, it's Friday....

Not too busy at work :D

Author Comment

by:MahargNala
ID: 24225808
Quick question

We are looking at the instructions (v6.2.0) Vol. 5 page 87, which show route-based site-to-site VPN AutoKey IKE.

We are getting a bit confused with the relevant IP addresses. Could you edit the IP addresses for us, taking the "Tokyo" site as us and the "Paris" site as the remote?

Or are we looking at the wrong instructions? I am starting to feel really stupid now.
LVL 18

Accepted Solution

by: deimark (earned 2000 total points)
ID: 24225990
OK, as below (btw, the page is 99 in the doc for 6.2 I have :P):

Our network IP range is 10.x.x.x/24
The OpenVMS server address is 10.x.x.150
The adsl 0/1 gateway is 81.x.x.61
The router/ethernet address is 10.x.x.70

The remote site details are:
Network IP range is 192.x.234.0/25
Database server address is 192.x.234.7
Gateway 213.x.x.4

Create tunnel interface and route for VPN
=================================
Create a new tunnel IF, unnumbered (borrowing IP from the DSL interface).
Create a new route under Network > Routing > Destination > Add.
Create a route for 192.x.234.0/25 to go via tunnel.1 (as created above).

Set up the VPN
============

Create an IKE GW (phase 1) for the remote peer and use its external IP of 213.x.x.4.

Create AutoKey IKE using the IKE GW above. NOTE: select the option to bind to the tunnel interface!!!


Allow valid traffic via security policy (and NAT)
======================================

Create the rules as before, only specifying the private addresses, i.e. the correct directions, hosts and NAT as per the DIP info previously.

NOTE:
#####

As the policy based VPN does not use a proxy ID by default, the other side NEEDS to have a proxy ID that matches too.

Does this help any?
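The steps in the accepted solution and in deimark's earlier numbered list (tunnel interface, route, IKE gateway, AutoKey IKE bound to the tunnel, proxy ID, secondary IP, DIP and the src/dst NAT policies), written out as ScreenOS CLI so each GUI step can be cross-checked. This is an added example, not deimark's or Juniper's own text. The addresses are the page's x-masked values and each x must be replaced; the interface names bgroup0 (assumed to be the trust-zone interface on an SSG 20) and adsl1/0 (assumed name of the ADSL PIM interface, which the asker calls "adsl 0/1"), the object names, policy ids, DIP id and the pre-shared-key placeholder are all assumptions. Lines beginning with # are annotations, not CLI commands.

```screenos
# --- Tunnel interface and route ("Create tunnel interface and route for VPN") ---
# tunnel.1 sits in the untrust zone and borrows its IP from the ADSL interface.
# "adsl1/0" is an assumed name; confirm the real one with: get interface
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface adsl1/0
# Remote support range is reached through the tunnel, not the default route.
set route 192.x.234.0/25 interface tunnel.1

# --- Phase 1 / Phase 2 ("Set up the VPN") ---
# Peer is the remote NetScreen's public address 213.x.x.4; NAT traversal on, per step 1.
set ike gateway "to-remote" address 213.x.x.4 main outgoing-interface adsl1/0 preshare "REPLACE-WITH-PSK" sec-level standard
set ike gateway "to-remote" nat-traversal
# AutoKey IKE VPN bound to the tunnel interface (the option deimark flags with NOTE).
set vpn "to-remote-vpn" gateway "to-remote" sec-level standard
set vpn "to-remote-vpn" bind interface tunnel.1
# Proxy ID: our allocated VPN subnet on the local side, the remote support range on theirs.
# The remote side must configure the mirror image or Phase 2 will not come up.
set vpn "to-remote-vpn" proxy-id local-ip 192.x.236.112/29 remote-ip 192.x.234.0/25 "ANY"

# --- Secondary IP and DIP on the trust interface (steps 2 and 3) ---
# "bgroup0" is assumed to be the trust-zone interface.
set interface bgroup0 ip 192.x.236.118/32 secondary
# DIP 5 is a one-address pool; without "fix-port" it does plain port translation.
set interface bgroup0 dip 5 192.x.236.118 192.x.236.118

# --- Address objects and policies ("Allow valid traffic via security policy (and NAT)") ---
set address trust "openvms" 10.x.x.150 255.255.255.255
set address untrust "remote-db" 192.x.234.7 255.255.255.255
set address untrust "openvms-nat" 192.x.236.118 255.255.255.255
# Step 4: outbound, OpenVMS -> remote DB server, source NAT via DIP 5, permit and log.
set policy id 10 from trust to untrust "openvms" "remote-db" any nat src dip-id 5 permit log
# The "incoming nat dest rule": remote DB -> 192.x.236.118 is delivered to the OpenVMS host.
set policy id 11 from untrust to trust "remote-db" "openvms-nat" any nat dst ip 10.x.x.150 permit log

# --- Checks ---
# Bring the tunnel up from the inside, as deimark suggests later in the thread,
# then confirm Phase 1, the active SA and that policy 10 is being hit.
# ping 192.x.234.7 from bgroup0
# get ike cookies
# get sa active
# get policy id 10
```

Policies 10 and 11 are deliberately limited to the one host pair, which also answers the later complaint that other 10.x.x.x users were affected: nothing outside "openvms" matches the NAT policy.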

Author Comment

by:MahargNala
ID: 24226154
I see that you are looking at the "Policy based vpn" as opposed to the "Route based" you mentioned in your previous message
LVL 18

Expert Comment

by:deimark
ID: 24226203
Nope, route-based VPN.

We may have slightly different versions here then, but mine is on p99 figure 32.

Note: I am using a previously downloaded complete version for Release 6.2.0, Rev. 01, so there may be a few differences in page numbering, but the essence of the text (especially for this concept) will be the same.

Author Comment

by:MahargNala
ID: 24226609
Tunnel created.

VPN between sites created.

Secondary IP 192.x.236.118/32 set up.

We are not sure about the DIP - should it be IP shift from 192.x.236.118 to 10.x.x.150 ~ 10.x.x.150 followed by "in same subnet"?

Also, the correct settings for the policies.

I know we are asking at a basic level, but our brains are turning to mush.
LVL 18

Expert Comment

by:deimark
ID: 24226845
Create as plain port xlate bud.

Author Comment

by:MahargNala
ID: 24226958
Quick question

Is DIP working if we have DHCP turned off on the router (we run DHCP from SBS 2003)?
LVL 71

Expert Comment

by:Qlemo
ID: 24227073
DIP is working without DHCP (they are not related)

Author Comment

by:MahargNala
ID: 24227092
Thanks

Author Comment

by:MahargNala
ID: 24227204
If we run traceroute via the command line from PC 10.x.x.22, it completes to the remote gateway.

If we run the same traceroute via the command line from OpenVMS 10.x.x.150, it fails on the last step.

Would it be an idea to send you a chart with what we need to achieve?
LVL 18

Expert Comment

by:deimark
ID: 24227780
Possibly

I would also send us the output of the trace commands from both the firewall and hosts.

Note you can test a VPN by sending a ping from the inside interface, ie ping x.x.x.x from trust

Author Comment

by:MahargNala
ID: 24240274
Hi

sorry about taking so long to get back to you

I have been in contact with the remote site guys and they are checking to see if everything is okay on their side

I think that we have our side correct and there may be a small error in the "handshake" security which they will check today

I will keep you posted

Thanks again for your kind assistance

Author Comment

by:MahargNala
ID: 24240575
Hi Deimark

We have it sorted!!

The final link in the chain was the Proxy ID at the remote site, which they failed to provide us with.

We followed your excellent instructions; however, we added a MIP on the tunnel interface instead of the "DIP" on the trust interface.

Thanks for all your help, it is greatly appreciated.

MahargNala
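The variant the asker ended up with: a MIP on tunnel.1 instead of the secondary IP plus DIP on the trust interface. A MIP is a static one-to-one mapping that translates in both directions, so the two NAT policies become plain permit rules. This is an added example, not the asker's actual configuration; it assumes tunnel.1, the IKE gateway, the VPN with its proxy ID, the route and the address objects "openvms" and "remote-db" already exist under the same assumed names as in the earlier CLI example, and that the trust side lives in the default trust-vr virtual router.

```screenos
# Drop the DIP-based policies from the earlier approach before replacing them.
unset policy id 11
unset policy id 10

# MIP on the tunnel interface: 192.x.236.118 <-> 10.x.x.150, a /32 one-to-one mapping.
# The host address is looked up in trust-vr (the default virtual router, assumed here).
set interface tunnel.1 mip 192.x.236.118 host 10.x.x.150 netmask 255.255.255.255 vrouter trust-vr

# With a MIP the translation happens on the interface, so neither policy carries a nat clause.
# Outbound: OpenVMS -> remote DB; the source becomes 192.x.236.118 as it enters tunnel.1,
# which matches the local proxy ID 192.x.236.112/29.
set policy id 10 from trust to untrust "openvms" "remote-db" any permit log
# Inbound: remote DB -> the MIP address, delivered to 10.x.x.150. ScreenOS exposes the
# mapping as the address object MIP(192.x.236.118).
set policy id 11 from untrust to trust "remote-db" "MIP(192.x.236.118)" any permit log

# Checks: the MIP table, the SA, and that the remote proxy ID mirrors ours.
# get mip
# get sa active
# get vpn "to-remote-vpn"
```

Because the MIP already fixes the public address of the one host, the secondary IP on the trust interface is no longer needed for this design, which also removes the side effect of the DIP on other 10.x.x.x users that the asker reported.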

Author Closing Comment

by:MahargNala
ID: 31574161
Thanks, you are a pleasure to deal with
LVL 18

Expert Comment

by:deimark
ID: 24240633
No worries bud, glad to be of assistance here. :P