I'm having a problem setting up a route based site-to-site VPN connection between 2 Juniper SSG20 units.

My network vendor who sold me the 2 units is evidently too busy to figure out how to fix the problem. He is also still learning how to setup the units.

Here is the problem:

I followed the manual that comes in the CD almost to the letter. (page 97-102). The problem is either one site can ping the other site or the other way around. We've never managed to get the 2 sites to ping one another. Status report actually says that VPN connection is up.

My suspicion is on the fact that my network guy insists that the routing entries on both devices must be made on the "untrust-vr" section. But it doesn't work. If we do this, then Branch office can ping the HQ but not the other way around.

The manual (which I've tried) says to put the routing entries on the "trust-vr" section. Which will allow HQ to ping Branch but not the other way around.

I suspect the problem might be because the internet zone is setup as "ISP-NAME (untrust-vr)". The manual seems to refer the internet zone as "Untrust (trust-vr)". Therefore my first question is: should internet zone be in untrust-vr or trust-vr? I assume the "Untrust" part is just a name to indicate that this zone is an Untrust zone within the trust-vr?

Second thing is that: On the HQ device he has multiple entries in both untrust-vr and trust-vr. These entries seem to point to the internet gateway. One entry in trust-vr seems to be the one that is allowing HQ to ping branch and cause the vpn to work.
But then again, when we set all entries on untrust-vr, branch can ping hq, only not the other way around.

Can someone please explain to me what is going on? I wasn't expecting to be met with so many issues.

Thank You.

Btw, I'd appreciate it if your help could be SSG specific. I'm sure there are many similarities with other brands, but I'm not knowledgeable enough to find or understand them.
deimark Commented:
Fair enough bud, but I will need to know the zone info, virtual router details, VPN and route info.

I can appreciate that you are unwilling to post config details here, I wouldn't post either hehe.

But have a look at the following article bud, http://kb.juniper.net/KB8533

It gives quite a good idea on how to configure different route based VPNs and you may be able to see what config the original doc was trying to action and then correct the mistakes.

From what you have said here, it seems to be a route based VPN you are setting up, is that correct?

To allow me to best help here, can you copy in the configs for both units please?

I suspect that there is some form of inconsistency with the instructions you are following here, but for most situations the use of 1 VR, namely the trust VR, is fine. As for multiple routes, the system will use them all in a round robin scenario, so to keep things simple (unless you MUST use 2 default routes), delete all the non-essential routes and leave the main one on its own.

With the configs, I will be able to add more details.
SW111 (Author) Commented:
Hi Deimark,

appreciate your help. You've helped me in the past and I'm grateful for your help.
That being said.... sending the configs of both units is a bit risky....
perhaps there are some particulars that I can look up for you?

Please don't misunderstand. I don't mean to be difficult. It's just that it was why we needed a Juniper in the first place.... so it doesn't seem to be my best option. Sorry.
SW111 (Author) Commented:
Hi Deimark,
So at last my network guy found time to sort out the issue. The solution, according to him, is to simply create a route like this on the HQ site:
in HQ trust-vr, create a route to untrust: Branch-Trust-LAN.

And it seems to work.
I still don't understand why he's doing it differently than the manual (putting the internet connection on untrust-vr instead of trust-vr), which I think complicates matters. I hope I can give you a better picture of the whole setup, but his cloak and dagger approach is confusing me (and I think himself) when we needed to refer to the manual.
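As an added illustration of the fix SW111 describes (a static route in the HQ unit's trust-vr that sends the branch LAN into the VPN tunnel), here is the ScreenOS CLI equivalent for the HQ side, following the single-VR layout from the manual that deimark recommends. This is example configuration written for this thread, not either poster's real config: the LAN ranges, the public IP, the interface names (bgroup0 for Trust, ethernet0/0 for Untrust, tunnel.1 for the tunnel), the gateway/VPN/address names and the pre-shared key placeholder are all assumptions. The branch unit gets the mirror image (its own LAN as source, the HQ LAN as the route destination).

```screenos
## HQ SSG20 -- added example, not the thread's real config.
## Assumed: HQ LAN 10.1.1.0/24 behind bgroup0 (Trust zone),
##          branch LAN 10.2.2.0/24, Internet on ethernet0/0 (Untrust zone),
##          branch public IP 203.0.113.2 (documentation range, placeholder).

## Keep a single virtual router: the Untrust zone lives in trust-vr,
## which is the "Untrust (trust-vr)" layout the manual refers to.
set zone untrust vrouter trust-vr

## Tunnel interface for the route-based VPN; it borrows the Untrust interface's IP.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

## IKE gateway and VPN; replace PSK-PLACEHOLDER with the real pre-shared key.
set ike gateway gw-branch address 203.0.113.2 main outgoing-interface ethernet0/0 preshare "PSK-PLACEHOLDER" sec-level standard
set vpn vpn-branch gateway gw-branch sec-level standard
set vpn vpn-branch bind interface tunnel.1

## The route that was missing: the branch LAN via the tunnel, in trust-vr
## (not untrust-vr), so replies from HQ hosts have a path back into the VPN.
set vrouter trust-vr
set route 10.2.2.0/24 interface tunnel.1
exit

## Address book entries, then policies in both directions so either side can
## initiate a ping toward the other.
set address trust "HQ-Trust-LAN" 10.1.1.0/24
set address untrust "Branch-Trust-LAN" 10.2.2.0/24
set policy from trust to untrust "HQ-Trust-LAN" "Branch-Trust-LAN" any permit
set policy from untrust to trust "Branch-Trust-LAN" "HQ-Trust-LAN" any permit

## Checks after applying:
## get route   -> 10.2.2.0/24 should be listed under trust-vr with interface tunnel.1
## get sa      -> the SA for gw-branch should show an active state once traffic flows
```

The one-way ping symptom in the thread is what you see when only one box has this route in the VR that actually forwards the LAN traffic: the side with the route can send into the tunnel, but the other side has no path back to the remote LAN, so its replies (or its own pings) never enter tunnel.1. Confirm with `get route` on both units that the remote LAN appears under trust-vr before looking at policies or IKE.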
Glad it's resolved bud.

The use of multiple VRs is quite a useful tool we can use to split the network up and also run multiple routing protocols on the same box without them conflicting, i.e. run BGP on the untrust-vr (connected to the internet) and OSPF on the trust-vr, connected to your own nets. As well as adding an extra layer of control by limiting the traffic that can pass between the VRs.

Anyways, glad I could help bud.