I'm having a problem setting up a route based site-to-site vpn connection between s juniper ssg20.
My network vendor who sold me the 2 units is evidently too busy to figure out how to fix the problem. He is also still learning how to setup the units.
Here is the problem:
I followed the manual that comes in the CD almost to the letter. (page 97-102). The problem is either one site can ping the other site or the other way around. We've never managed to get the 2 sites to ping one another. Status report actually says that VPN connection is up.
My suspicion is on the fact that my network guy insist that the routing entries on both devices must be made on the "untrust-vr" section. But it doesnt work. If we do this, then Branch office can ping the HQ but not the other way around.
The manual (which I've tried) says to put the routing entries on the "trust-vr" section. Which will allow HQ to ping Branch but not the other way around.
I suspect the problem might be because the internet zone is setup as "ISP-NAME (untrust-vr)". The manual seems to refer the internet zone as "Untrust (trust-vr)". Therefore my first question is: should internet zone be in untrust-vr or trust-vr? I assume the "Untrust" part is just a name to indicate that this zone is an Untrust zone within the trust-vr?
Second thing is that: On the HQ device he has multiple 0.0.0.0/0 entries in both untrust-vr and trust-vr. These entries seem to point to the internet gateway. One entry in trust-vr seems to be the one that is allowing HQ to ping branch and cause the vpn to work.
But then again, when we set all entries on untrust-vr, branch can ping hq, only not the other way around.
Can someone please explain to me what is going on? I wasn't expecting to be met with so much issues.
Btw, I'd appreciate it if your help could be SSG specific. I'm sure there are many similarities with other brands, but I'm not knowledgeable enough to find or understand them.