SW111
asked on
URGENT: Junpier SSG20 VPN Connection problem
I'm having a problem setting up a route based site-to-site vpn connection between s juniper ssg20.
My network vendor who sold me the 2 units is evidently too busy to figure out how to fix the problem. He is also still learning how to setup the units.
Here is the problem:
I followed the manual that comes in the CD almost to the letter. (page 97-102). The problem is either one site can ping the other site or the other way around. We've never managed to get the 2 sites to ping one another. Status report actually says that VPN connection is up.
My suspicion is on the fact that my network guy insist that the routing entries on both devices must be made on the "untrust-vr" section. But it doesnt work. If we do this, then Branch office can ping the HQ but not the other way around.
The manual (which I've tried) says to put the routing entries on the "trust-vr" section. Which will allow HQ to ping Branch but not the other way around.
I suspect the problem might be because the internet zone is setup as "ISP-NAME (untrust-vr)". The manual seems to refer the internet zone as "Untrust (trust-vr)". Therefore my first question is: should internet zone be in untrust-vr or trust-vr? I assume the "Untrust" part is just a name to indicate that this zone is an Untrust zone within the trust-vr?
Second thing is that: On the HQ device he has multiple 0.0.0.0/0 entries in both untrust-vr and trust-vr. These entries seem to point to the internet gateway. One entry in trust-vr seems to be the one that is allowing HQ to ping branch and cause the vpn to work.
But then again, when we set all entries on untrust-vr, branch can ping hq, only not the other way around.
Can someone please explain to me what is going on? I wasn't expecting to be met with so much issues.
Thank You.
Btw, I'd appreciate it if your help could be SSG specific. I'm sure there are many similarities with other brands, but I'm not knowledgeable enough to find or understand them.
My network vendor who sold me the 2 units is evidently too busy to figure out how to fix the problem. He is also still learning how to setup the units.
Here is the problem:
I followed the manual that comes in the CD almost to the letter. (page 97-102). The problem is either one site can ping the other site or the other way around. We've never managed to get the 2 sites to ping one another. Status report actually says that VPN connection is up.
My suspicion is on the fact that my network guy insist that the routing entries on both devices must be made on the "untrust-vr" section. But it doesnt work. If we do this, then Branch office can ping the HQ but not the other way around.
The manual (which I've tried) says to put the routing entries on the "trust-vr" section. Which will allow HQ to ping Branch but not the other way around.
I suspect the problem might be because the internet zone is setup as "ISP-NAME (untrust-vr)". The manual seems to refer the internet zone as "Untrust (trust-vr)". Therefore my first question is: should internet zone be in untrust-vr or trust-vr? I assume the "Untrust" part is just a name to indicate that this zone is an Untrust zone within the trust-vr?
Second thing is that: On the HQ device he has multiple 0.0.0.0/0 entries in both untrust-vr and trust-vr. These entries seem to point to the internet gateway. One entry in trust-vr seems to be the one that is allowing HQ to ping branch and cause the vpn to work.
But then again, when we set all entries on untrust-vr, branch can ping hq, only not the other way around.
Can someone please explain to me what is going on? I wasn't expecting to be met with so much issues.
Thank You.
Btw, I'd appreciate it if your help could be SSG specific. I'm sure there are many similarities with other brands, but I'm not knowledgeable enough to find or understand them.
ASKER
Hi Deimark,
appreciate your help. You've helped me in the past and I'm grateful for your help.
That being said.... sending the configs of both units is a bit risky....
perhaps there are some particulars that I can look up for you?
Please dont misunderstood. I don't mean to be difficult. It's just that it was why we needed a juniper in the first place.... so it doesn't seem to be my best option. Sorry.
appreciate your help. You've helped me in the past and I'm grateful for your help.
That being said.... sending the configs of both units is a bit risky....
perhaps there are some particulars that I can look up for you?
Please dont misunderstood. I don't mean to be difficult. It's just that it was why we needed a juniper in the first place.... so it doesn't seem to be my best option. Sorry.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Deimark,
So at last my network guy found time to sort out the issue. The solution, according to him, is to simply create a route like this on the HQ site:
in HQ trrust-vr, create a route to untrust: Branch-Trust-LAN.
And it seems to work.
I still don't understand why he's doing it differently than the manual (putting internet connection) on untrust-vr instead of trust-vr, which I think complicates matter. I hope I can give you a better picture of the whole setup but his cloak and dagger approach is confusing me (and I think himself) when we needed to refer to the manual.
So at last my network guy found time to sort out the issue. The solution, according to him, is to simply create a route like this on the HQ site:
in HQ trrust-vr, create a route to untrust: Branch-Trust-LAN.
And it seems to work.
I still don't understand why he's doing it differently than the manual (putting internet connection) on untrust-vr instead of trust-vr, which I think complicates matter. I hope I can give you a better picture of the whole setup but his cloak and dagger approach is confusing me (and I think himself) when we needed to refer to the manual.
Gld its resolved bud.
The use of multiple VRs is quite a useful tool we can use to split the network up and also run multiple routing protocols on the same box without them conflicting, ie run BGP on the untrust-vr (conncted to the internet) and OSPF on the trust-vr, connected to your own nets. As well adding an extra layer of control by limiting the traffic that can pass between the VRs.
Anyways, glad I could help bud
DM
The use of multiple VRs is quite a useful tool we can use to split the network up and also run multiple routing protocols on the same box without them conflicting, ie run BGP on the untrust-vr (conncted to the internet) and OSPF on the trust-vr, connected to your own nets. As well adding an extra layer of control by limiting the traffic that can pass between the VRs.
Anyways, glad I could help bud
DM
TO allow me to best help here, can you copy in the configs for both units please?
I suspect that there is some form of inconsistency with the instructions you are following here but for most situations, the use of 1 VR, namely, the trust VR is fine. As for multiple routes of 0.0.0.0/0, the system will use them all in a round robin scenario so to keep things simple (unless you MUST use 2 default routes), delete all the non essential routes and leave the main one on its own.
With the configs, I will be able to add more details