Drilon Berisha (United States of America) asked:

Juniper VPN Site to Site and VPN Client

Hello, I need to ask if somebody has this issue or can help me.

I have an SSG140 Juniper.

Site A - 192.168.100.0/24

Site B - 192.168.200.0/24

IP pool for Site A VPN Dial UP 10.1.1.1 - 10.1.1.254

Site A > Site B are connected and the policies are set. In Site A I also created a VPN Dial-Up for local users; this is configured and works. I need users, when connected to the VPN at Site A, to also see the network in Site B.

PS: if I am in the local net I can ping everything on Site B, but if I connect as a VPN user from another network I can see the Site A network but not Site B.

Thanks
Qlemo (Germany):

If connected through VPN, your traffic goes from Untrust to Trust. You'll have to make sure:
The VPN dial-in policy is set to allow "any" target, not only Site A.
The A->B tunnel allows traffic for the dial-in VPN pool.
Assuming the Junipers on both ends are default gateways for their site, that should do.
Of course the VPN client's config needs to allow and redirect traffic for 192.168.200.x to go through the VPN tunnel.
Drilon Berisha (asker):
Now I have:

Dial-Up VPN      Any      ANY -> no traffic with Site A from the VPN client

if

Dial-Up VPN      Site A  ANY -> I have traffic now with Site A from the VPN client but not with Site B. There is not the same gateway; one Juniper is in New York, one is in LA.
You're missing route statements at Site B that say network 10.1.1.0/24 is reachable via the VPN tunnel that connects the two sites. If not, return traffic will just go out to the internet and bypass the VPN completely.

If using policy-based VPN, then the 10.1.1.0/24 network will need to be part of the Site A to Site B VPN policy.
I will provide the policy configuration on Site A:

set policy id 3 name "Tunnel Trust" from "Trust" to "Untrust"  "192.168.100.0/24" "192.168.200.0/24" "ANY" tunnel vpn "Site A to Site B" id 0x34 pair-policy 4 log
set policy id 3
exit


set policy id 4 name "Tunnel Trust" from "Untrust" to "Trust"  "192.168.200.0/24" "192.168.100.0/24" "ANY" tunnel vpn "Site A to Site B" id 0x34 pair-policy 3 log
set policy id 4
exit

I can ping Site B from Site A and also Site A from Site B.

set policy id 5 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.100.0/24" "ANY" tunnel vpn "VPN_Dialup" id 0x3f log
set policy id 5
exit

When I am connected to Site A with the VPN client from another state,

I can ping the Site A network but not Site B. This is what I am looking to fix.
Ok, so in the policy-based VPN for Site B, you would need to add 10.1.1.0/24 as one of the destination networks. This would be on the trust-to-untrust policy (the matching "bidirectional" checkbox will take care of untrust-to-trust).

On the Site A policy-based VPN, you need to add 10.1.1.0/24 as a source IP address. This way any traffic originating from the dial-up VPN that targets the network 192.168.200.0/24 will be routed via the VPN.

Hope this clears it up.
Ok, I understand how to add that for Site B and I will do it, but can you explain for Site A? I will add 10.1.1.0/24 as the source, and what about the destination 192.168.200.0/24, should it be this?
For Site A you can add 10.1.1.0/24 as a source IP for the VPN policy. So basically you will now have 2 source IPs in the policy for Site A. Since there is only one network you are connecting to on Site B, you would leave 192.168.200.0/24 as the destination.

Basically the way the Juniper works, it checks the source and destination IP of the traffic. If both match a policy, that is the policy that will be used. In your case, the VPN policy.
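The first-match behaviour described above, together with the "two source IPs in one policy" change, as an added example for this thread (it is not the asker's configuration and not anything from Juniper). It parses ScreenOS-style "set policy" lines into an ordered policy list, resolves address-book names, and reports which policy a flow hits before and after the dial-up pool is added to the existing tunnel policies. Assumptions: ADDRESS_BOOK is constructed from the addresses named in the thread; "Dial-Up VPN" is taken to resolve to the 10.1.1.0/24 pool; and the set src-address / set dst-address lines in SITE_A_CHANGE are the recommended change written out in ScreenOS policy-context syntax, not lines posted in the thread. The caller supplies the zone pair; on the firewall itself the from-zone comes from the ingress interface and the to-zone from the route lookup for the destination, so if the real box still logs a deny, check those two before the policy list.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed address book, modelled on the "set address" lines in the thread.
# "Dial-Up VPN" is ScreenOS's built-in object for dial-up users; assumed here
# to cover the XAuth pool 10.1.1.1-10.1.1.254 handed out to those users.
ADDRESS_BOOK = {
    ("Trust", "192.168.100.0/24"): ipaddress.ip_network("192.168.100.0/24"),
    ("Trust", "10.1.1.0/24"): ipaddress.ip_network("10.1.1.0/24"),
    ("Untrust", "192.168.200.0/24"): ipaddress.ip_network("192.168.200.0/24"),
    ("Untrust", "10.1.1.0/24"): ipaddress.ip_network("10.1.1.0/24"),
    ("Untrust", "Dial-Up VPN"): ipaddress.ip_network("10.1.1.0/24"),
}

# One-line policy definition; the trailing "id 0x.. pair-policy .. log" is ignored.
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+)(?: name "[^"]*")? '
    r'from "(?P<from>[^"]+)" to "(?P<to>[^"]+)"\s+'
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" '
    r'(?P<action>tunnel vpn "(?P<vpn>[^"]+)"|permit|deny)')
# Policy context block: set policy id N / set src-address "..." / exit
CONTEXT_RE = re.compile(r'^set policy id (?P<id>\d+)$')
ADDR_RE = re.compile(r'^set (?P<which>src|dst)-address "(?P<name>[^"]+)"$')


@dataclass
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: List[str]        # address-book names; grows with "set src-address"
    dst: List[str]
    service: str
    action: str           # "permit", "deny" or "tunnel"
    vpn: Optional[str] = None


def parse_policies(config):
    """Parse policies in configured order. Address names are stripped, so the
    leading-space names seen in the thread (" 10.1.1.0/24") still resolve."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            policies[int(m["id"])] = Policy(
                int(m["id"]), m["from"], m["to"], [m["src"].strip()],
                [m["dst"].strip()], m["svc"],
                "tunnel" if m["vpn"] else m["action"], m["vpn"])
        elif m := CONTEXT_RE.match(line):
            current = policies.get(int(m["id"]))
        elif (m := ADDR_RE.match(line)) and current is not None:
            (current.src if m["which"] == "src" else current.dst).append(m["name"].strip())
        elif line == "exit":
            current = None
    return list(policies.values())


def _matches(names, zone, ip):
    """"Any" matches everything; otherwise the name must resolve in that zone
    to a network containing the address."""
    return any(n.lower() == "any" or ip in ADDRESS_BOOK.get((zone, n), ()) for n in names)


def lookup(policies, src_ip, dst_ip, from_zone, to_zone, service="ANY"):
    """First-match lookup: returns (policy id, action, vpn), or
    (None, "deny", None) for the implicit default deny ("Traffic Denied")."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        zone_ok = (p.from_zone, p.to_zone) == (from_zone, to_zone)
        svc_ok = p.service.upper() in ("ANY", service.upper())
        if zone_ok and svc_ok and _matches(p.src, p.from_zone, s) and _matches(p.dst, p.to_zone, d):
            return p.pid, p.action, p.vpn
    return None, "deny", None


# Site A policies as posted earlier in the thread (constructed copy).
SITE_A_BEFORE = """
set policy id 3 name "Tunnel Trust" from "Trust" to "Untrust"  "192.168.100.0/24" "192.168.200.0/24" "ANY" tunnel vpn "Site A to Site B" id 0x34 pair-policy 4 log
set policy id 3
exit
set policy id 4 name "Tunnel Trust" from "Untrust" to "Trust"  "192.168.200.0/24" "192.168.100.0/24" "ANY" tunnel vpn "Site A to Site B" id 0x34 pair-policy 3 log
set policy id 4
exit
set policy id 5 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.100.0/24" "ANY" tunnel vpn "VPN_Dialup" id 0x3f log
set policy id 5
exit
"""

# The advice above in ScreenOS policy-context syntax (constructed, not from the
# thread): the dial-up pool becomes a second source on policy 3 and a second
# destination on its pair policy 4. The address objects are assumed in Trust.
SITE_A_CHANGE = """
set policy id 3
set src-address "10.1.1.0/24"
exit
set policy id 4
set dst-address "10.1.1.0/24"
exit
"""


def compare(flow):
    """Look the same (src, dst, from_zone, to_zone) flow up before and after."""
    return (lookup(parse_policies(SITE_A_BEFORE), *flow),
            lookup(parse_policies(SITE_A_BEFORE + SITE_A_CHANGE), *flow))


if __name__ == "__main__":
    # Flow from the thread's "Traffic Denied" log line: denied before, tunnelled after.
    print(compare(("10.1.1.3", "192.168.200.10", "Trust", "Untrust")))
```

Running it shows the flow from the "Traffic Denied" log line falling through to the default deny before the change and hitting policy 3 (tunnel "Site A to Site B") after it; the return path from 192.168.200.10 to 10.1.1.3 is denied until the pair policy 4 carries the pool as a destination, which is the same reason Site B needs the pool in its own policy.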
So this is the same way I did it for the Site A to Site B VPN, the same policy with different IP addresses. I will try this after I add it in the LA policy and then in NY.
Yes that is correct.
I did it the same way but still no ping from the VPN client. Site to site, yes; also from the local network, yes; but not from outside with the VPN.
Did you create new policies or modify the existing ones?
I created a new one and also put this new one on top. This is IP pool 10.1.1.0/24 going outside to Site A and Site B. I can see Site A but not Site B from the VPN client.
Can you post a sanitized config? Or at least the output of the command 'get policy'?
First, because it is an easy thing to check: switch on logging in the policy, create traffic, and see if it is logged. Also watch the translated IPs in the log.
Wait - you did not provide a VPN tunnel in the new policies, did you? You can't use the same tunnel in different policies, that gives an error. But you need to.
As said initially by sangamc, you should add the new address to the existing policies. That might break the existing VPN connection, however, as you are modifying the tunnel (the Proxy ID, to be exact).
Site A - 192.168.100.0/24

Policy From Trust To Untrust


Source 192.168.100.0/24 > Destination Dial-Up VPN

Source 192.168.100.0/24 > Destination 192.168.200.0/24

Source 10.1.1.0/24 > Destination 192.168.200.0/24

Policy From Untrust To Trust

Source 192.168.200.0/24 > Destination 192.168.100.0/24

Source 192.168.200.0/24 > Destination 10.1.1.0/24

Source Dial-Up VPN > Destination 192.168.100.0/24


VPN client (I use Shrew for VPN login) is configured on Site A

IP pool for Site A VPN Dial-Up user login: 10.1.1.1 - 10.1.1.254, not set on any interface or DHCP


SITE A to SITE B: in the local net with IP range 192.168.100.0 I can ping Site B

When I connect to the VPN from Shrew I can ping 192.168.100.1 but I can't ping 192.168.200.1


Site B - 192.168.200.0/24

Policy From Trust To Untrust


Source 192.168.200.0/24 > Destination 192.168.100.0/24

Source 192.168.200.0/24 > Destination 10.1.1.0/24

Policy From Untrust To Trust

Source 192.168.100.0/24 > Destination 192.168.200.0/24

Source 10.1.1.0/24 > Destination 192.168.200.0/24
Did you add 192.168.200.0/24 to the available networks in Shrew (Policy tab)?
Is each line you posted its own policy?
Yes, I added the 2 networks in Shrew too, but still nothing.

In the logs I can see this error:

2013-06-28 12:47:44      10.1.1.3:42042      192.168.200.10:1      0.0.0.0:0      0.0.0.0:0      ICMP      0 sec.      0      0      Traffic Denied

This is my VPN client configuration:

set user "VPN_Test_User_aug" type ike
set user "VPN_Test_User_aug" ike-id "itsupport1@test.com" share-limit 250
set user "VPN_Test_User_aug" enable

set user-group "VPN_Test_Group" location local
set user-group "VPN_Test_Group" user "VPN_Test_User_aug"

set ippool "VPN Pool" 10.1.1.1 10.1.1.254

set xauth default auth server "Local"
set xauth default ippool "VPN Pool Test"

set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/2.1

set ike gateway "Sales" dialup "VPN_Test_Group" aggressive outgoing-interface ethernet0/2.1 preshare "testestetst" proposal "pre-g2-3des-sha"
set ike gateway "Sales" nat-traversal
set ike gateway "Sales" xauth

set vpn "Sales VPN" gateway "Sales" no-replay tunnel proposal "nopfs-esp-3des-sha"
unset vpn "Sales VPN" monitor
set vpn "Sales VPN" bind tunnel.1
set vpn "Sales VPN" proxy-id local-ip 192.168.100.0/24 remote-ip 255.255.255.255/32 any

set address "Untrust" "10.1.1.0/24" 10.1.1.0/24
set address "Trust" "192.168.100.0/24" 192.168.100.0/24
set policy from "Untrust" to "Trust" "10.1.1.0/24" "192.168.100.0/24" "ANY" permit
set policy from "Trust" to "Untrust" "192.168.100.0/24" "10.1.1.0/24" "ANY" permit

set route 10.1.1.0/24 interface tunnel.1
I will have to look into that in more detail, but meanwhile: why are you using a tunnel interface for dial-in?
To make it work for more than one user (for 10 and up) I use dial-up VPN. It works with the Juniper when I log in, but I can't ping the second Juniper from the VPN when I am connected.
ASKER CERTIFIED SOLUTION
Qlemo (Germany)

I can't figure it out, I will put the cfg here:

set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface ethernet0/2 phy full 100mb
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/2.1" tag 1621 zone "Untrust"
set interface "ethernet0/3" zone "Trust"
set interface "ethernet0/4" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface vlan1 ip 10.5.0.0/24
set interface ethernet0/1 ip 192.168.10.1/24
set interface ethernet0/1 nat
set interface ethernet0/2.1 ip 200.215.164.61/30
set interface ethernet0/2.1 route
set interface ethernet0/3 ip 192.168.1.1/24
set interface ethernet0/3 nat
set interface ethernet0/4 ip 192.168.100.1/24
set interface ethernet0/4 nat
set interface tunnel.1 ip unnumbered interface ethernet0/2.1
set interface ethernet0/2.1 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
unset interface vlan1 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2.1 ip manageable
set interface ethernet0/3 ip manageable
set interface ethernet0/4 ip manageable
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
set interface ethernet0/2.1 manage ping
set interface ethernet0/2.1 manage telnet
set interface ethernet0/2.1 manage ssl
set interface ethernet0/2.1 manage web
unset interface ethernet0/3 manage ssh
unset interface vlan1 manage ssh
unset interface vlan1 manage telnet
unset interface vlan1 manage ssl
unset interface vlan1 manage web
set interface vlan1 manage mtrace
set auth-server "AD VPN USerr" src-interface "ethernet0/4"
set interface ethernet0/4 vip 192.168.100.241
set interface ethernet0/4 dhcp server service
set interface ethernet0/4 dhcp server enable
set interface ethernet0/4 dhcp server option gateway 192.168.100.1
set interface ethernet0/4 dhcp server option netmask 255.255.255.0
set interface ethernet0/4 dhcp server option dns1 10.120.1.10
set interface ethernet0/4 dhcp server option dns2 146.6.1.122
set interface ethernet0/4 dhcp server option dns3 146.6.100.2
set interface ethernet0/4 dhcp server ip 192.168.100.11 to 192.168.100.199
unset interface ethernet0/4 dhcp server config next-server-ip
set interface vlan1 dhcp relay server-name " 10.1.1.0"
set interface vlan1 dhcp relay server-name "255.255.255.0"
set interface vlan1 dhcp relay vpn
set interface vlan1 dhcp relay service
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" " 10.1.1.0/24"  10.1.1.0 255.255.255.0
set address "Trust" "192.168.200.0/24" 192.168.200.0 255.255.255.0
set address "Trust" "192.168.11.0/24" 192.168.11.0 255.255.255.0
set address "Trust" "192.168.100.0/24" 192.168.100.0 255.255.255.0
set address "Trust" "Site A 192.168.100.0" 192.168.100.0 255.255.255.0
set address "Untrust" " 10.1.1.0/24"  10.1.1.0 255.255.255.0
set address "Untrust" "63.65.164.62/30" 63.65.164.62 255.255.255.252
set address "Untrust" "Site B 192.168.200.0" 192.168.200.0 255.255.255.0
set group service "Server TESTSERVER"
set group service "Server TESTSERVER" add "OpenPorts"
set ippool "VPNPool" 10.1.1.1 10.1.1.254
set user "VPN_Dialup_User" uid 25
set user "VPN_Dialup_User" ike-id u-fqdn "itsupport@testsite.com" share-limit 200
set user "VPN_Dialup_User" type ike
set user "VPN_Dialup_User" "enable"
set user "test" uid 29
set user "test" type xauth
set user "test" password "******************************"
unset user "test" type auth
set user "test" "enable"
set user-group "vpnclient_group" id 14
set user-group "vpnclient_group" user "VPN_Dialup_User"
set ike p1-proposal "Conenct1" preshare group2 esp 3des md5 second 28800
set ike gateway "Site b Wan" address 120.156.143.76 Main outgoing-interface "ethernet0/2.1" preshare "*****************" proposal "pre-g2-3des-md5"
set ike gateway "VPN_Dialup_GW" dialup "vpnclient_group" Aggr outgoing-interface "ethernet0/2.1" preshare "***************" proposal "pre-g2-3des-sha"
set ike gateway "VPN_Dialup_GW" dpd-liveness interval 30
set ike gateway "VPN_Dialup_GW" nat-traversal udp-checksum
set ike gateway "VPN_Dialup_GW" nat-traversal keepalive-frequency 5
set ike gateway "VPN_Dialup_GW" xauth
unset ike gateway "VPN_Dialup_GW" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "VPNPool"
set xauth default dns1 192.168.100.1
set vpn "Site A to Site B" gateway "Site b Wan" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "Site A to Site B" monitor
set vpn "VPN_Dialup" gateway "VPN_Dialup_GW" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "VPN_Dialup" monitor
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set vpn-group id 12
set vpn-group id 1230
set url protocol websense
exit
set policy id 9 from "Trust" to "Untrust"  " 10.1.1.0/24" "Site B 192.168.200.0" "ANY" tunnel vpn "Site A to Site B" id 0x63
set policy id 9
exit
set policy id 8 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.100.0/24" "ANY" tunnel vpn "VPN_Dialup" id 0x62
set policy id 8
exit
set policy id 3 name "Tunnel Trust Link" from "Trust" to "Untrust"  "192.168.100.0/24" "Site B 192.168.200.0" "ANY" tunnel vpn "Site A to Site B" id 0x34 pair-policy 4 log
set policy id 3
exit
set policy id 4 name "Tunnel Trust Link" from "Untrust" to "Trust"  "Site B 192.168.200.0" "192.168.100.0/24" "ANY" tunnel vpn "Site A to Site B" id 0x34 pair-policy 3 log
set policy id 4
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2.1 gateway 200.215.164.21
set route 0.0.0.0/0 interface ethernet0/0 gateway 200.215.164.21
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
Perfect idea, everything worked.