Solved

Juniper VPN Site to Site and VPN Client

Posted on 2013-06-26
1,043 Views
Last Modified: 2013-07-12
Hello, I need to ask if somebody has this issue or can help me.

I have SSG140 Juniper

Site A - 192.168.100.0/24

Site B - 192.168.200.0/24

IP pool for Site A VPN Dial UP 10.1.1.1 - 10.1.1.254

Site A > Site B are connected and the policies are set. In Site A I also created one VPN Dial-Up for local users; this is configured and works. I need users, when connected to VPN Site A, to also see the network in Site B.

PS: if I am in the local net I can ping everything on Site B, but if I connect as a VPN user from another network I can see the Site A network but not Site B.

Thanks
Question by:Drilon Berisha
24 Comments
 
LVL 68

Expert Comment

by:Qlemo
If connected through VPN, your traffic goes from Untrust to Trust. You'll have to make sure:
The VPN dial-in policy is set to allow "any" target, not only Site A.
The A->B tunnel allows traffic for the Dial-in VPN pool.
Assuming the Junipers on both ends are default gateways for their site, that should do.
Of course the VPN client's config needs to allow and redirect traffic for 192.168.200.x to go through the VPN tunnel.
0
 
LVL 1

Author Comment

by:Drilon Berisha
Now I have

Dial-Up VPN      Any      ANY -> no traffic with Site A from the VPN client

If

Dial-Up VPN      Site A  ANY -> I have traffic now with Site A from the VPN client but not with Site B. There is not the same gateway: one Juniper is in New York, one is in LA.
0
 
LVL 18

Expert Comment

by:Sanga Collins
You're missing route statements at site B that say network 10.1.1.0/24 is reachable by the VPN tunnel that connects the two sites. If not, return traffic will just go out the internet and bypass the VPN completely.

If using policy based VPN, then the 10.1.1.0/24 network will need to be part of the site A to site B VPN policy.
0
 
LVL 1

Author Comment

by:Drilon Berisha
I will provide the policy configuration on Site A

set policy id 3 name "Tunnel Trust" from "Trust" to "Untrust"  "192.168.100.0/24" "192.168.200.0/24" "ANY" tunnel vpn "Site A to Site B" id 0x34 pair-policy 4 log
set policy id 3
exit


set policy id 4 name "Tunnel Trust" from "Untrust" to "Trust"  "192.168.200.0/24" "192.168.100.0/24" "ANY" tunnel vpn "Site A to Site B" id 0x34 pair-policy 3 log
set policy id 4
exit

I can ping Site B from Site A and also from Site B to Site A

set policy id 5 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.100.0/24" "ANY" tunnel vpn "VPN_Dialup" id 0x3f log
set policy id 5
exit

When I am connected to Site A with the VPN client from another state

I can ping the Site A network but not Site B; this is what I am looking to fix.
0
 
LVL 18

Expert Comment

by:Sanga Collins
Ok, so in policy based VPN for site B, you would need to add 10.1.1.0/24 as one of the destination networks. This would be on the trust-to-untrust policy (matching bidirectional checkbox will take care of untrust-to-trust)

On site A policy based VPN, you need to add 10.1.1.0/24 as a source IP address. This way any traffic originating from the Dialup VPN that targets the network 192.168.200.0/24 will be routed via the VPN.

Hope this clears it up.
0
 
LVL 1

Author Comment

by:Drilon Berisha
OK, I understand how to add that for Site B; I will do it. But can you explain for Site A: I will add 10.1.1.0/24 as source, and what about the destination, should this be 192.168.200.0/24?
0
 
LVL 18

Expert Comment

by:Sanga Collins
For site A you can add 10.1.1.0/24 as a source IP for the VPN policy. So basically you will now have 2 source IPs in the policy for site A. Since there is only one Network you are connecting to on site B, you would leave 192.168.200.0/24 as the destination.

Basically the way the Juniper works, it checks the source and destination IP of the traffic. If both match a policy, that is the policy that will be used. In your case, the VPN policy.
0
 
LVL 1

Author Comment

by:Drilon Berisha
So this is the same way I did it for the Site A to Site B VPN: the same policy with a different IP address. I will try this after I add it in the LA policy and then in NY.
0
 
LVL 18

Expert Comment

by:Sanga Collins
Yes that is correct.
0
 
LVL 1

Author Comment

by:Drilon Berisha
I did it the same way but still no ping from the VPN client. Site to site, yes; also from the local network, yes; but not from outside with VPN.
0
 
LVL 68

Expert Comment

by:Qlemo
Did you create new policies or modify the existing ones?
0
 
LVL 1

Author Comment

by:Drilon Berisha
I created a new one and also put this new one on top. This is for IP pool 10.1.1.0/24 to go outside to Site A and Site B. I can see Site A but not Site B from the VPN client.
0
 
LVL 18

Expert Comment

by:Sanga Collins
Can you post a sanitized config? Or at least the output of the command 'get policy'?
0
 
LVL 68

Expert Comment

by:Qlemo
First, because it is an easy thing to check: switch on logging in the policy, create traffic, and see if it is logged. Also watch the translated IPs in the log.
0
 
LVL 68

Expert Comment

by:Qlemo
Wait - you did not provide a VPN tunnel in the new policies, did you? You can't use the same tunnel in different policies, that gives an error. But you need to.
As said initially by sangamc, you should add the new address to the existing policies. That might break the existing VPN connection, however, as you are modifying the tunnel (the Proxy ID, to be exact).
0
 
LVL 1

Author Comment

by:Drilon Berisha
Site A - 192.168.100.0/24

Policy From Trust To Untrust


Source 192.168.100.0/24 > Destination Dial-Up VPN

Source 192.168.100.0/24 > Destination 192.168.200.0/24

Source 10.1.1.0/24 > Destination 192.168.200.0/24

Policy From Untrust To Trust

Source 192.168.200.0/24 > Destination 192.168.100.0/24

Source 192.168.200.0/24 > Destination 10.1.1.0/24

Source Dial-Up VPN > Destination 192.168.100.0/24


VPN client (I use Shrew for VPN login) is configured on Site A

IP pool for Site A VPN Dial UP user login - 10.1.1.1 - 10.1.1.254 not set in any interface or DHCP


Site A to Site B: in the local net with IP range 192.168.100.0 I can ping Site B

When I connect to VPN from Shrew I can ping 192.168.100.1 but I can't ping 192.168.200.1


Site B - 192.168.200.0/24

Policy From Trust To Untrust


Source 192.168.200.0/24 > Destination 192.168.100.0/24

Source 192.168.200.0/24 > Destination 10.1.1.0/24

Policy From Untrust To Trust

Source 192.168.100.0/24 > Destination 192.168.200.0/24

Source 10.1.1.0/24 > Destination 192.168.200.0/24
0
 
LVL 68

Expert Comment

by:Qlemo
Did you add 192.168.200.0/24 to the available networks in Shrew (Policy tab)?
0
 
LVL 68

Expert Comment

by:Qlemo
Is each line you posted its own policy?
0
 
LVL 1

Author Comment

by:Drilon Berisha
Yes, I added the 2 networks in Shrew too, but still nothing.

In the logs I can see this error:

2013-06-28 12:47:44      10.1.1.3:42042      192.168.200.10:1      0.0.0.0:0      0.0.0.0:0      ICMP      0 sec.      0      0      Traffic Denied

This is my VPN client configuration:

set user "VPN_Test_User_aug" type ike
set user "VPN_Test_User_aug" ike-id "itsupport1@test.com" share-limit 250
set user "VPN_Test_User_aug" enable

set user-group "VPN_Test_Group" location local
set user-group "VPN_Test_Group" user "VPN_Test_User_aug"

set ippool "VPN Pool" 10.1.1.1 10.1.1.254

set xauth default auth server "Local"
set xauth default ippool "VPN Pool Test"

set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/2.1

set ike gateway "Sales" dialup "VPN_Test_Group" aggressive outgoing-interface ethernet0/2.1 preshare "testestetst" proposal "pre-g2-3des-sha"
set ike gateway "Sales" nat-traversal
set ike gateway "Sales" xauth

set vpn "Sales VPN" gateway "Sales" no-replay tunnel proposal "nopfs-esp-3des-sha"
unset vpn "Sales VPN" monitor
set vpn "Sales VPN" bind tunnel.1
set vpn "Sales VPN" proxy-id local-ip 192.168.100.0/24 remote-ip 255.255.255.255/32 any

set address "Untrust" "10.1.1.0/24" 10.1.1.0/24
set address "Trust" "192.168.100.0/24" 192.168.100.0/24
set policy from "Untrust" to "Trust" "10.1.1.0/24" "192.168.100.0/24" "ANY" permit
set policy from "Trust" to "Untrust" "192.168.100.0/24" "10.1.1.0/24" "ANY" permit

set route 10.1.1.0/24 interface tunnel.1
0
 
LVL 68

Expert Comment

by:Qlemo
I will have to look into that in more detail, but meanwhile: why are you using a tunnel interface for dial-in?
0
 
LVL 1

Author Comment

by:Drilon Berisha
To make it work for more than one user, for 10 and up, I use dial-up VPN. It works with the Juniper when I log in, but I can't ping the second Juniper from the VPN when I am connected.
0
 
LVL 68

Accepted Solution

by:Qlemo earned 500 total points
What you posted doesn't match your description made in http:#a39284850. And the tunnel interface isn't making it easier, I assume. But let's keep it for now.

We need the policies and VPN config for A->B and B->A. You showed the dial-in stuff only.

As you are not NATting dial-in, your traffic from Shrew needs to go this way:

Shrew 10.1.1.3  --> VPN via public IPs --> SSG A Dial-In Untrust (10.1.1.0/24) --> SSG A Site B LAN, Trust (192.168.200.0/24)
    This is to allow traffic to go into Trust on Site A. Only policies needed so far.
SSG A Dial-In Trust (10.1.1.0/24) --> SSG A Site B LAN Untrust (192.168.200.0/24)
   This requires both a route and a policy, to allow to route the traffic to Site B.

At this point traffic should pass the A->B VPN tunnel. Now you need to make sure that Site B knows how to route traffic for 10.1.1.0/24 (via 192.168.100.x, SSG A). You should not need to define a policy, as long as you are not wanting to connect from Site B to Dial-In. The same applies to
set policy from "Trust" to "Untrust" "192.168.100.0/24" "10.1.1.0/24" "ANY" permit - it is only needed if you want to initiate traffic from Site A to Dial-In, which is unlikely.
0
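The lookup the experts describe above (Sanga Collins: the firewall checks the source and destination IP against the policies and the first policy both match is used; the accepted solution: Site B needs a route and a policy that cover the 10.1.1.0/24 pool) can be modelled in a few lines. The following is an added example, not ScreenOS code and not the poster's configuration: a route lookup picks the egress zone, then the first policy in the (from-zone, to-zone) pair whose source and destination cover the packet wins, and a packet with no matching policy is dropped, which is the kind of flow the poster's "Traffic Denied" log line records. The addresses are the thread's; the Site B interface names, policy ids and the assumption that decrypted tunnel traffic enters the Untrust zone are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network in CIDR form
    interface: str   # egress interface (constructed names below)
    zone: str        # security zone that interface belongs to


@dataclass(frozen=True)
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    action: str      # "permit", "deny" or "tunnel:<vpn name>"


def _covers(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def route_lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; the winning route's zone is the to-zone for the policy lookup."""
    best: Optional[Route] = None
    for r in routes:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and (
            best is None or net.prefixlen > ip_network(best.prefix).prefixlen
        ):
            best = r
    return best


def policy_lookup(policies: List[Policy], from_zone: str, to_zone: str,
                  src: str, dst: str) -> Optional[Policy]:
    """First policy in table order whose zone pair, source and destination all match."""
    for p in policies:
        if (p.from_zone, p.to_zone) == (from_zone, to_zone) \
                and _covers(p.src, src) and _covers(p.dst, dst):
            return p
    return None


def check_flow(routes, policies, in_zone, src, dst) -> Tuple[str, Optional[int]]:
    """(verdict, policy id). No matching policy is the default deny that ends up in the log."""
    route = route_lookup(routes, dst)
    if route is None:
        return ("no-route", None)
    pol = policy_lookup(policies, in_zone, route.zone, src, dst)
    if pol is None:
        return ("denied", None)
    return (pol.action, pol.pid)


def parse_traffic_log(line: str) -> Tuple[str, str, str]:
    """Extract (src ip, dst ip, action) from a whitespace-separated traffic-log line
    in the layout the thread shows: date time src:port dst:port ... action."""
    f = line.split()
    return f[2].rsplit(":", 1)[0], f[3].rsplit(":", 1)[0], " ".join(f[-2:])


# Constructed Site B tables using the thread's networks. Interface names and
# policy ids are assumptions, not taken from the poster's configuration.
WAN = Route("0.0.0.0/0", "ethernet-wan", "Untrust")
SITE_B_ROUTES_NO_POOL = [Route("192.168.200.0/24", "ethernet-lan", "Trust"), WAN]
SITE_B_ROUTES = SITE_B_ROUTES_NO_POOL + [Route("10.1.1.0/24", "tunnel-to-site-A", "Untrust")]

SITE_TO_SITE = "tunnel:Site A to Site B"
SITE_B_POLICIES_BEFORE = [   # only the two LANs are covered
    Policy(1, "Untrust", "Trust", "192.168.100.0/24", "192.168.200.0/24", SITE_TO_SITE),
    Policy(2, "Trust", "Untrust", "192.168.200.0/24", "192.168.100.0/24", SITE_TO_SITE),
]
SITE_B_POLICIES_AFTER = SITE_B_POLICIES_BEFORE + [   # dial-in pool added in both directions
    Policy(3, "Untrust", "Trust", "10.1.1.0/24", "192.168.200.0/24", SITE_TO_SITE),
    Policy(4, "Trust", "Untrust", "192.168.200.0/24", "10.1.1.0/24", SITE_TO_SITE),
]

# The log line quoted in the thread.
DENIED_LOG = ("2013-06-28 12:47:44      10.1.1.3:42042      192.168.200.10:1      "
              "0.0.0.0:0      0.0.0.0:0      ICMP      0 sec.      0      0      Traffic Denied")


def diagnose(line: str, routes, policies, in_zone: str = "Untrust"):
    """Replay a logged flow against a policy table to see which policy (if any) covers it."""
    src, dst, _action = parse_traffic_log(line)
    return check_flow(routes, policies, in_zone, src, dst)


if __name__ == "__main__":
    print("before:", diagnose(DENIED_LOG, SITE_B_ROUTES, SITE_B_POLICIES_BEFORE))
    print("after: ", diagnose(DENIED_LOG, SITE_B_ROUTES, SITE_B_POLICIES_AFTER))
    for table, label in ((SITE_B_ROUTES_NO_POOL, "without pool route"),
                         (SITE_B_ROUTES, "with pool route")):
        print("return traffic to 10.1.1.3", label, "->", route_lookup(table, "10.1.1.3").interface)
```

Running it shows the two halves of the advice separately: without a policy whose source covers the pool the logged flow is denied, and with it policy 3 matches; and without a route for 10.1.1.0/24 the return traffic follows the default route out the WAN interface instead of the tunnel, which is the bypass Sanga Collins warned about.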
 
LVL 1

Author Comment

by:Drilon Berisha
I can't figure it out; I will put the cfg here:

set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface ethernet0/2 phy full 100mb
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/2.1" tag 1621 zone "Untrust"
set interface "ethernet0/3" zone "Trust"
set interface "ethernet0/4" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface vlan1 ip 10.5.0.0/24
set interface ethernet0/1 ip 192.168.10.1/24
set interface ethernet0/1 nat
set interface ethernet0/2.1 ip 200.215.164.61/30
set interface ethernet0/2.1 route
set interface ethernet0/3 ip 192.168.1.1/24
set interface ethernet0/3 nat
set interface ethernet0/4 ip 192.168.100.1/24
set interface ethernet0/4 nat
set interface tunnel.1 ip unnumbered interface ethernet0/2.1
set interface ethernet0/2.1 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
unset interface vlan1 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2.1 ip manageable
set interface ethernet0/3 ip manageable
set interface ethernet0/4 ip manageable
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
set interface ethernet0/2.1 manage ping
set interface ethernet0/2.1 manage telnet
set interface ethernet0/2.1 manage ssl
set interface ethernet0/2.1 manage web
unset interface ethernet0/3 manage ssh
unset interface vlan1 manage ssh
unset interface vlan1 manage telnet
unset interface vlan1 manage ssl
unset interface vlan1 manage web
set interface vlan1 manage mtrace
set auth-server "AD VPN USerr" src-interface "ethernet0/4"
set interface ethernet0/4 vip 192.168.100.241
set interface ethernet0/4 dhcp server service
set interface ethernet0/4 dhcp server enable
set interface ethernet0/4 dhcp server option gateway 192.168.100.1
set interface ethernet0/4 dhcp server option netmask 255.255.255.0
set interface ethernet0/4 dhcp server option dns1 10.120.1.10
set interface ethernet0/4 dhcp server option dns2 146.6.1.122
set interface ethernet0/4 dhcp server option dns3 146.6.100.2
set interface ethernet0/4 dhcp server ip 192.168.100.11 to 192.168.100.199
unset interface ethernet0/4 dhcp server config next-server-ip
set interface vlan1 dhcp relay server-name " 10.1.1.0"
set interface vlan1 dhcp relay server-name "255.255.255.0"
set interface vlan1 dhcp relay vpn
set interface vlan1 dhcp relay service
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" " 10.1.1.0/24"  10.1.1.0 255.255.255.0
set address "Trust" "192.168.200.0/24" 192.168.200.0 255.255.255.0
set address "Trust" "192.168.11.0/24" 192.168.11.0 255.255.255.0
set address "Trust" "192.168.100.0/24" 192.168.100.0 255.255.255.0
set address "Trust" "Site A 192.168.100.0" 192.168.100.0 255.255.255.0
set address "Untrust" " 10.1.1.0/24"  10.1.1.0 255.255.255.0
set address "Untrust" "63.65.164.62/30" 63.65.164.62 255.255.255.252
set address "Untrust" "Site B 192.168.200.0" 192.168.200.0 255.255.255.0
set group service "Server TESTSERVER"
set group service "Server TESTSERVER" add "OpenPorts"
set ippool "VPNPool" 10.1.1.1 10.1.1.254
set user "VPN_Dialup_User" uid 25
set user "VPN_Dialup_User" ike-id u-fqdn "itsupport@testsite.com" share-limit 200
set user "VPN_Dialup_User" type ike
set user "VPN_Dialup_User" "enable"
set user "test" uid 29
set user "test" type xauth
set user "test" password "******************************"
unset user "test" type auth
set user "test" "enable"
set user-group "vpnclient_group" id 14
set user-group "vpnclient_group" user "VPN_Dialup_User"
set ike p1-proposal "Conenct1" preshare group2 esp 3des md5 second 28800
set ike gateway "Site b Wan" address 120.156.143.76 Main outgoing-interface "ethernet0/2.1" preshare "*****************" proposal "pre-g2-3des-md5"
set ike gateway "VPN_Dialup_GW" dialup "vpnclient_group" Aggr outgoing-interface "ethernet0/2.1" preshare "***************" proposal "pre-g2-3des-sha"
set ike gateway "VPN_Dialup_GW" dpd-liveness interval 30
set ike gateway "VPN_Dialup_GW" nat-traversal udp-checksum
set ike gateway "VPN_Dialup_GW" nat-traversal keepalive-frequency 5
set ike gateway "VPN_Dialup_GW" xauth
unset ike gateway "VPN_Dialup_GW" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "VPNPool"
set xauth default dns1 192.168.100.1
set vpn "Site A to Site B" gateway "Site b Wan" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "Site A to Site B" monitor
set vpn "VPN_Dialup" gateway "VPN_Dialup_GW" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "VPN_Dialup" monitor
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set vpn-group id 12
set vpn-group id 1230
set url protocol websense
exit
set policy id 9 from "Trust" to "Untrust"  " 10.1.1.0/24" "Site B 192.168.200.0" "ANY" tunnel vpn "Site A to Site B" id 0x63
set policy id 9
exit
set policy id 8 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.100.0/24" "ANY" tunnel vpn "VPN_Dialup" id 0x62
set policy id 8
exit
set policy id 3 name "Tunnel Trust Link" from "Trust" to "Untrust"  "192.168.100.0/24" "Site B 192.168.200.0" "ANY" tunnel vpn "Site A to Site B" id 0x34 pair-policy 4 log
set policy id 3
exit
set policy id 4 name "Tunnel Trust Link" from "Untrust" to "Trust"  "Site B 192.168.200.0" "192.168.100.0/24" "ANY" tunnel vpn "Site A to Site B" id 0x34 pair-policy 3 log
set policy id 4
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2.1 gateway 200.215.164.21
set route 0.0.0.0/0 interface ethernet0/0 gateway 200.215.164.21
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
0
 
LVL 1

Author Closing Comment

by:Drilon Berisha
Perfect idea, everything worked.
0
