  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 771

Same Site VPN Juniper VPN

I have several Juniper SSG5 units and I am trying to connect them via VPN. However, the untrusted LAN subnet for each unit is the same as they are all intra-site units. I have followed as many documents that I can find regarding a VPN setup, but I am missing something. Ultimately, I need the following setup. Device to SSG5 #1 Trusted Zone (port E0/2) on Subnet A (192.168.1.0). Device to SSG5 #2 Trusted Zone (port E0/2) on subnet B (192.168.2.0). Untrusted connection between SSG5 #1 and SSG5 #2 using port E0/0 on both units to use Subnet C (192.168.3.0). There will be no internet connection on this network, so that part is irrelevant in this situation. However, I do need the device connected to SSG #1 to be able to communicate with the device on SSG #2. I also need data encryption, so I do not believe that simply setting routes will suffice either. Please advise.
0
Asked by: bveltman
2 Solutions
 
Sanga Collins (Systems Admin) commented:
Having the same subnet for the Untrust WAN should not be an issue. I often do this kind of setup when testing inside my office. SSG1 would have WAN IP 10.10.2.20 and SSG2 would have WAN IP 10.10.2.30, and I build the VPN between them just as I would two that are in physically separate locations.

Traffic through the VPN is encrypted, so there is nothing special needed for that either. You can use route- or policy-based VPN. I prefer route-based VPN, but both will work equally well.
0
 
Qlemo (C++ Developer) commented:
Agree to that. All you have to make sure is that SSG#1 Untrust IP can ping SSG#2 Untrust IP and vice versa, which should be no issue at all if they are in the same subnet.

In opposition to sangamc, I prefer pbVPN, because I have to manage on-demand tunnels to conflicting networks, which is much more complex with rbVPN. And you need a policy anyway to control traffic, so why not bind the VPN to the policy in the first place ;-).
pbVPNs are more restricted, but easier to config and manage.

The policy needs to be set up for the subnets A and B:
   SSG#1: A (Trust) to B (Untrust), bidirectional
   SSG#2: B (Trust) to A (Untrust), bidirectional
Subnet C is not used in the policies. The VPN gateways are 192.168.3.2 for SSG#1 and 192.168.3.1 for SSG#2.
Don't set a Proxy ID in IKE, it will be taken from the policy.
0
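The policy-based layout Qlemo describes, written out as ScreenOS CLI for SSG#1 (an added example, not configuration from the thread or from Juniper; the trust-side interface address 192.168.1.1/24, the object and VPN names, the AES-128/SHA-1 proposals and the placeholder pre-shared key are assumptions, and lines starting with `#` are annotations rather than commands). SSG#2 mirrors it with subnets A and B swapped, its untrust address 192.168.3.1 and the IKE gateway pointing at 192.168.3.2.

```screenos
# Interfaces: E0/0 on shared subnet C (untrust), E0/2 on subnet A (trust)
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 192.168.3.2/24
set interface ethernet0/2 zone trust
set interface ethernet0/2 ip 192.168.1.1/24

# Address objects for the two trusted subnets; subnet C appears in no policy
set address trust "subnet-A" 192.168.1.0 255.255.255.0
set address untrust "subnet-B" 192.168.2.0 255.255.255.0

# Phase 1: peer is SSG#2's untrust address, main mode with a pre-shared key.
# Replace the placeholder with a long random key exchanged out-of-band.
set ike gateway "gw-ssg2" address 192.168.3.1 main outgoing-interface ethernet0/0 preshare "REPLACE_WITH_STRONG_PSK" proposal "pre-g2-aes128-sha"

# Phase 2: no proxy-id is configured; ScreenOS derives it from the tunnel policy
set vpn "vpn-to-ssg2" gateway "gw-ssg2" proposal "g2-esp-aes128-sha"

# Tunnel policies A (Trust) <-> B (Untrust). pair-policy ties the two
# directions to one SA; log records matching sessions for later review.
set policy id 1 from "Trust" to "Untrust" "subnet-A" "subnet-B" "ANY" tunnel vpn "vpn-to-ssg2" log
set policy id 2 from "Untrust" to "Trust" "subnet-B" "subnet-A" "ANY" tunnel vpn "vpn-to-ssg2" pair-policy 1 log
save

# Checks once both units are configured: the peer must answer on subnet C,
# and the SA should show as active after the first packet crosses the tunnel
ping 192.168.3.1
get sa
```

With no tunnel policy matching a flow, traffic between A and B is dropped rather than sent in clear over subnet C, which is the property the question asks for.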
 
bveltman (Author) commented:
Thanks for your help.  Knowing it can be done is half the battle.
0
