Solved

Same Site VPN Juniper VPN

Posted on 2013-06-27
3
743 Views
Last Modified: 2013-06-28
I have several Juniper SSG5 units and I am trying to connect them via VPN. However, the untrusted LAN subnet for each unit is the same as they are all intra-site units. I have followed as many documents as I can find regarding a VPN setup, but I am missing something. Ultimately, I need the following setup. Device to SSG5 #1 Trusted Zone (port E0/2) on Subnet A (192.168.1.0). Device to SSG5 #2 Trusted Zone (port E0/2) on subnet B (192.168.2.0). Untrusted connection between SSG5 #1 and SSG5 #2 using port E0/0 on both units to use Subnet C (192.168.3.0). There will be no internet connection on this network, so that part is irrelevant in this situation. However, I do need the device connected to SSG #1 to be able to communicate with the device on SSG #2. I also need data encryption, so I do not believe that simply setting routes will suffice either. Please advise.
Attachment: Juniper-SSG5.jpg
Question by:bveltman
3 Comments
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 250 total points
ID: 39282726
Having the same subnet for the Untrust WAN should not be an issue. I often do this kind of setup when testing inside my office. SSG1 would have WAN IP 10.10.2.20 and SSG2 would have WAN IP 10.10.2.30, and I build the VPN between them just as I would two that are in physically separate locations.

Traffic through the VPN is encrypted, so there is nothing special needed for that either. You can use route- or policy-based VPN. I prefer route-based VPN, but both will work equally well.
 
LVL 69

Accepted Solution

by:Qlemo
Qlemo earned 250 total points
ID: 39282867
Agree with that. All you have to make sure is that SSG#1's Untrust IP can ping SSG#2's Untrust IP and vice versa, which should be no issue at all if they are in the same subnet.

In opposition to sangamc, I prefer pbVPN, because I have to manage on-demand tunnels to conflicting networks, which is much more complex with rbVPN. And you need a policy anyway to control traffic, so why not bind the VPN to the policy in the first place ;-).
pbVPNs are more restricted, but easier to configure and manage.

The policy needs to be set up for the subnets A and B:
   SSG#1: A (Trust) to B (Untrust), bidirectional
   SSG#2: B (Trust) to A (Untrust), bidirectional
Subnet C is not used in the policies. The VPN gateways are 192.168.3.2 for SSG#1 and 192.168.3.1 for SSG#2.
Don't set a Proxy ID in IKE; it will be taken from the policy.
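The policy-based setup Qlemo describes, written out as ScreenOS CLI for both boxes. This is an added example, not part of the thread and not from either expert: the zone/port layout, subnets and gateway IPs come from the question and the accepted answer, while the interface addresses 192.168.1.1 and 192.168.2.1, the address-book, gateway and VPN names, the placeholder pre-shared key, and the assumption that ethernet0/2 is a standalone Trust interface (on a factory SSG5 it is a bgroup0 member, in which case the bgroup gets the IP instead) are assumptions. Lines starting with `#` are annotations, not CLI. Because there is no internet, a specific route to the peer's Trust subnet replaces the usual default route; the policy still needs a route lookup to land the packet in the Untrust zone.

```text
# ---- SSG#1 (Trust = 192.168.1.0/24 on ethernet0/2, Untrust IP 192.168.3.2) ----
set interface ethernet0/2 ip 192.168.1.1/24
set interface ethernet0/0 ip 192.168.3.2/24
# Address-book entries for the two subnets the policies reference; subnet C never appears
set address trust "net-A" 192.168.1.0 255.255.255.0
set address untrust "net-B" 192.168.2.0 255.255.255.0
# Route subnet B toward the peer's Untrust IP so the packet reaches the Untrust zone
set route 192.168.2.0/24 interface ethernet0/0 gateway 192.168.3.1
# Phase 1: peer is SSG#2's Untrust IP; no Proxy ID here, the policy supplies it
set ike gateway "gw-ssg2" address 192.168.3.1 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-PSK" sec-level standard
# Phase 2
set vpn "vpn-ssg2" gateway "gw-ssg2" sec-level standard
# Bidirectional A<->B, action tunnel; pair-policy links the return direction to the same SA
set policy id 1 from trust to untrust "net-A" "net-B" any tunnel vpn "vpn-ssg2" log
set policy id 2 from untrust to trust "net-B" "net-A" any tunnel vpn "vpn-ssg2" pair-policy 1 log
save

# ---- SSG#2 mirrors it (Trust = 192.168.2.0/24, Untrust IP 192.168.3.1) ----
set interface ethernet0/2 ip 192.168.2.1/24
set interface ethernet0/0 ip 192.168.3.1/24
set address trust "net-B" 192.168.2.0 255.255.255.0
set address untrust "net-A" 192.168.1.0 255.255.255.0
set route 192.168.1.0/24 interface ethernet0/0 gateway 192.168.3.2
set ike gateway "gw-ssg1" address 192.168.3.2 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-PSK" sec-level standard
set vpn "vpn-ssg1" gateway "gw-ssg1" sec-level standard
set policy id 1 from trust to untrust "net-B" "net-A" any tunnel vpn "vpn-ssg1" log
set policy id 2 from untrust to trust "net-A" "net-B" any tunnel vpn "vpn-ssg1" pair-policy 1 log
save

# ---- Checks, in the order the answers suggest ----
# 1. Untrust-to-Untrust reachability (the prerequisite Qlemo names), run on SSG#1
ping 192.168.3.1 from ethernet0/0
# 2. Phase 1 came up, then Phase 2 SAs exist once a host on A talks to a host on B
get ike cookies
get sa active
```

With `sec-level standard` both sides negotiate the same predefined proposal set, which is the simplest way to avoid a Phase 1 or Phase 2 mismatch between two boxes you manage yourself; the `log` keyword on the tunnel policies is what makes encrypted sessions visible in the traffic log for later troubleshooting.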
 

Author Closing Comment

by:bveltman
ID: 39284202
Thanks for your help. Knowing it can be done is half the battle.