Solved

Same Site VPN Juniper VPN

Posted on 2013-06-27
Last Modified: 2013-06-28
I have several Juniper SSG5 units and I am trying to connect them via VPN.  However, the untrusted LAN subnet for each unit is the same as they are all intra-site units.  I have followed as many documents that I can find regarding a VPN setup, but I am missing something.  Ultimately, I need the following setup.  Device to SSG5 #1 Trusted Zone (port E0/2) on Subnet A (192.168.1.0).  Device to SSG5 #2 Trusted Zone (port E0/2) on subnet B (192.168.2.0).  Untrusted connection between SSG5 #1 and SSG5 #2 using port E0/0 on both units to use Subnet C (192.168.3.0).  There will be no internet connection on this network, so that part is irrelevant in this situation.  However, I do need the device connected to SSG #1 to be able to communicate with the device on SSG #2.  I also need data encryption, so I do not believe that simply setting routes will suffice either.  Please advise.
Attachment: Juniper-SSG5.jpg
Question by:bveltman
3 Comments
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 250 total points
ID: 39282726
Having the same subnet for the Untrust WAN should not be an issue. I often do this kind of setup when testing inside my office. SSG1 would have WAN IP 10.10.2.20 and SSG2 would have WAN IP 10.10.2.30, and I build the VPN between them just as I would between two that are in physically separate locations.

Traffic through the VPN is encrypted, so there is nothing special needed for that either. You can use a route-based or a policy-based VPN. I prefer route-based VPN, but both will work equally well.
 
LVL 70

Accepted Solution

by:Qlemo
Qlemo earned 250 total points
ID: 39282867
Agreed. All you have to make sure of is that the SSG#1 Untrust IP can ping the SSG#2 Untrust IP and vice versa, which should be no issue at all if they are in the same subnet.

Unlike sangamc, I prefer pbVPN, because I have to manage on-demand tunnels to conflicting networks, which is much more complex with rbVPN. And you need a policy anyway to control traffic, so why not bind the VPN to the policy in the first place ;-).
pbVPNs are more restricted, but easier to configure and manage.

The policy needs to be set up for the subnets A and B:
   SSG#1: A (Trust) to B (Untrust), bidirectional
   SSG#2: B (Trust) to A (Untrust), bidirectional
Subnet C is not used in the policies. The VPN gateways are 192.168.3.2 for SSG#1 and 192.168.3.1 for SSG#2.
Don't set a Proxy ID in IKE, it will be taken from the policy.
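The layout both answers describe, written out as ScreenOS CLI for the two SSG5 units. This is an added example, not configuration posted by either commenter or by Juniper; it follows the policy-based design in the accepted answer (tunnel policies between subnets A and B, VPN gateways 192.168.3.2 and 192.168.3.1, no proxy-ID set in IKE). The Trust interface addresses 192.168.1.1 and 192.168.2.1, the object names, the choice of the predefined "standard" security level and the `unset interface bgroup0 port ethernet0/2` step (only needed if ethernet0/2 is still a member of the factory-default bgroup0 on your unit) are all assumptions; replace the pre-shared key placeholder with a long random value that is identical on both sides.

```text
#### SSG#1: Trust = subnet A on ethernet0/2, Untrust IP 192.168.3.2 on ethernet0/0

## Interfaces (assumption: e0/2 is removed from the factory bgroup0 so it can hold its own IP;
## if you keep bgroup0 as your Trust interface, apply the Trust settings to bgroup0 instead)
unset interface bgroup0 port ethernet0/2
set interface ethernet0/2 zone Trust
set interface ethernet0/2 ip 192.168.1.1/24
set interface ethernet0/2 route
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 192.168.3.2/24

## Address-book entries referenced by the tunnel policies (names are arbitrary)
set address Trust "SubnetA" 192.168.1.0 255.255.255.0
set address Untrust "SubnetB" 192.168.2.0 255.255.255.0

## Phase 1: main mode, pre-shared key, predefined "standard" proposal set.
## The peer is reachable directly on subnet C, so no route or NAT-traversal is involved.
set ike gateway "gw-ssg2" address 192.168.3.1 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard

## Phase 2: no proxy-id is configured here; ScreenOS derives it from the tunnel policy
set vpn "vpn-to-ssg2" gateway "gw-ssg2" sec-level standard

## Bidirectional tunnel policy pair: A (Trust) <-> B (Untrust). Subnet C appears nowhere.
set policy id 1 from Trust to Untrust "SubnetA" "SubnetB" "ANY" tunnel vpn "vpn-to-ssg2" pair-policy 2 log
set policy id 2 from Untrust to Trust "SubnetB" "SubnetA" "ANY" tunnel vpn "vpn-to-ssg2" pair-policy 1 log
save

#### SSG#2: Trust = subnet B on ethernet0/2, Untrust IP 192.168.3.1 on ethernet0/0

unset interface bgroup0 port ethernet0/2
set interface ethernet0/2 zone Trust
set interface ethernet0/2 ip 192.168.2.1/24
set interface ethernet0/2 route
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 192.168.3.1/24

set address Trust "SubnetB" 192.168.2.0 255.255.255.0
set address Untrust "SubnetA" 192.168.1.0 255.255.255.0

## Same PSK and same sec-level as SSG#1; mismatched proposals are the usual cause of Phase 1 failing
set ike gateway "gw-ssg1" address 192.168.3.2 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard
set vpn "vpn-to-ssg1" gateway "gw-ssg1" sec-level standard

## Mirror image of the SSG#1 policies: B (Trust) <-> A (Untrust)
set policy id 1 from Trust to Untrust "SubnetB" "SubnetA" "ANY" tunnel vpn "vpn-to-ssg1" pair-policy 2 log
set policy id 2 from Untrust to Trust "SubnetA" "SubnetB" "ANY" tunnel vpn "vpn-to-ssg1" pair-policy 1 log
save

#### Verification (run on either unit after a host in A sends traffic to a host in B)
get ike cookies        # Phase 1 SA should show the peer's Untrust IP
get sa active          # Phase 2 SAs with A/B as the negotiated proxy-IDs, state A/- (active)
get policy id 1        # confirms the tunnel binding and the auto-filled pair-policy
```

Because the tunnel is triggered by traffic matching policy id 1, the SAs only appear in `get sa active` after a device on subnet A actually talks to a device on subnet B; a quiet tunnel showing no SA is not a fault. Putting ethernet0/2 in route mode keeps the device from source-NATing Trust hosts behind the Untrust interface IP, which would otherwise never match the A-to-B proxy-ID on the far side.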
 

Author Closing Comment

by:bveltman
ID: 39284202
Thanks for your help.  Knowing it can be done is half the battle.
