Solved

Same Site VPN Juniper VPN

Posted on 2013-06-27
3
738 Views
Last Modified: 2013-06-28
I have several Juniper SSG5 units and I am trying to connect them via VPN. However, the untrusted LAN subnet for each unit is the same as they are all intra-site units. I have followed as many documents that I can find regarding a VPN setup, but I am missing something. Ultimately, I need the following setup.

Device to SSG5 #1 Trusted Zone (port E0/2) on Subnet A (192.168.1.0). Device to SSG5 #2 Trusted Zone (port E0/2) on subnet B (192.168.2.0). Untrusted connection between SSG5 #1 and SSG5 #2 using port E0/0 on both units to use Subnet C (192.168.3.0).

There will be no internet connection on this network, so that part is irrelevant in this situation. However, I do need the device connected to SSG #1 to be able to communicate with the device on SSG #2. I also need data encryption, so I do not believe that simply setting routes will suffice either. Please advise.

[Attachment: Juniper-SSG5.jpg]
Question by:bveltman
3 Comments
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 250 total points
ID: 39282726
Having the same subnet for the Untrust WAN, should not be an issue. I often do this kind of setup when testing inside my office. SSG1 would have wan IP 10.10.2.20 and SSG2 would have wan IP 10.10.2.30 and I build the VPN between them just as I would two that are in physically separate locations.

Traffic through the VPN is encrypted so there is nothing special needed for that either. You can use route or policy based VPN. I prefer route based VPN but both will work equally well
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 250 total points
ID: 39282867
Agree to that. All you have to make sure is that SSG#1 Untrust IP can ping SSG#2 Untrust IP and vice versa, which should be no issue at all if they are in the same subnet.

In opposition to sangamc I prefer pbVPN - because I have to manage on-demand tunnels to conflicting networks, which is much more complex with rbVPN. And you need a policy anyway to control traffic, so why not bind the VPN to the policy in the first place ;-).
pbVPNs are more restricted, but easier to configure and manage.

The policy needs to be set up for the subnets A and B:
   SSG#1: A (Trust) to B (Untrust), bidirectional
   SSG#2: B (Trust) to A (Untrust), bidirectional
Subnet C is not used in the policies. The VPN gateways are 192.168.3.2 for SSG#1 and 192.168.3.1 for SSG#2.
Don't set a Proxy ID in IKE, it will be taken from the policy.
0
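The policy-based setup Qlemo describes, written out as ScreenOS CLI for SSG#1. This is an added example, not configuration posted in the thread or supplied by Juniper: the Trust-side interface addresses (.1 on each subnet), the address-book entries, the gateway and VPN object names, the pre-shared key placeholder and the static route to subnet B are all assumptions; the subnets, interfaces and Untrust gateway addresses (192.168.3.2 for SSG#1, 192.168.3.1 for SSG#2) come from the question and the accepted answer. Lines beginning with `#` are annotations and are not ScreenOS commands; drop them before pasting.

```screenos
# --- SSG#1 (Untrust 192.168.3.2, Trust = subnet A 192.168.1.0/24) ---

# Interfaces, as in the question: E0/2 in Trust, E0/0 in Untrust.
# The Trust-side host addresses (.1) are assumed.
set interface ethernet0/2 zone Trust
set interface ethernet0/2 ip 192.168.1.1/24
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 192.168.3.2/24

# Address-book entries for the local and remote LANs (names assumed).
# The remote subnet is defined in Untrust because that is where the
# tunnel policy points; subnet C never appears in a policy.
set address Trust "subnet-A" 192.168.1.0 255.255.255.0
set address Untrust "subnet-B" 192.168.2.0 255.255.255.0

# Phase 1: IKE gateway toward SSG#2 on the shared Untrust subnet.
# "sec-level standard" selects ScreenOS's predefined proposal set;
# the pre-shared key is a placeholder and must be replaced on both units.
set ike gateway "gw-ssg2" address 192.168.3.1 Main outgoing-interface ethernet0/0 preshare "REPLACE_WITH_STRONG_PSK" sec-level standard

# Phase 2: the VPN object bound to that gateway. No proxy-id is set here;
# as noted above, a policy-based VPN derives it from the policy.
set vpn "vpn-ssg2" gateway "gw-ssg2" sec-level standard

# Bidirectional tunnel policy A (Trust) <-> B (Untrust). The second policy
# is paired with the first so both directions use the same SA.
set policy id 1 from "Trust" to "Untrust" "subnet-A" "subnet-B" "ANY" tunnel vpn "vpn-ssg2" log
set policy id 2 from "Untrust" to "Trust" "subnet-B" "subnet-A" "ANY" tunnel vpn "vpn-ssg2" pair-policy 1 log

# Assumption: with no internet there is no default route, so packets for
# subnet B still need a route out of E0/0 to reach the policy lookup.
set route 192.168.2.0/24 interface ethernet0/0 gateway 192.168.3.1

# --- SSG#2 (Untrust 192.168.3.1, Trust = subnet B 192.168.2.0/24) ---
# Mirror image: swap the subnets and point the gateway at 192.168.3.2.
set interface ethernet0/2 zone Trust
set interface ethernet0/2 ip 192.168.2.1/24
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 192.168.3.1/24
set address Trust "subnet-B" 192.168.2.0 255.255.255.0
set address Untrust "subnet-A" 192.168.1.0 255.255.255.0
set ike gateway "gw-ssg1" address 192.168.3.2 Main outgoing-interface ethernet0/0 preshare "REPLACE_WITH_STRONG_PSK" sec-level standard
set vpn "vpn-ssg1" gateway "gw-ssg1" sec-level standard
set policy id 1 from "Trust" to "Untrust" "subnet-B" "subnet-A" "ANY" tunnel vpn "vpn-ssg1" log
set policy id 2 from "Untrust" to "Trust" "subnet-A" "subnet-B" "ANY" tunnel vpn "vpn-ssg1" pair-policy 1 log
set route 192.168.1.0/24 interface ethernet0/0 gateway 192.168.3.2
```

Before testing end to end, confirm the prerequisite from the accepted answer (each Untrust IP can ping the other), then send traffic from a host on subnet A to one on subnet B and check `get sa` on either unit: the Phase 2 entry for the peer should show an active SA, and `get policy id 1` should show a non-zero hit count. Because the policy supplies the proxy-id, the two address-book entries on the two units must describe the same prefixes exactly; a mismatch is the usual reason Phase 1 completes but Phase 2 never does.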
 

Author Closing Comment

by:bveltman
ID: 39284202
Thanks for your help.  Knowing it can be done is half the battle.
0
