In Juniper terms it's set up as a route-based VPN exactly as per Chapter
4 of the VPN PDF for ScreenOS 6.3.

 

The other end isn't a Juniper, but I don't think that's the issue.

 

On the Juniper, if I put a default deny rule at the bottom of the policy
list, with logging, I can see that internet requests are trying to go
out via the Juniper's default gateway rather than through the tunnel.

 

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: 17 September 2010 14:12
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

 

But otherwise the VPN tunnel works to access the main site from the
remote site?

How is the original VPN rule set up?

 

Erik Goldoff

IT  Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Friday, September 17, 2010 8:46 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

 

It won't let me create that policy - the GUI just comes up with a
cryptic message "peer to_siteA have vpn with tunnel interface binding,
vpn invalid or not exist"?!

 

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: 17 September 2010 12:58
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

 

OK, apologies, coffee just kicking in here, quite a few hours earlier
than where you are.

 

Possibly a better method using the Juniper policies.

 

In your Trust to Untrust, or Trust to Global policies:

Create an ANY-ANY-ANY-TUNNEL (Source Destination Service Action) using
the tunnel created between sites.

For any device on the remote subnet that needs direct access, create a
policy with ANY-ANY-ANY-Permit and place it above this
any-any-any-tunnel rule.

 

Erik Goldoff

IT  Consultant

Systems, Networks, & Security 

'  Security is an ongoing process, not a one time event ! '

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Friday, September 17, 2010 7:16 AM
To: NT System Admin Issues
Subject: Juniper VPN Tunnel Query

 

I'm testing a VPN tunnel between what will be two sites.

 

I have the tunnel working just fine between Site A and Site B using a
route based VPN, however what I want to do is configure it so that in
Site B any traffic for 0.0.0.0 goes over the tunnel so it goes out to
the Internet via our main firewall/internet connection.

 

I'm struggling a little on how to configure the Juniper (an SSG running
ScreenOS 6.3.x) to do this as its default gateway for 0.0.0.0 is of
course the router to the ISP.

 

Thanks.

________________________________

MIRA Ltd

 

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England

Registered in England and Wales No. 402570

VAT Registration  GB 114 5409 96

 

The contents of this e-mail are confidential and are solely for the use
of the intended recipient.  If you receive this e-mail in error, please
delete it and notify us either by e-mail, telephone or fax.  You should
not copy, forward or otherwise disclose the content of the e-mail as
this is prohibited.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
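
Added example, not part of the original thread and not ScreenOS configuration: a longest-prefix-match model of the Site B routing table that shows why the logged internet requests leave via the ISP gateway, and why pointing 0.0.0.0/0 at the tunnel also needs a more specific route to the VPN peer. All addresses (RFC 5737 ranges), the interface names `lan`/`wan`/`tunnel.1` and the function names are assumptions made for the illustration.

```python
import ipaddress

PEER = "198.51.100.1"      # constructed: Site A public VPN gateway
INTERNET = "192.0.2.80"    # constructed: some internet host

def lookup(table, dst):
    """Longest-prefix match: interface of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in table]
    hits = [(n.prefixlen, ifc) for n, ifc in nets if addr in n]
    return max(hits)[1] if hits else None

def egress(table, dst, peer=PEER, tunnel_if="tunnel.1"):
    """Where a packet physically leaves in this simplified model.

    Traffic routed into the tunnel is encapsulated and addressed to the
    peer, so the outer packet needs its own route lookup. If that lookup
    also lands on the tunnel, the route is recursive and unusable."""
    ifc = lookup(table, dst)
    if ifc != tunnel_if:
        return ifc
    outer = lookup(table, peer)
    return "LOOP" if outer == tunnel_if else f"{tunnel_if} over {outer}"

# Constructed table matching the thread: tunnel works for Site A's LAN,
# default route still points at the ISP router.
AS_DESCRIBED = [
    ("10.2.0.0/24", "lan"),        # Site B LAN
    ("203.0.113.0/30", "wan"),     # link to the ISP router
    ("10.1.0.0/16", "tunnel.1"),   # Site A LAN via the VPN
    ("0.0.0.0/0", "wan"),          # default gateway = ISP router
]

# Default moved to the tunnel with nothing else changed: the peer itself
# is now only reachable "through the tunnel".
DEFAULT_VIA_TUNNEL = AS_DESCRIBED[:3] + [("0.0.0.0/0", "tunnel.1")]

# Same, plus a host route so the outer VPN packets still use the ISP link.
WITH_PEER_ROUTE = DEFAULT_VIA_TUNNEL + [(PEER + "/32", "wan")]

if __name__ == "__main__":
    for name, table in [("as described", AS_DESCRIBED),
                        ("default via tunnel", DEFAULT_VIA_TUNNEL),
                        ("plus peer /32", WITH_PEER_ROUTE)]:
        print(f"{name:20} internet -> {egress(table, INTERNET)}")
```

Routing only selects the path; in a route-based setup the zone policies still decide whether the traffic is permitted.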
