Juniper VPN Tunnel Query

2010-09-17 Thread Paul Hutchings
I'm testing a VPN tunnel between what will be two sites.

I have the tunnel working just fine between Site A and Site B using a
route-based VPN; however, what I want to do is configure it so that in
Site B any traffic for 0.0.0.0 goes over the tunnel so it goes out to
the Internet via our main firewall/internet connection.

I'm struggling a little on how to configure the Juniper (an SSG running
ScreenOS 6.3.x) to do this as its default gateway for 0.0.0.0 is of
course the router to the ISP.

Thanks.


--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration  GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.  If you receive this e-mail in error, please delete it and 
notify us either by e-mail, telephone or fax.  You should not copy, forward or 
otherwise disclose the content of the e-mail as this is prohibited.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Juniper VPN Tunnel Query

2010-09-17 Thread Erik Goldoff
Static route on the local systems for the remote 'main' firewall/internet
via the local IP of your local Juniper, and a default gateway on local
systems pointing to that remote main firewall?

Erik Goldoff

IT Consultant

Systems, Networks, Security

' Security is an ongoing process, not a one time event ! '

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Friday, September 17, 2010 7:16 AM
To: NT System Admin Issues
Subject: Juniper VPN Tunnel Query

 


RE: Juniper VPN Tunnel Query

2010-09-17 Thread Paul Hutchings
Erik, can you expand a little please?

Site A (main site) 10.60.0.0/16 - main firewall IP of 10.60.1.1

Site B (remote site) 192.168.99.0/24 - Juniper's LAN IP is 192.168.99.1

At Site B right now everyone's default gateway would be 192.168.99.1 but
the VPN tunnels all traffic for 10.60.0.0/16 over the tunnel.1 interface
to the firewall at site B.

Whilst I get what VPNs are/what they do, I've not had much hands-on and
each vendor seems to do the same thing a slightly different way.

 

Thanks,

Paul

 

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: 17 September 2010 12:31
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

 


RE: Juniper VPN Tunnel Query

2010-09-17 Thread Erik Goldoff
OK, at site B you set up a static route

   10.60.1.1  255.255.255.255  - 192.168.99.1

so that all site B computers know how to get to the main firewall via the
local firewall (the local firewall will know to traverse the VPN and not
the public internet).

Also at site B you set up a default gateway route

   0.0.0.0  0.0.0.0  - 10.60.1.1

so that all default traffic goes to the main site.

Alternatively, you could put a static route in the remote Juniper to locate
the public IP of the main firewall via the remote internet/public port
address (to facilitate the tunnel) and a default gateway in the remote
Juniper to the main firewall at 10.60.1.1.

This way, ONLY the traffic to create the tunnel will travel the internet
connection on the remote Juniper, and ALL OTHER traffic is forced over the
tunnel. This would complicate any remote configuration/access to the
Juniper at 192.168.99.1 except from within the main site.


From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Friday, September 17, 2010 7:35 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

 

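Erik's Juniper-side alternative (a host route for the main firewall's public address via the ISP port, then a default route into the tunnel), written out as ScreenOS 6.3 CLI for the Site B SSG. This is an added illustration, not configuration from the thread: the public addresses 203.0.113.10 and 198.51.100.1, the untrust interface name ethernet0/0, and the use of to_siteA as the VPN name are assumptions, and the Site A side is not shown.

```screenos
# Site B SSG, ScreenOS 6.3.x. Lines starting with '#' are annotation only.
# Placeholder values (assumed, not taken from the thread):
#   ethernet0/0    untrust interface of the Site B SSG
#   198.51.100.1   ISP router, currently the SSG's default gateway
#   203.0.113.10   public IP of the Site A main firewall (the IKE/ESP peer)
#   tunnel.1       tunnel interface bound to the route-based VPN "to_siteA"
set vrouter trust-vr

# 1. Host route for the VPN peer's public address via the ISP. Add this
#    FIRST: once 0.0.0.0/0 points into tunnel.1, the IKE/ESP packets that
#    carry the tunnel would otherwise be routed into the tunnel themselves,
#    and the VPN could never re-establish after a rekey or a reboot.
set route 203.0.113.10/32 interface ethernet0/0 gateway 198.51.100.1 metric 1

# 2. Replace the default route via the ISP with a default route into the
#    tunnel, so everything except the tunnel packets goes to the main site.
#    (If the ISP default was created with 'set interface ethernet0/0 gateway',
#    remove it with 'unset interface ethernet0/0 gateway' instead.)
unset route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1
set route 0.0.0.0/0 interface tunnel.1 metric 1

# 3. Optional: a worse-metric default via the ISP as a fallback while the
#    tunnel is down. This lets Site B bypass the main firewall during an
#    outage, so leave it out if every egress must be inspected centrally.
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1 metric 100
exit

# The fallback only takes over if tunnel.1 actually goes down when the peer
# is unreachable, which requires VPN monitoring on the tunnel.
set vpn to_siteA monitor rekey

# Verify: the peer must resolve to the ISP path, any other public address
# (192.0.2.1 is just a test address) must resolve to tunnel.1, and the
# security association must still be up after the change.
get route ip 203.0.113.10
get route ip 192.0.2.1
get sa active
```

The main firewall at Site A must also route 192.168.99.0/24 back into its end of the tunnel and include that subnet in its outbound NAT, otherwise Site B's Internet traffic gets out but replies never return.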

RE: Juniper VPN Tunnel Query

2010-09-17 Thread Erik Goldoff
And yes, I know, the default gateway by original definition is supposed to
live adjacent on the same subnet as the station.

 


From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Friday, September 17, 2010 7:49 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

 


RE: Juniper VPN Tunnel Query

2010-09-17 Thread Erik Goldoff
OK, apologies, coffee just kicking in here, quite a few hours earlier than
where you are.

Possibly a better method using the Juniper policies.

In your Trust to Untrust, or Trust to Global, policies:

Create an ANY-ANY-ANY-TUNNEL (Source, Destination, Service, Action) policy
using the tunnel created between sites.

For any device on the remote subnet that needs direct access, create a
policy with ANY-ANY-ANY-Permit and place it above this any-any-any-tunnel
rule.

 


From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Friday, September 17, 2010 7:16 AM
To: NT System Admin Issues
Subject: Juniper VPN Tunnel Query

 


RE: Juniper VPN Tunnel Query

2010-09-17 Thread Erik Goldoff
Erik Goldoff would like to recall this message "RE: Juniper VPN Tunnel
Query".

But as we all know, that capability does not exist within Outlook's SMTP
messaging, so instead, please limit the forthcoming derision and ridicule to
a fun, jovial nature appropriate for a Friday :)

 


From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Friday, September 17, 2010 7:49 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

 


Re: RE: Juniper VPN Tunnel Query

2010-09-17 Thread Andrew S. Baker
It's a deal!

-ASB: http://XeeSM.com/AndrewBaker

Sent from my Motorola Droid

On Sep 17, 2010 8:03 AM, Erik Goldoff egold...@gmail.com wrote:

RE: Juniper VPN Tunnel Query

2010-09-17 Thread Paul Hutchings
It won't let me create that policy - the GUI just comes up with a
cryptic message "peer to_siteA have vpn with tunnel interface binding,
vpn invalid or not exist"?!

 

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: 17 September 2010 12:58
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

 


RE: Juniper VPN Tunnel Query

2010-09-17 Thread Erik Goldoff
But otherwise the VPN tunnel works to access the main site from the remote
site???

How is the original VPN rule set up?

Erik Goldoff
IT Consultant
Systems, Networks, Security
'Security is an ongoing process, not a one time event!'

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Friday, September 17, 2010 8:46 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

It won't let me create that policy; the GUI just comes up with a cryptic
message "peer to_siteA have vpn with tunnel interface binding, vpn invalid
or not exist"?!

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: 17 September 2010 12:58
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

OK, apologies, coffee just kicking in here, quite a few hours earlier than
where you are.

Possibly a better method using the Juniper policies.

In your Trust to Untrust, or Trust to Global, policies:

Create an ANY-ANY-ANY-TUNNEL (Source, Destination, Service, Action) policy
using the tunnel created between sites.

For any device on the remote subnet that needs direct access, create a
policy with ANY-ANY-ANY-Permit and place it above this any-any-any-tunnel
rule.

Erik Goldoff
IT Consultant
Systems, Networks, Security
'Security is an ongoing process, not a one time event!'


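Erik's policy-based approach above, and the GUI error Paul hit when he tried it, as an added example that is not part of the original thread. In ScreenOS a VPN object that is bound to a tunnel interface is route-based, and a policy whose action is "tunnel" cannot reference it; that is what "peer to_siteA have vpn with tunnel interface binding, vpn invalid or not exist" is telling you. Erik's ANY-ANY-ANY-Tunnel policy therefore needs a VPN object with no interface binding, i.e. the Site B end has to be policy-based rather than route-based. The ISP default route stays as it is: ScreenOS only uses it to pick the Untrust zone for the policy lookup, and the tunnel policy then encrypts the traffic. The object names, policy IDs and addresses (192.168.1.0/24 for the Site B LAN, 198.51.100.1 as Site A's public address) are assumptions, not values from the thread.

```screenos
## Site B SSG, ScreenOS 6.3 -- policy-based variant. Added example; the
## object names, policy IDs and addresses are assumptions, not from the thread.

## Address book objects (assumed networks)
set address trust "siteB-lan" 192.168.1.0 255.255.255.0
set address trust "direct-host" 192.168.1.10 255.255.255.255

## Phase 1 / Phase 2 to Site A. There is deliberately no "bind interface"
## line: a VPN bound to tunnel.1 is route-based and ScreenOS refuses it as a
## policy tunnel action (the "vpn with tunnel interface binding" error).
set ike gateway "gw-siteA" address 198.51.100.1 main outgoing-interface ethernet0/0 preshare "REPLACE-ME" sec-level standard
set vpn "vpn-siteA-pb" gateway "gw-siteA" sec-level standard

## Hosts that must bypass the tunnel come first: ScreenOS stops at the
## first matching policy, so this is created before the tunnel policy.
set policy id 10 from trust to untrust "direct-host" any any permit log

## Everything else from the LAN, to any destination, is tunnelled. The
## policy's source/destination become the Phase 2 proxy-ID
## (192.168.1.0/24 <-> 0.0.0.0/0), so the non-Juniper peer must accept
## 0.0.0.0/0 as its remote selector.
set policy id 11 from trust to untrust "siteB-lan" any any tunnel vpn "vpn-siteA-pb" log

## Return direction: replies from the Internet arrive via Site A's tunnel.
set policy id 12 from untrust to trust any "siteB-lan" any tunnel vpn "vpn-siteA-pb" log

## Paul's explicit logged deny stays at the bottom.
set policy id 99 from trust to untrust any any any deny log

## Checks
get policy            # order must be 10, 11, 99 in Trust->Untrust
get sa                # Phase 2 SA should show 192.168.1.0/24 <-> 0.0.0.0/0
```

The policy's source, destination and service become the Phase 2 proxy-ID, here 192.168.1.0/24 to 0.0.0.0/0 for any service, so the non-Juniper peer at Site A must carry the mirror selector and must source-NAT 192.168.1.0/24 when it forwards that traffic on to the Internet. Policy order is the whole point of Erik's suggestion: the direct-access permit has to sit above the tunnel policy, and the logged deny stays last.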
RE: Juniper VPN Tunnel Query

2010-09-17 Thread Paul Hutchings
In Juniper terms it's set up as a route-based VPN exactly as per Chapter
4 of the VPN PDF for ScreenOS 6.3.

The other end isn't a Juniper, but I don't think that's the issue.

On the Juniper if I put a default deny rule at the bottom of the policy
list, with logging, I can see that internet requests are trying to go
out via the Juniper's default gateway rather than through the tunnel.


RE: Juniper VPN Tunnel Query

2010-09-17 Thread Erik Goldoff
I apologize for not knowing the 6.x version documentation; I've been stuck
on the NS-5GT devices with most of my clients and the latest there is 5.3 I
think.

What happens if you attempt to set up a route-based VPN for the route
0.0.0.0 just like for the 10.60.1.0 route to the main office?

Erik Goldoff
IT Consultant
Systems, Networks, Security
'Security is an ongoing process, not a one time event!'


RE: Juniper VPN Tunnel Query

2010-09-17 Thread Erik Goldoff
Are you at the remote 192.168.x.x site?

Erik Goldoff
IT Consultant
Systems, Networks, Security
'Security is an ongoing process, not a one time event!'

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Friday, September 17, 2010 9:33 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

I'm assuming it won't work because of the metrics?


RE: Juniper VPN Tunnel Query

2010-09-17 Thread Paul Hutchings
The "site" is on my desk, as for testing I'm using a firewall in our DMZ
for the remote site, so the external NICs on each firewall are on the
same switch/subnet.


RE: Juniper VPN Tunnel Query

2010-09-17 Thread Erik Goldoff
OK, just making sure you had local access to the Juniper ... I'd suggest
actually trying the route-based VPN on 0.0.0.0 rather than assuming the
metric would mess it up.

I'll still be here if you try and it fails; you can say you told me so, but
IMNSHO it's at least worth a try.

Erik Goldoff
IT Consultant
Systems, Networks, Security
'Security is an ongoing process, not a one time event!'


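Erik's route-based suggestion (a 0.0.0.0 route through the tunnel, just like the 10.60.1.0 route) with the two details that decide whether it takes effect, as an added example that is not from the thread. First, ScreenOS chooses between routes to the same prefix by preference and then metric; a second default route added with the defaults ties with the existing ISP default, the existing one stays active, and the logged deny keeps showing traffic leaving via the ISP. Second, the IKE and ESP packets to the peer are routed like any other traffic, so once 0.0.0.0/0 points at tunnel.1 the peer itself needs a more specific route out of the physical interface; otherwise the tunnel's own packets are sent into the tunnel and it collapses. In Paul's bench setup both outside interfaces share a subnet, so the connected route covers the peer and that symptom only appears once the remote SSG is really remote. The outside interface name ethernet0/0, the ISP gateway 203.0.113.1, the peer 198.51.100.1, the Site B LAN 192.168.1.0/24, the VPN object name and the metrics are assumptions; tunnel.1 and the gateway name to_siteA are from the thread.

```screenos
## Site B SSG, ScreenOS 6.3 -- route-based full tunnel. Added example; the
## interface names, addresses, VPN name and metrics are assumptions.

## Tunnel interface in the Untrust zone, borrowing the outside address
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

## Route-based VPN to Site A (Chapter 4 style), bound to tunnel.1
set ike gateway "to_siteA" address 198.51.100.1 main outgoing-interface ethernet0/0 preshare "REPLACE-ME" sec-level standard
set vpn "to_siteA_vpn" gateway "to_siteA" sec-level standard
set vpn "to_siteA_vpn" bind interface tunnel.1
## Non-Juniper peer: the proxy-ID must cover Internet destinations, not only
## 10.60.1.0/24, or the SA that comes up carries LAN-to-LAN traffic only.
set vpn "to_siteA_vpn" proxy-id local-ip 192.168.1.0/24 remote-ip 0.0.0.0/0 any
## VPN monitor takes tunnel.1 down when the peer stops answering, so the
## tunnel route below goes inactive instead of blackholing traffic.
set vpn "to_siteA_vpn" monitor rekey

## 1. Host route for the peer itself via the ISP (prevents recursive routing).
set route 198.51.100.1/32 interface ethernet0/0 gateway 203.0.113.1
## 2. Default via the tunnel with a better (lower) metric than the ISP default.
##    Both static routes keep the default preference (20); metric breaks the tie.
set route 0.0.0.0/0 interface tunnel.1 metric 1
## 3. ISP default demoted. If it was created with
##    "set interface ethernet0/0 gateway 203.0.113.1", unset that first, or
##    the original route keeps its metric and stays active.
unset interface ethernet0/0 gateway
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1 metric 10
## Leave the metric-10 route out entirely if Internet access must fail
## closed when the tunnel is down instead of bypassing the main firewall.

## Policy: tunnel.1 is in Untrust, so Trust->Untrust governs tunnelled traffic.
set address trust "siteB-lan" 192.168.1.0 255.255.255.0
set policy id 20 from trust to untrust "siteB-lan" any any permit log
set policy id 99 from trust to untrust any any any deny log

## Checks
get route                   # active 0.0.0.0/0 (marked *) must be tunnel.1, Mtr 1
get route ip 8.8.8.8        # any Internet address must resolve to tunnel.1
get route ip 198.51.100.1   # the peer must still resolve to ethernet0/0
get sa                      # Phase 2 with remote selector 0.0.0.0/0
```

Site A side: the non-Juniper peer needs the mirror Phase 2 selector (0.0.0.0/0 to 192.168.1.0/24), a route for 192.168.1.0/24 back into its tunnel, and a rule that permits 192.168.1.0/24 to the Internet with source NAT; without all three the SA comes up for LAN-to-LAN traffic and Internet-bound packets are dropped at the hub. The metric-10 ISP route is a deliberate fail-open choice; if the point of the design is that every Internet flow from Site B passes the main firewall, leave it out and accept that Site B loses Internet access while the tunnel is down.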
RE: Juniper VPN Tunnel Query

2010-09-17 Thread Paul Hutchings
Fair point, so I added a route for 0.0.0.0/0 to use tunnel.1, but it
didn't work; the logging on the deny-all rule shows the requests for
0.0.0.0 are still going out (or trying to) via the SSG directly.