LAN to LAN VPN between two Juniper firewalls in Transparent mode 업무이야기/Juniper 2012.02.20 16:19

LAN to LAN VPN between two Juniper firewalls in Transparent mode

Summary:
VPN terminates at the Juniper firewall in Transparent mode.
How to configure a Virtual Private Network (VPN) between two Juniper firewalls in Transparent mode.

Problem or Goal:
How is a VPN configured between two Juniper firewalls in Transparent mode?
This example will be based on a VPN between two SSG140s, using ScreenOS 5.4.0r8.0; however, this config is valid with ScreenOS 5.x and 6.x.



Assumptions:

Firewall at Site A and Site B are in Transparent mode and connected to the Internet.
Internal network on the Firewall at Site A is 1.1.1.0 255.255.255.0. The Internet router is at 1.1.1.1, and the VLAN1 IP of the firewall is 1.1.1.50
Internal network on the Firewall at Site B is 1.1.2.0 255.255.255.0. The internet router is at 1.1.2.1, and the VLAN1 IP of the firewall is 1.1.2.50
Assuming both P1 and P2 are using "standard" security level, the Preshare key for P1 is "netscreen", and Replay Protection is disabled.


Solution:
The steps are documented below.

Note that when the Virtual Private Network (VPN) tunnel uses a pair of Juniper firewalls in Transparent mode as the termination point, the security gateway needs to point to the IP address of the peer's VLAN1 interface.
Additionally, the Transparent mode Juniper firewall needs a static route to reach the remote IPSec gateway.



Site A Configuration details:
--------------------------------------

Define address objects



WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK

    * Address Name: lan-B
    * IP Address/Netmask: 1.1.2.0/24

Choose V1-Trust from pull-down menu and click New
Enter following and click OK

    * Address Name: lan-A
    * IP address/Netmask: 1.1.1.0/24


CLI:
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24



Define IKE gateway (Phase 1)



WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
  •   Gateway Name: toB
  •   Security Level: Standard
  •   Static IP Address: 1.1.2.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard



Define IPSec VPN (Phase 2)



WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
  •   VPN Name: toB
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toB

CLI:
set vpn toB gateway toB sec-level standard



Define policy



WEBUI:
Select Policies and following, then click New
  •   From: V1-Trust
  •   To: V1 Untrust
Enter following and click OK
  •   Source Address: Address Book Entry, lan-A
  •   Destination Address: Address Boot Entry, lan-B
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toB
  •   Modify matching bidirectional VPN policy: check 

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000



Define static route



WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.1.1
 
CLI:
set route 0.0.0.0/0 gateway 1.1.1.1

 


Site B Configuration details:
--------------------------------------

Define address objects



WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK
  •     Address Name: lan-A
  •     IP Address/Netmask: 1.1.1.0/24
Choose V1-Trust from pull-down menu and click New
Enter following and click OK
  •     Address Name: lan-B
  •     IP address/Netmask: 1.1.2.0/24

CLI:
set address v1-trust lan-B 1.1.2.0/24
set address v1-trust lan-A 1.1.1.0/24



Define IKE gateway (Phase1)



WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
  •   Gateway Name: toA
  •   Security Level: Standard
  •   Static IP Address: 1.1.1.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard


Define IPSec VPN (Phase 2)



WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
  •   VPN Name: toA
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toA

CLI:
set vpn toA gateway toA sec-level standard


Define policy



WEBUI:
Select Policies and following, then click New
  •   From: V1-Trust
  •   To: V1-Untrust

Enter following and click OK

  •   Source Address: Address Book Entry, lan-B
  •   Destination Address: Address Boot Entry, lan-A
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toA
  •   Modify matching bidirectional VPN policy: check 

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000



Define static route



WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.2.1
CLI:
set route 0.0.0.0/0 gateway 1.1.2.1

 


Note: Technical Documentation

A Transparent mode VPN example is also included in the Technical Documentation:

ScreenOS  Concepts & Examples ScreenOS Reference Guide, Volume 5:  Virtual Private Networks

Chapter 4 -- Site-to-Site Virtual Private Networks
“Transparent Mode VPN” Example

ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf 
ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v5.pdf

Purpose:
Troubleshooting

Related Links:

저작자표시비영리변경금지

'업무이야기 > Juniper' 카테고리의 다른 글

Juniper 인터넷 2회선을 이용한 Load Balancing  (0) 2012.02.21
Juniper Virtual Router Basic Configuration  (0) 2012.02.21
LAN to LAN VPN between two Juniper firewalls in Transparent mode  (0) 2012.02.20
Juniper Firewall ALG  (0) 2012.02.20
Juniper EX-series Switch Password Recovery  (0) 2012.02.17
Juniper Firewall DHCP Server Configuration  (0) 2012.01.27
L2 mode, LAN to LAN VPN between two Juniper firewalls in Transparent mode
트랙백11 , 댓글0
Juniper Firewall Transparent mode config (Example) 업무이야기/Juniper 2011.11.04 09:58

Management
set interface vlan1 ip 1.1.1.1/24
set interface vlan1 manage web
set interface vlan1 manage telnet
set interface vlan1 manage ssh
set interface vlan1 manage ping

Interfaces
set interface ethernet0/1 ip 0.0.0.0/0
set interface ethernet0/1 zone v1-trust
set interface ethernet0/3 ip 0.0.0.0/0
set interface ethernet0/3 zone v1-untrust

V1-Trust Zone
set zone v1-trust manage web
set zone v1-trust manage telnet
set zone v1-trust manage ping

Addresses
set address v1-trust FTP_Server 1.1.1.5/32
set address v1-trust Mail_Server 1.1.1.10/32

Route
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 1.1.1.250 metric 1

Policies
set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any Mail_Server mail permit
set policy from v1-untrust to v1-trust any FTP_Server ftp-get permit

저작자표시비영리변경금지

'업무이야기 > Juniper' 카테고리의 다른 글

방화벽-VPN_UTM운영자메뉴얼  (0) 2012.01.12
NSRP Monitor Track IP Configuration Examples  (0) 2011.11.17
Juniper Firewall Transparent mode config (Example)  (0) 2011.11.04
Juniper Firewall TroubleShooting Command  (0) 2011.11.04
Juniper ISG Series Integrated Security Gateways  (0) 2011.09.27
Juniper Netscreen 204...  (0) 2011.08.19
Juniper Firewall Transparent mode config (Example), L2 mode, Transparent mode
트랙백35 , 댓글0