LAN to LAN VPN between two Juniper firewalls in Transparent mode


Summary:
VPN terminates at the Juniper firewall in Transparent mode.
How to configure a Virtual Private Network (VPN) between two Juniper firewalls in Transparent mode.

Problem or Goal:
How is a VPN configured between two Juniper firewalls in Transparent mode?
This example is based on a VPN between two SSG140s running ScreenOS 5.4.0r8.0; the same configuration is also valid on ScreenOS 5.x and 6.x.



Assumptions:

The firewalls at Site A and Site B are in Transparent mode and connected to the Internet.
The internal network behind the Site A firewall is 1.1.1.0 255.255.255.0. The Internet router is at 1.1.1.1, and the VLAN1 IP of the firewall is 1.1.1.50.
The internal network behind the Site B firewall is 1.1.2.0 255.255.255.0. The Internet router is at 1.1.2.1, and the VLAN1 IP of the firewall is 1.1.2.50.
Phase 1 (P1) and Phase 2 (P2) both use the "standard" security level, the Phase 1 preshared key is "netscreen", and Replay Protection is disabled.


Solution:
The steps are documented below.

Note that when the Virtual Private Network (VPN) tunnel terminates on a pair of Juniper firewalls in Transparent mode, each side's IKE gateway (security gateway) must point to the IP address of the peer firewall's VLAN1 interface.
Additionally, a Transparent mode Juniper firewall needs a static route in order to reach the remote IPSec gateway.



Site A Configuration details:
--------------------------------------

Define address objects



WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from the pull-down menu and click New
Enter the following and click OK
  •   Address Name: lan-B
  •   IP Address/Netmask: 1.1.2.0/24

Choose V1-Trust from the pull-down menu and click New
Enter the following and click OK
  •   Address Name: lan-A
  •   IP Address/Netmask: 1.1.1.0/24


CLI:
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24



Define IKE gateway (Phase 1)



WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter the following and click OK
  •   Gateway Name: toB
  •   Security Level: Standard
  •   Static IP Address: 1.1.2.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard



Define IPSec VPN (Phase 2)



WEBUI:
Select VPNs > Autokey IKE and click New
Enter the following and click OK
  •   VPN Name: toB
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toB

CLI:
set vpn toB gateway toB sec-level standard



Define policy



WEBUI:
Select Policies, choose the following zones, then click New
  •   From: V1-Trust
  •   To: V1-Untrust
Enter the following and click OK
  •   Source Address: Address Book Entry, lan-A
  •   Destination Address: Address Book Entry, lan-B
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toB
  •   Modify matching bidirectional VPN policy: check

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000



Define static route



WEBUI:
Select Network > Routing > Destination, then click New
Enter the following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.1.1
 
CLI:
set route 0.0.0.0/0 gateway 1.1.1.1

 


Site B Configuration details:
--------------------------------------

Define address objects



WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from the pull-down menu and click New
Enter the following and click OK
  •   Address Name: lan-A
  •   IP Address/Netmask: 1.1.1.0/24

Choose V1-Trust from the pull-down menu and click New
Enter the following and click OK
  •   Address Name: lan-B
  •   IP Address/Netmask: 1.1.2.0/24

CLI:
set address v1-trust lan-B 1.1.2.0/24
set address v1-untrust lan-A 1.1.1.0/24



Define IKE gateway (Phase 1)



WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter the following and click OK
  •   Gateway Name: toA
  •   Security Level: Standard
  •   Static IP Address: 1.1.1.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard


Define IPSec VPN (Phase 2)



WEBUI:
Select VPNs > Autokey IKE and click New
Enter the following and click OK
  •   VPN Name: toA
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toA

CLI:
set vpn toA gateway toA sec-level standard


Define policy



WEBUI:
Select Policies, choose the following zones, then click New
  •   From: V1-Trust
  •   To: V1-Untrust

Enter the following and click OK

  •   Source Address: Address Book Entry, lan-B
  •   Destination Address: Address Book Entry, lan-A
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toA
  •   Modify matching bidirectional VPN policy: check

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000



Define static route



WEBUI:
Select Network > Routing > Destination, then click New
Enter the following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.2.1
CLI:
set route 0.0.0.0/0 gateway 1.1.2.1
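The following Python script is an added example, not Juniper's code and not part of the original article. It parses the Site A and Site B CLI lines above (only the `set` forms used in this article) and checks the points the article makes: each IKE gateway address is the peer firewall's VLAN1 IP, the static route covers that peer, every address object a tunnel policy references is defined in the zone the policy uses it in (ScreenOS address objects are per-zone, so a mismatch is rejected when the policy is entered), and every tunnel policy at one site has a source/destination-swapped twin at the other. The two site configurations are constructed from the article; the "mis-zoned" variant is a constructed mistake that shows the zone check firing.

```python
"""Consistency checks for a ScreenOS Transparent-mode LAN-to-LAN VPN.

Added example, not Juniper's code. It parses the 'set' lines of both
sites (the forms used in this article only) and verifies that:
  * each IKE gateway address is the peer firewall's VLAN1 IP,
  * a route on the firewall covers that peer address,
  * every address object a tunnel policy references is defined in the
    zone the policy uses it in (ScreenOS address objects are per-zone),
  * each tunnel policy at one site is mirrored (src/dst swapped) at the other.
"""
import ipaddress

# Constructed samples: the Site A and Site B CLI sections from the article.
SITE_A = """
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard
set vpn toB gateway toB sec-level standard
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000
set route 0.0.0.0/0 gateway 1.1.1.1
"""
SITE_B = """
set address v1-trust lan-B 1.1.2.0/24
set address v1-untrust lan-A 1.1.1.0/24
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard
set vpn toA gateway toA sec-level standard
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000
set route 0.0.0.0/0 gateway 1.1.2.1
"""
# Constructed mistake: lan-A created in V1-Trust although the policies use it in V1-Untrust.
SITE_B_MISZONED = SITE_B.replace("set address v1-untrust lan-A", "set address v1-trust lan-A")


def parse(config):
    """Turn the article's 'set' lines into a small dict model of one site."""
    cfg = {"addresses": {}, "gateways": {}, "vpns": {}, "policies": [], "routes": []}
    for line in config.strip().splitlines():
        p = line.split()
        if p[:2] == ["set", "address"]:          # set address ZONE NAME PREFIX
            cfg["addresses"][p[3]] = (p[2].lower(), ipaddress.ip_network(p[4]))
        elif p[:3] == ["set", "ike", "gateway"]:  # set ike gateway NAME address IP ... outgoing-zone Z ...
            cfg["gateways"][p[3]] = {"peer": ipaddress.ip_address(p[p.index("address") + 1]),
                                     "zone": p[p.index("outgoing-zone") + 1].lower()}
        elif p[:2] == ["set", "vpn"]:             # set vpn NAME gateway GW ...
            cfg["vpns"][p[2]] = p[p.index("gateway") + 1]
        elif p[:2] == ["set", "policy"]:          # set policy id N from Z1 to Z2 SRC DST SVC tunnel vpn V ...
            i = p.index("from")
            cfg["policies"].append({"id": int(p[3]), "from": p[i + 1].lower(), "to": p[i + 3].lower(),
                                    "src": p[i + 4], "dst": p[i + 5], "service": p[i + 6],
                                    "vpn": p[p.index("vpn") + 1] if "tunnel" in p else None})
        elif p[:2] == ["set", "route"]:           # set route PREFIX gateway IP
            cfg["routes"].append((ipaddress.ip_network(p[2]), ipaddress.ip_address(p[p.index("gateway") + 1])))
    return cfg


def check_site(cfg, peer_vlan1_ip):
    """Per-site checks; returns a list of human-readable findings (empty = consistent)."""
    findings = []
    peer = ipaddress.ip_address(peer_vlan1_ip)
    for name, gw in cfg["gateways"].items():
        if gw["peer"] != peer:
            findings.append(f"gateway {name}: address {gw['peer']} is not the remote VLAN1 IP {peer}")
        if not any(gw["peer"] in net for net, _ in cfg["routes"]):
            findings.append(f"gateway {name}: no route covers peer {gw['peer']}")
    for pol in cfg["policies"]:
        if pol["vpn"] is None:
            continue
        if pol["vpn"] not in cfg["vpns"]:
            findings.append(f"policy {pol['id']}: VPN {pol['vpn']} is undefined")
        elif cfg["vpns"][pol["vpn"]] not in cfg["gateways"]:
            findings.append(f"policy {pol['id']}: VPN {pol['vpn']} references an undefined gateway")
        for role, zone in (("src", pol["from"]), ("dst", pol["to"])):
            obj = cfg["addresses"].get(pol[role])
            if obj is None:
                findings.append(f"policy {pol['id']}: address object {pol[role]} is undefined")
            elif obj[0] != zone:
                findings.append(f"policy {pol['id']}: {pol[role]} is defined in {obj[0]} "
                                f"but the policy uses it in {zone}")
    return findings


def check_pair(cfg_a, cfg_b):
    """Cross-site check: every tunnel policy at A has a src/dst-swapped twin at B."""
    def nets(cfg, pol):
        return (cfg["addresses"][pol["src"]][1], cfg["addresses"][pol["dst"]][1])
    mirrored = {nets(cfg_b, q)[::-1] for q in cfg_b["policies"] if q["vpn"]}
    return [f"policy {q['id']} at A ({nets(cfg_a, q)[0]} -> {nets(cfg_a, q)[1]}) has no mirror at B"
            for q in cfg_a["policies"] if q["vpn"] and nets(cfg_a, q) not in mirrored]


if __name__ == "__main__":
    a, b = parse(SITE_A), parse(SITE_B)
    print("site A:", check_site(a, "1.1.2.50") or "ok")
    print("site B:", check_site(b, "1.1.1.50") or "ok")
    print("pair:  ", check_pair(a, b) or "ok")
    print("mis-zoned site B:", *check_site(parse(SITE_B_MISZONED), "1.1.1.50"), sep="\n  ")
```

Run it before pasting the CLI into the firewalls: the two article configurations come back clean, the mis-zoned variant reports both policies that reference lan-A in V1-Untrust, and swapping a gateway address for anything other than the peer's VLAN1 IP is reported on the gateway line rather than surfacing later as a Phase 1 that never completes.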

 


Note: Technical Documentation

A Transparent mode VPN example is also included in the Technical Documentation:

Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks

Chapter 4 -- Site-to-Site Virtual Private Networks
"Transparent Mode VPN" Example

ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf
ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v5.pdf

Purpose:
Troubleshooting

Related Links:
