Fair point, so I added a route for 0.0.0.0/0 to use tunnel.1, but it didn't work; the logging on the deny-all rule shows the requests for 0.0.0.0 are still going out (or trying to) via the SSG directly.
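An added illustration of why a second 0.0.0.0/0 route can look as if it does nothing (example code written for this page, not from the thread, Juniper, or the ScreenOS documentation): a longest-prefix-match lookup over a Site B route table, run once with the tunnel default route ranked below the ISP default and once with it ranked above, plus a host route for the VPN peer's public address so the encrypted packets themselves still leave via the physical interface. The tie-break order (preference before metric), the interface name ethernet0/0, and all public addresses are assumptions; 10.60.1.0/24 and tunnel.1 come from the thread.

```python
# Added example, not from the thread: longest-prefix-match lookup over a
# Site B route table built from constructed documentation-range addresses.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None
    preference: int = 20   # assumption: routes are compared by preference first,
    metric: int = 1        # then by metric; lower wins in both cases

def route(prefix, interface, gateway=None, preference=20, metric=1):
    return Route(ipaddress.ip_network(prefix), interface, gateway, preference, metric)

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; ties go to lowest preference, then lowest metric.
    Any remaining tie falls to table order, which a real box may resolve differently."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.preference, r.metric))

def egress(table: List[Route], dst: str) -> Optional[str]:
    r = lookup(table, dst)
    return r.interface if r else None

ISP_GW = "203.0.113.1"    # constructed: Site B's router to the ISP
PEER = "198.51.100.10"    # constructed: public address of the Site A VPN gateway

# Just adding 0.0.0.0/0 -> tunnel.1 with a worse metric changes nothing:
# the ISP default still wins, so Internet traffic leaves via the SSG directly.
naive_table = [
    route("10.60.1.0/24", "tunnel.1"),                     # main office over the VPN
    route("0.0.0.0/0", "ethernet0/0", ISP_GW, metric=1),   # existing ISP default
    route("0.0.0.0/0", "tunnel.1", metric=10),             # new route, loses the tie-break
]

# Tunnel default now out-ranks the ISP default; the /32 host route keeps the
# encrypted packets to the peer on the physical interface instead of letting
# them match the tunnel default route themselves.
fixed_table = [
    route("10.60.1.0/24", "tunnel.1"),
    route(PEER + "/32", "ethernet0/0", ISP_GW),
    route("0.0.0.0/0", "tunnel.1", metric=1),
    route("0.0.0.0/0", "ethernet0/0", ISP_GW, metric=10),  # fallback if the tunnel drops
]
```

Calling egress(naive_table, "192.0.2.10") returns "ethernet0/0" while egress(fixed_table, "192.0.2.10") returns "tunnel.1"; the deny-all log line in the message above is the on-box equivalent of the first result.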
From: Erik Goldoff [mailto:[email protected]]
Sent: 17 September 2010 15:23
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

OK, just making sure you had local access to the Juniper ... I'd suggest actually trying the route-based VPN on 0.0.0.0 rather than assuming the metric would mess it up. I'll still be here if you try and it fails; you can say you told me so, but IMNSHO it's at least worth a try.

Erik Goldoff
IT Consultant
Systems, Networks, & Security
' Security is an ongoing process, not a one time event ! '

From: Paul Hutchings [mailto:[email protected]]
Sent: Friday, September 17, 2010 10:11 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

The "site" is on my desk; for testing I'm using a firewall in our DMZ for the remote site, so the external NICs on each firewall are on the same switch/subnet.

From: Erik Goldoff [mailto:[email protected]]
Sent: 17 September 2010 14:51
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

Are you at the remote 192.168.x.x site?

Erik Goldoff
IT Consultant
Systems, Networks, & Security
' Security is an ongoing process, not a one time event ! '

From: Paul Hutchings [mailto:[email protected]]
Sent: Friday, September 17, 2010 9:33 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

I'm assuming it won't work because of the metrics?

From: Erik Goldoff [mailto:[email protected]]
Sent: 17 September 2010 14:25
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

I apologize for not knowing the 6.x version documentation; I've been stuck on the NS-5GT devices with most of my clients, and the latest there is 5.3, I think. What happens if you attempt to set up a route-based VPN for the route 0.0.0.0, just like for the 10.60.1.0 route to the main office?

Erik Goldoff
IT Consultant
Systems, Networks, & Security
' Security is an ongoing process, not a one time event ! '

From: Paul Hutchings [mailto:[email protected]]
Sent: Friday, September 17, 2010 9:16 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

In Juniper terms it's set up as a route-based VPN exactly as per Chapter 4 of the VPN PDF for ScreenOS 6.3. The other end isn't a Juniper, but I don't think that's the issue. On the Juniper, if I put a default deny rule at the bottom of the policy list, with logging, I can see that Internet requests are trying to go out via the Juniper's default gateway rather than through the tunnel.

From: Erik Goldoff [mailto:[email protected]]
Sent: 17 September 2010 14:12
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

But otherwise the VPN tunnel works to access the main site from the remote site??? How is the original VPN rule set up?

Erik Goldoff
IT Consultant
Systems, Networks, & Security
' Security is an ongoing process, not a one time event ! '

From: Paul Hutchings [mailto:[email protected]]
Sent: Friday, September 17, 2010 8:46 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

It won't let me create that policy - the GUI just comes up with a cryptic message: "peer to_siteA have vpn with tunnel interface binding, vpn invalid or not exist"?!

From: Erik Goldoff [mailto:[email protected]]
Sent: 17 September 2010 12:58
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

OK, apologies, coffee just kicking in here, quite a few hours earlier than where you are. Possibly a better method using the Juniper policies: in your Trust to Untrust, or Trust to Global, policies create an ANY-ANY-ANY-TUNNEL (Source, Destination, Service, Action) using the tunnel created between sites. For any device on the remote subnet that needs direct access, create a policy with ANY-ANY-ANY-Permit and place it above this any-any-any-tunnel rule.

Erik Goldoff
IT Consultant
Systems, Networks, & Security
' Security is an ongoing process, not a one time event ! '

From: Paul Hutchings [mailto:[email protected]]
Sent: Friday, September 17, 2010 7:16 AM
To: NT System Admin Issues
Subject: Juniper VPN Tunnel Query

I'm testing a VPN tunnel between what will be two sites. I have the tunnel working just fine between Site A and Site B using a route-based VPN; however, what I want to do is configure it so that in Site B any traffic for 0.0.0.0 goes over the tunnel, so it goes out to the Internet via our main firewall/Internet connection. I'm struggling a little on how to configure the Juniper (an SSG running ScreenOS 6.3.x) to do this, as its default gateway for 0.0.0.0 is of course the router to the ISP.

Thanks.

________________________________
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
