SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

VPN Site-to-Site with multiple subnets

  • 1.  VPN Site-to-Site with multiple subnets

    Posted 01-09-2019 23:25

    Hi All,

     

    We are connecting to our remote office via a site-to-site VPN tunnel.

    It is working properly without any problem.

     

    Right now, the local office wants to access another subnet on the remote office.

    I configured the setting by using Proxy identity.

     

    existing VPN

    192.168.96.0/20  (NS)  ----VPN----  (SRX)  192.168.0.0/20

    New 

    192.168.96.0/20  (NS)  ----VPN----  (SRX)   172.16.24.128/25

     

    However, after applying the new setting, only one VPN can be up at a time.

    Could someone let me know how to make both up?

     

    Cheers,

    Kay



  • 2.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-09-2019 23:29

    You can use traffic-selector to configure multiple subnets. Please refer to the below-mentioned KB for more details:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28820

     



  • 3.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-09-2019 23:35

    Hi Nellikka,

     

    In this KB, I found the following setting.

    traffic-selector t1 {
        local-ip 10.1.0.0/16;
        remote-ip 192.168.1.0/24;
    }
    traffic-selector t2 {
        local-ip 10.2.0.0/16;
        remote-ip 192.168.2.0/24;
    }

    Will it work if I add the setting below?

    traffic-selector t3 {
        local-ip 10.2.0.0/16;
        remote-ip 192.168.1.0/24;
    }

     

    Thanks,

    Kay



  • 4.  RE: VPN Site-to-Site with multiple subnets

     
    Posted 01-09-2019 23:48

    Hi Kay,

     

    Please share the SRX-side VPN config for clarity. You have configured the mentioned Proxy-IDs (2 nos) on the Netscreen side, correct?

     

    Regards,

     

    Vikas



  • 5.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-09-2019 23:48

    It should work, and you can add multiple traffic selectors. But ensure that the same mirrored traffic selectors/proxy IDs are configured on the remote side.

     



  • 6.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-10-2019 00:11

    Hi all,

     

    Only the SRX has proxy ID enabled.

    The NS is using policy-based VPN without proxy ID enabled.

     

    Regards,

    Kay



  • 7.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-10-2019 00:19

    Hi All,

     

    This is the SRX setting

     

    set security ipsec vpn LCY-HKG-Tu0 bind-interface st0.0
    set security ipsec vpn LCY-HKG-Tu0 ike gateway LCY-HKG-P1
    set security ipsec vpn LCY-HKG-Tu0 ike proxy-identity local 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 ike proxy-identity remote 192.168.96.0/20
    set security ipsec vpn LCY-HKG-Tu0 ike ipsec-policy LCY-HKG-P2
    set security ipsec vpn LCY-HKG-Tu0 establish-tunnels immediately

     

    set security ipsec vpn LCY-HKG-Tu1 bind-interface st0.1
    set security ipsec vpn LCY-HKG-Tu1 ike gateway LCY-HKG-P1
    set security ipsec vpn LCY-HKG-Tu1 ike proxy-identity local 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu1 ike proxy-identity remote 10.0.0.0/24
    set security ipsec vpn LCY-HKG-Tu1 ike proxy-identity service any
    set security ipsec vpn LCY-HKG-Tu1 ike ipsec-policy LCY-HKG-P2
    set security ipsec vpn LCY-HKG-Tu1 establish-tunnels immediately

     

    set security ipsec vpn LCY-HKG-Tu2 bind-interface st0.2
    set security ipsec vpn LCY-HKG-Tu2 ike gateway LCY-HKG-P1
    set security ipsec vpn LCY-HKG-Tu2 ike proxy-identity local 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu2 ike proxy-identity remote 172.16.0.0/24
    set security ipsec vpn LCY-HKG-Tu2 ike proxy-identity service any
    set security ipsec vpn LCY-HKG-Tu2 ike ipsec-policy LCY-HKG-P2
    set security ipsec vpn LCY-HKG-Tu2 establish-tunnels immediately

     

    set security ipsec vpn LCY-HKG-Tu3 bind-interface st0.3
    set security ipsec vpn LCY-HKG-Tu3 ike gateway LCY-HKG-P1
    set security ipsec vpn LCY-HKG-Tu3 ike proxy-identity local 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu3 ike proxy-identity remote 172.18.0.0/24
    set security ipsec vpn LCY-HKG-Tu3 ike proxy-identity service any
    set security ipsec vpn LCY-HKG-Tu3 ike ipsec-policy LCY-HKG-P2
    set security ipsec vpn LCY-HKG-Tu3 establish-tunnels immediately

     

    set security ipsec vpn LCY-HKG-Tu4 bind-interface st0.4
    set security ipsec vpn LCY-HKG-Tu4 ike gateway LCY-HKG-P1
    set security ipsec vpn LCY-HKG-Tu4 ike proxy-identity local 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu4 ike proxy-identity remote 172.19.0.0/24
    set security ipsec vpn LCY-HKG-Tu4 ike proxy-identity service any
    set security ipsec vpn LCY-HKG-Tu4 ike ipsec-policy LCY-HKG-P2
    set security ipsec vpn LCY-HKG-Tu4 establish-tunnels immediately

     

    set security ipsec vpn LCY-HKG-Tu5 bind-interface st0.5
    set security ipsec vpn LCY-HKG-Tu5 ike gateway LCY-HKG-P1
    set security ipsec vpn LCY-HKG-Tu5 ike proxy-identity local 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu5 ike proxy-identity remote 192.168.121.0/24
    set security ipsec vpn LCY-HKG-Tu5 ike proxy-identity service any
    set security ipsec vpn LCY-HKG-Tu5 ike ipsec-policy LCY-HKG-P2
    set security ipsec vpn LCY-HKG-Tu5 establish-tunnels immediately

     

    set security ipsec vpn LCY-HKG-Tu6 bind-interface st0.6
    set security ipsec vpn LCY-HKG-Tu6 ike gateway LCY-HKG-P1
    set security ipsec vpn LCY-HKG-Tu6 ike proxy-identity local 172.16.24.128/25
    set security ipsec vpn LCY-HKG-Tu6 ike proxy-identity remote 192.168.96.0/20
    set security ipsec vpn LCY-HKG-Tu6 ike proxy-identity service any
    set security ipsec vpn LCY-HKG-Tu6 ike ipsec-policy LCY-HKG-P2

     

    set routing-options static route 192.168.96.0/20 next-hop st0.0
    set routing-options static route 10.0.0.0/24 next-hop st0.1
    set routing-options static route 172.16.0.0/24 next-hop st0.2
    set routing-options static route 172.18.0.0/24 next-hop st0.3
    set routing-options static route 172.19.0.0/24 next-hop st0.4
    set routing-options static route 192.168.121.0/24 next-hop st0.5



  • 8.  RE: VPN Site-to-Site with multiple subnets

     
    Posted 01-10-2019 00:22
    Hi Kay,

    If you are using Proxy ID on the SRX, add another proxy ID for the new destination. I think you have already done this.

    On the Netscreen side you would need two policies associated with the same VPN. Since the proxy ID is automatically picked up from the policy, the source address, destination address and application mentioned in the policy should match the proxy ID on the SRX side.

    Best Regards,

    Vikas


  • 9.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-10-2019 00:34

    If I don't use proxy ID on the SRX and use the following setting.

    Do I need to make changes on Netscreen?

     

     

    set security ipsec vpn LCY-HKG-Tu0 bind-interface st0.0
    set security ipsec vpn LCY-HKG-Tu0 ike gateway LCY-HKG-P1
    set security ipsec vpn LCY-HKG-Tu0 ike ipsec-policy LCY-HKG-P2
    set security ipsec vpn LCY-HKG-Tu0 establish-tunnels immediately

     

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t0 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t0 remote-ip 192.168.96.0/20

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t1 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t1 remote-ip 10.0.0.0/24

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t2 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t2 remote-ip 172.16.0.0/24

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t3 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t3 remote-ip 172.18.0.0/24

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t4 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t4 remote-ip 172.19.0.0/24

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t5 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t5 remote-ip 192.168.121.0/24

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t6 local-ip 172.16.24.128/25
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t6 remote-ip 192.168.96.0/20

     



  • 10.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-10-2019 01:09

    Yes, you have to make changes on Netscreen to include additional subnets you added in SRX.

     

     

     



  • 11.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-10-2019 01:17

    Hi Nellikka,

     

    Those subnets are already in Netscreen policies (Tunnel Mode).

    Any other changes on Netscreen?

     

    Thanks,

    Kay



  • 12.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-10-2019 01:31

    Still not working? Could you share "show security ipsec security-associations vpn-name LCY-HKG-Tu0 detail"? Hope this is the only VPN configured for the remote and that the others like LCY-HKG-Tu1, 2, 3, etc. were removed.

     



  • 13.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-10-2019 22:15

    When I applied the config, the attached error logs came out.

    Attachment(s): Log.txt (1 KB), Config.txt (4 KB)


  • 14.  RE: VPN Site-to-Site with multiple subnets
    Best Answer

    Posted 01-11-2019 01:03

    Please apply the below-mentioned config and let us know the status:

     

    delete routing-options static route 192.168.96.0/20 next-hop st0.0
    delete routing-options static route 10.0.0.0/24 next-hop st0.1
    delete routing-options static route 172.16.0.0/24 next-hop st0.2
    delete routing-options static route 172.18.0.0/24 next-hop st0.3
    delete routing-options static route 172.19.0.0/24 next-hop st0.4
    delete routing-options static route 192.168.121.0/24 next-hop st0.5

    delete security ipsec vpn LCY-HKG-Tu0 ike proxy-identity

    delete security ipsec vpn LCY-HKG-Tu1
    delete security ipsec vpn LCY-HKG-Tu2
    delete security ipsec vpn LCY-HKG-Tu3
    delete security ipsec vpn LCY-HKG-Tu4
    delete security ipsec vpn LCY-HKG-Tu5
    delete security ipsec vpn LCY-HKG-Tu6

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t0 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t0 remote-ip 192.168.96.0/20

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t1 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t1 remote-ip 10.0.0.0/24

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t2 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t2 remote-ip 172.16.0.0/24

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t3 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t3 remote-ip 172.18.0.0/24

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t4 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t4 remote-ip 172.19.0.0/24

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t5 local-ip 192.168.0.0/20
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t5 remote-ip 192.168.121.0/24

    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t6 local-ip 172.16.24.128/25
    set security ipsec vpn LCY-HKG-Tu0 traffic-selector t6 remote-ip 192.168.96.0/20
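
Posts 5 and 8 say the remote side needs a mirrored proxy ID for every traffic selector on the SRX. The following check is an added example, not part of any post in this thread and not Juniper tooling: it parses `set ... traffic-selector` lines and compares them with the source/destination pairs of the peer's tunnel policies. The peer policy list, the function names and the exact-prefix comparison are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: excerpt of the SRX traffic-selector lines from the thread.
SRX_CONFIG = """
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t0 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t0 remote-ip 192.168.96.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t1 local-ip 192.168.0.0/20
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t1 remote-ip 10.0.0.0/24
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t6 local-ip 172.16.24.128/25
set security ipsec vpn LCY-HKG-Tu0 traffic-selector t6 remote-ip 192.168.96.0/20
"""

# Constructed, hypothetical peer data: (source, destination) of each tunnel
# policy on the policy-based peer, which derives its proxy IDs from them.
PEER_POLICIES = [
    ("192.168.96.0/20", "192.168.0.0/20"),
    ("192.168.96.0/20", "172.16.24.128/25"),
    ("172.16.0.0/24", "192.168.0.0/20"),
]

TS_RE = re.compile(
    r"^set security ipsec vpn (\S+) traffic-selector (\S+) (local-ip|remote-ip) (\S+)$")

def parse_selectors(config):
    """Return {(vpn, selector): {'local-ip': network, 'remote-ip': network}}."""
    selectors = {}
    for line in config.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            vpn, name, side, prefix = m.groups()
            selectors.setdefault((vpn, name), {})[side] = ipaddress.ip_network(prefix)
    return selectors

def check_mirror(selectors, peer_policies):
    """Match each selector to a peer policy with source/destination swapped."""
    peer = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in peer_policies}
    report = {"matched": [], "missing_on_peer": [], "incomplete": []}
    for (vpn, name), ts in sorted(selectors.items()):
        if set(ts) != {"local-ip", "remote-ip"}:
            report["incomplete"].append(name)  # one side of the selector is unset
            continue
        mirror = (ts["remote-ip"], ts["local-ip"])  # how the peer sees this selector
        key = "matched" if mirror in peer else "missing_on_peer"
        report[key].append(name)
        peer.discard(mirror)
    # Peer policies left over have no selector on the SRX side.
    report["missing_on_srx"] = sorted(f"{s} -> {d}" for s, d in peer)
    return report
```

With the sample data, `check_mirror(parse_selectors(SRX_CONFIG), PEER_POLICIES)` reports `t1` as missing on the peer and the `172.16.0.0/24` policy as having no selector on the SRX.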

     



  • 15.  RE: VPN Site-to-Site with multiple subnets

    Posted 01-15-2019 17:31

    Hi Nellikka,

     

    It works. Thanks for your advice and solution.

     

    Regards,

    Kay