Screen OS

  • 1.  Route based VPNs or Policy based VPNs....Which one is better?

    Posted 07-26-2009 21:00

    Can someone help me in deciding which VPN should I use?


    SSG20 Netscreen Firewall/VPN.


    Cheers !

  • 2.  RE: Route based VPNs or Policy based VPNs....Which one is better?

    Posted 07-26-2009 21:35

    In my very humble opinion I would suggest a route based over a policy based.


    Route based VPNs have been around for a long, long time on the NetScreen platform. Policy based are newer (considered mature but still newer) and more flexible.


    With that said I found route based VPNs easier to troubleshoot, and more stable when compared to a policy based VPN. Unless you *had* to use a policy based VPN I would say just stick with the route based.


    I would be interested in hearing someone's reasoning for using a policy based VPN unless it's to fit some odd requirement.


    -Tim Eberhard

  • 3.  RE: Route based VPNs or Policy based VPNs....Which one is better?

    Posted 07-27-2009 00:56

    Route-based VPN is a better choice if you want to conserve tunnel resources in the appliance. For instance, if you create several policies pointing to the same VPN tunnel, each policy will create an IPSec security association (SA) with the remote peer, and each of those counts as an individual VPN tunnel. With route-based it's possible to have several policies referencing the same VPN tunnel, and only one SA with the remote peer will exist.


    On the other hand, with route-based you can create policies with the Deny action (with policy-based the action is tunnel and the permit is implied).


    Another advantage that route-based VPNs offer is the exchange of dynamic routing information through VPN tunnels. You can enable an instance of a dynamic routing protocol, such as Border Gateway Protocol (BGP), on a tunnel interface that is bound to a VPN tunnel. The local routing instance exchanges routing information through the tunnel with a neighbor enabled on a tunnel interface bound to the other end.


    Finally, route-based has the following advantages for dial-up VPNs:


    - You can bind its tunnel interface to any zone to require or not require policy enforcement.
    - You can define routes to force traffic through the tunnel, unlike a policy-based VPN configuration.
    - A route-based VPN tunnel simplifies the addition of a spoke to a hub-and-spoke configuration.
    - You can adjust the proxy ID to accept any IP address from the dialup VPN client by configuring the remote client's address as
    - You can define one or more mapped IP (MIP) addresses on the tunnel interface.


    All this information appears in more depth in the Configuration Guide.
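To make the SA point above concrete, here is an added ScreenOS configuration fragment, written for this edit rather than taken from the thread or from Juniper's guides. It contrasts two policies referencing one policy-based VPN (each negotiating its own Phase 2 SA) with the same VPN bound to a tunnel interface (one SA, routes steer the traffic, and a deny rule becomes possible). The names `gw-syd` and `vpn-syd`, the RFC 5737 documentation addresses, the 10.x LANs and the `ethernet0/0` uplink are constructed; lines starting with `#` are annotations, not CLI input.

```screenos
# Policy-based form: policies reference the VPN with action "tunnel".
# Each such policy negotiates its own Phase 2 SA with the peer (the proxy-ID
# is derived from the policy), so two policies here mean two SAs/tunnels.
set ike gateway gw-syd address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard
set vpn vpn-syd gateway gw-syd sec-level standard
set policy id 1 from Trust to Untrust 10.1.0.0/16 10.2.10.0/24 ANY tunnel vpn vpn-syd
set policy id 2 from Trust to Untrust 10.1.0.0/16 10.2.20.0/24 ANY tunnel vpn vpn-syd

# Route-based form: the same VPN object bound to a tunnel interface.
# Routes decide what enters the tunnel; the policies are ordinary permit/deny
# rules between zones, so one SA (any/any proxy-ID) serves all of them and a
# deny rule for part of the remote network is possible.
unset policy id 1
unset policy id 2
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set vpn vpn-syd bind interface tunnel.1
set vpn vpn-syd proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
set route 10.2.10.0/24 interface tunnel.1
set route 10.2.20.0/24 interface tunnel.1
# Created before the permit, so it sits above it in the policy list.
set policy id 3 from Trust to Untrust 10.1.0.0/16 10.2.20.0/24 TELNET deny
set policy id 4 from Trust to Untrust 10.1.0.0/16 10.2.0.0/16 ANY permit
set policy id 5 from Untrust to Trust 10.2.0.0/16 10.1.0.0/16 ANY permit
```

Both ends must agree on the proxy-ID, so the Sydney side needs the mirror-image any/any proxy-ID once it is bound to its own tunnel interface; `get sa` on either box then lists a single active Phase 2 SA for the pair instead of one per policy.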



  • 4.  RE: Route based VPNs or Policy based VPNs....Which one is better?
    Best Answer

    Posted 07-27-2009 07:10

    Just to add to what has already been posted.


    Here are a couple other resources that explain the difference:


    VPN Process Wizard Step - Route-based or Policy-based?


    ScreenOS Concepts & Examples Guide - VPNS

    Page 75 -Route-based & Policy-based Tunnels




  • 5.  RE: Route based VPNs or Policy based VPNs....Which one is better?

    Posted 07-27-2009 20:27

    Thanks to all for your replies. It really helped my understanding.


    Josine, your links are really helpful. The first link has something that I want to do, but before that I would like to explain our current settings and what we want to achieve. If any one of you has any suggestions then please let me know.




    Site-to-Site VPNs

    4 states, and each state has got an SSG20 firewall/VPN installed.
    2 states have got 2 ISPs and the other 2 states have got only 1 ISP.

    Site 1 - Melbourne

    Netscreen firewall = melb-ssg
    ISP1 = melb-isp1 = 203.x.y.z
    ISP2 = melb-isp2 = 60.x.y.z
    Cisco Switch = melb-ciscosw

    melb-ssg-eth3: = melb-ciscosw-gi0/1

    Site 2 - Sydney

    Netscreen firewall = syd-ssg
    ISP1 = syd-isp1 = 203.a.b.c
    ISP2 = syd-isp2 = 60.a.b.c
    Cisco Switch = syd-ciscosw

    syd-ssg-eth0 = syd-isp1
    syd-ssg-eth1 = syd-isp2
    syd-ssg-eth3: = syd-ciscosw-gi0/1

    Site 3 - Brisbane

    Netscreen firewall = bris-ssg
    ISP1 = bris-isp1 = 60.d.e.f
    Cisco Switch = bris-ciscosw

    bris-ssg-eth0 = bris-isp1
    bris-ssg-eth3: = bris-ciscosw-gi0/1

    Site 4 - Perth

    Netscreen firewall = perth-ssg
    ISP1 = perth-isp1 = 206.g.h.i
    Cisco Switch = perth-ciscosw

    perth-ssg-eth0 = perth-isp1
    perth-ssg-eth3: = perth-ciscosw-gi0/1

    Current VPN Tunnel Interfaces
    Site 1 - Melbourne
    melb-ssg-eth0 = 203.x.y.z
    melb-ssg-eth1 = 60.x.y.z

    Site 2 - Sydney
    syd-ssg-eth0 = 203.a.b.c
    syd-ssg-eth1 = 60.a.b.c

    Site 3 - Brisbane
    bris-ssg-eth0 = 60.d.e.f

    Site 4 - Perth
    perth-ssg-eth0 = 206.g.h.i

    Current VPN Gateways
    Site 1 - Melbourne

    melb-isp1<>syd-isp1-gw = 203.a.b.c = tunnel.1
    melb-isp1<>syd-isp2-gw = 60.a.b.c = tunnel.2
    melb-isp1<>bris-isp1-gw = 60.d.e.f = tunnel.3
    melb-isp1<>perth-isp1-gw = 206.g.h.i = tunnel.4
    melb-isp2<>syd-isp1-gw = 203.a.b.c = tunnel.5
    melb-isp2<>syd-isp2-gw = 60.a.b.c = tunnel.6
    melb-isp2<>bris-isp1-gw = 60.d.e.f = tunnel.7
    melb-isp2<>perth-isp1-gw = 206.g.h.i = tunnel.8

    Site 2 - Sydney

    syd-isp1<>melb-isp1-gw = 203.x.y.z = tunnel.1
    syd-isp1<>melb-isp2-gw = 60.x.y.z = tunnel.2
    syd-isp1<>bris-isp1-gw = 60.d.e.f = tunnel.3
    syd-isp1<>perth-isp1-gw = 206.g.h.i = tunnel.4
    syd-isp2<>melb-isp1-gw = 203.x.y.z = tunnel.5
    syd-isp2<>melb-isp2-gw = 60.x.y.z = tunnel.6
    syd-isp2<>bris-isp1-gw = 60.d.e.f = tunnel.7
    syd-isp2<>perth-isp1-gw = 206.g.h.i = tunnel.8

    Site 3 - Brisbane

    bris-isp1<>melb-isp1-gw = 203.x.y.z = tunnel.1
    bris-isp1<>melb-isp2-gw = 60.x.y.z = tunnel.2
    bris-isp1<>syd-isp1-gw = 203.a.b.c = tunnel.3
    bris-isp1<>syd-isp2-gw = 60.a.b.c = tunnel.4
    bris-isp1<>perth-isp1-gw = 206.g.h.i = tunnel.5

    Site 4 - Perth

    perth-isp1<>melb-isp1-gw = 203.x.y.z = tunnel.1
    perth-isp1<>melb-isp2-gw = 60.x.y.z = tunnel.2
    perth-isp1<>syd-isp1-gw = 203.a.b.c = tunnel.3
    perth-isp1<>syd-isp2-gw = 60.a.b.c = tunnel.4
    perth-isp1<>bris-isp1-gw = 60.d.e.f = tunnel.5

    Current VPNs
    Site 1 - Melbourne

    melb1<>syd1 ------------- tunnel.1
    melb1<>syd2 ------------- tunnel.2
    melb1<>bris1 ------------- tunnel.3
    melb1<>perth1 ------------- tunnel.4
    melb2<>syd1 ------------- tunnel.5
    melb2<>syd2 ------------- tunnel.6
    melb2<>bris1 ------------- tunnel.7
    melb2<>perth1 ------------- tunnel.8

    Site 2 - Sydney

    syd1<>melb1 ------------- tunnel.1
    syd1<>melb2 ------------- tunnel.2
    syd1<>bris1 ------------- tunnel.3
    syd1<>perth1 ------------- tunnel.4
    syd2<>melb1 ------------- tunnel.5
    syd2<>melb2 ------------- tunnel.6
    syd2<>bris1 ------------- tunnel.7
    syd2<>perth1 ------------- tunnel.8

    Site 3 - Brisbane

    bris1<>melb1 ------------- tunnel.1
    bris1<>melb2 ------------- tunnel.2
    bris1<>syd1 ------------- tunnel.3
    bris1<>syd2 ------------- tunnel.4
    bris1<>perth1 ------------- tunnel.5

    Site 4 - Perth

    perth1<>melb1 ------------- tunnel.1
    perth1<>melb2 ------------- tunnel.2
    perth1<>syd1 ------------- tunnel.3
    perth1<>syd2 ------------- tunnel.4
    perth1<>bris1 ------------- tunnel.5

    New Business Rules for network
    * Devices should be connected to each other via site-to-site VPN, i.e. a mesh.
    * VPN administrative overhead should be lower, i.e. fewer VPN tunnels, or only one tunnel for each state but with proper routing.
    * The devices with 2 ISPs should use both ISPs simultaneously for traffic load-balancing, so that if one ISP dies the VPN can still be active.
    * VPN monitoring: if a VPN is inactive then it should send an email.
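For the requirements listed above (fewer tunnels, both ISPs usable so that losing one keeps the VPN up, and monitoring that results in an email), here is an added ScreenOS sketch for the Melbourne box toward Sydney. It is not from the thread or from Juniper documentation. It assumes ISP1 on `ethernet0/0`, ISP2 on `ethernet0/1`, the LAN on `ethernet0/3` with 10.1.0.0/16, 10.2.0.0/16 as the Sydney LAN, documentation-range public addresses, and that VPN-monitor state changes are logged at the level the mail alert picks up on the running release. Lines starting with `#` are annotations, not CLI input.

```screenos
# Melbourne SSG20 toward Sydney (constructed). ISP1 on ethernet0/0, ISP2 on
# ethernet0/1, LAN on ethernet0/3 with 10.1.0.0/16; Sydney LAN is 10.2.0.0/16.
# A ScreenOS VPN object has one IKE gateway and that gateway one
# outgoing-interface, so two uplinks means two tunnel interfaces that carry
# the same route, not one tunnel interface bound to both ISPs.

# Tunnel over ISP1 (Sydney peer 203.0.113.10)
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway gw-syd-isp1 address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard
set vpn vpn-syd-isp1 gateway gw-syd-isp1 sec-level standard
set vpn vpn-syd-isp1 bind interface tunnel.1
set vpn vpn-syd-isp1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
# VPN monitor sends ICMP from the LAN interface, through the tunnel, to a
# Sydney LAN host; if the probes fail the SA is cleared and tunnel.1 goes
# down, which withdraws its route. "rekey" keeps the tunnel up with no user
# traffic, so a dead peer is noticed before anyone complains.
set vpn vpn-syd-isp1 monitor source-interface ethernet0/3 destination-ip 10.2.0.1 rekey

# Tunnel over ISP2 (Sydney peer 198.51.100.10)
set interface tunnel.2 zone Untrust
set interface tunnel.2 ip unnumbered interface ethernet0/1
set ike gateway gw-syd-isp2 address 198.51.100.10 main outgoing-interface ethernet0/1 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard
set vpn vpn-syd-isp2 gateway gw-syd-isp2 sec-level standard
set vpn vpn-syd-isp2 bind interface tunnel.2
set vpn vpn-syd-isp2 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
set vpn vpn-syd-isp2 monitor source-interface ethernet0/3 destination-ip 10.2.0.1 rekey

# Active/standby: same prefix twice with different metrics. tunnel.1 carries
# traffic while its monitor says up; tunnel.2 takes over when it goes down.
set route 10.2.0.0/16 interface tunnel.1 metric 10
set route 10.2.0.0/16 interface tunnel.2 metric 20
# Active/active instead: give both routes the same metric and allow ECMP.
# set vrouter trust-vr max-ecmp-routes 2

# One policy pair covers both tunnels because both interfaces sit in Untrust.
set policy id 10 from Trust to Untrust 10.1.0.0/16 10.2.0.0/16 ANY permit
set policy id 11 from Untrust to Trust 10.2.0.0/16 10.1.0.0/16 ANY permit

# Email notification of alarm-level events (assumed to include VPN monitor
# up/down transitions; mail relay and recipient are constructed values).
set admin mail alert
set admin mail server-name 192.0.2.25
set admin mail mail-addr1 noc@example.com
```

Repeat the pair for each peer state; a single-ISP peer such as Brisbane gets one tunnel from each Melbourne uplink. `get vpn` and `get interface tunnel.1` show whether the monitor is holding each tunnel up, and `get route` shows which copy of the 10.2.0.0/16 route is currently active.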


  • 6.  RE: Route based VPNs or Policy based VPNs....Which one is better?

    Posted 07-27-2009 23:15

    It seems that I have put everyone in doubt as I have not received any reply so far. If my question is long enough to answer then can anyone tell me how I can use 2 ISPs as one tunnel interface, i.e. bind ISP 1 (firewall ETH0) and ISP 2 (firewall ETH1) to tunnel.1?



    Thanks !