Comments on: Juniper: Create a policy based VPN tunnel between two sites for NetScreen devices http://insanelabs.com/networking/juniper-create-a-policy-based-vpn-tunnel-between-two-sites-for-netscreen-devices/ Umm... Unorthodox? Tue, 24 Jan 2012 15:56:39 +0000 hourly 1 http://wordpress.org/?v= By: Stena http://insanelabs.com/networking/juniper-create-a-policy-based-vpn-tunnel-between-two-sites-for-netscreen-devices/comment-page-1/#comment-3696 Stena Fri, 21 Oct 2011 05:05:21 +0000 http://insanelabs.com/?p=305#comment-3696 Ali, perfect. Thanks. Internet Explorer 8.0 Windows 7 Windows 7
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; EasyBits GO v1.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; Tablet PC 2.0)

Ali, perfect. Thanks.

]]> By: Ali http://insanelabs.com/networking/juniper-create-a-policy-based-vpn-tunnel-between-two-sites-for-netscreen-devices/comment-page-1/#comment-3694 Ali Thu, 20 Oct 2011 14:33:49 +0000 http://insanelabs.com/?p=305#comment-3694 Creating a tunnel from a subnet to subnet doesn't necessarily mean you will have access to every computer or service on the other side. In a policy based tunnel you will have to create a policy after a tunnel is created to allow access from one side to the other. Therefore, you can have the provider's IT limit their policy to allow your subnet access to those IP's only instead of creating a two way any-any policy. There might be other ways of doing that but this is what I would recommend. As far as multiple IP's, you can either create three policies or add the IP's in Policy Elements, then select Multiple when you are creating the policy. Firefox 7.0.1 Windows 7 x64 Edition Windows 7 x64 Edition
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

Creating a tunnel from a subnet to subnet doesn’t necessarily mean you will have access to every computer or service on the other side. In a policy based tunnel you will have to create a policy after a tunnel is created to allow access from one side to the other. Therefore, you can have the provider’s IT limit their policy to allow your subnet access to those IP’s only instead of creating a two way any-any policy. There might be other ways of doing that but this is what I would recommend.

As far as multiple IP’s, you can either create three policies or add the IP’s in Policy Elements, then select Multiple when you are creating the policy.

]]> By: Stena http://insanelabs.com/networking/juniper-create-a-policy-based-vpn-tunnel-between-two-sites-for-netscreen-devices/comment-page-1/#comment-3693 Stena Thu, 20 Oct 2011 09:03:27 +0000 http://insanelabs.com/?p=305#comment-3693 Ali, I need you expert advise. I have to connect my office site with a service providers site over site to site ipsec vpn tunnel. I'm using juniper ssg5. Now the service provider is not giving me access to their subnet but to specific host ip's within their network eg.192.168.4, 192.168.1.9 and 192.168.1.11. So how do i configure these remote ip details in the AUTOKE IKE screen of the Pase 2 proposal because on that screen it allows you to enter only 1 remote ip /netmask ? Internet Explorer 8.0 Windows 7 Windows 7
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; EasyBits GO v1.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; Tablet PC 2.0)

Ali,

I need you expert advise. I have to connect my office site with a service providers site over site to site ipsec vpn tunnel. I’m using juniper ssg5. Now the service provider is not giving me access to their subnet but to specific host ip’s within their network eg.192.168.4, 192.168.1.9 and 192.168.1.11.

So how do i configure these remote ip details in the AUTOKE IKE screen of the Pase 2 proposal because on that screen it allows you to enter only 1 remote ip /netmask ?

]]> By: tbde http://insanelabs.com/networking/juniper-create-a-policy-based-vpn-tunnel-between-two-sites-for-netscreen-devices/comment-page-1/#comment-3684 tbde Thu, 08 Sep 2011 08:39:13 +0000 http://insanelabs.com/?p=305#comment-3684 Just to add more flesh to my earlier post, Site-to-Site VPN is Route-Based (configured on router A btw internet interface in untrust zone and remote peer device; Dialup VPN is Policy-Based and the remote clients have access to all resources on the LAN but as earlier indicated, do not have access to resources on LAN B. Firefox 6.0.2 Windows Vista Windows Vista
Mozilla/5.0 (Windows NT 6.0; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

Just to add more flesh to my earlier post,
Site-to-Site VPN is Route-Based (configured on router A btw internet interface in untrust zone and remote peer device; Dialup VPN is Policy-Based and the remote clients have access to all resources on the LAN but as earlier indicated, do not have access to resources on LAN B.

]]> By: tbde http://insanelabs.com/networking/juniper-create-a-policy-based-vpn-tunnel-between-two-sites-for-netscreen-devices/comment-page-1/#comment-3683 tbde Thu, 08 Sep 2011 05:23:01 +0000 http://insanelabs.com/?p=305#comment-3683 Hi Ali, Am a newbie to the Juniper world and my enquiry is similar to one raisd by Murtuza. Forgive if I missed the answer. Site-to-Site IPSEC VPN exists between LAN (router)A and LAN (router)B. Client VPNs terminate on router A but have no connection to LAN B. Appreciate your help Firefox 6.0.2 Windows Vista Windows Vista
Mozilla/5.0 (Windows NT 6.0; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

Hi Ali,

Am a newbie to the Juniper world and my enquiry is similar to one raisd by Murtuza. Forgive if I missed the answer. Site-to-Site IPSEC VPN exists between LAN (router)A and LAN (router)B. Client VPNs terminate on router A but have no connection to LAN B. Appreciate your help

]]>