
Is a policy needed for a Route-Based VPN? (KB ID: KB6551)

Article ID: KB6551
Former Article ID: nskb4979
Published: Jan 27, 2007
Last Modified: Jan 27, 2007
Visible By: Employee, PTAC, Partner, Customer, Public


Article URL

http://kb.juniper.net/KB6551

Synopsis

How to determine if a policy is needed for a Route-Based VPN.

Problem

Environment:

  • Route-Based VPN tunnel.
  • Is a policy required? If so, between which zones should the policy be applied?

Symptoms & Errors:

  • Traffic is allowed even though my policy is set to deny

Solution

Question: Is a policy needed for a Route-Based VPN?

Answer: A policy may or may not be needed, depending on the zone to which the tunnel interface is bound.

When a policy is needed:

A route-based VPN requires a policy if the user traffic originates in, or arrives at, a security zone different from the one to which the tunnel interface is bound.

Example:
If the tunnel interface is bound to the Untrust zone, and the VPN traffic involves a user in the Trust zone, a policy is needed from the Trust zone to the Untrust zone.

When a policy is not needed:

If the user traffic originates in, or arrives at, the same security zone to which the tunnel interface is bound, no access policy is needed.

Example:
If the tunnel interface is bound to the Trust zone, and the VPN traffic involves a user in the Trust zone, a policy is not needed.

Example:

The zone to which the tunnel interface is bound determines how the policy should be created. If the tunnel is bound to the Trust zone, an intra-zone policy (Trust to Trust) can be used. If the tunnel is bound to the Untrust zone or a custom zone, the policy is from Trust to Untrust or from Trust to [custom zone name].

The action used in the policy is either Permit or Deny, not Tunnel. The Tunnel action is used only when configuring policy-based VPNs.
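The following ScreenOS configuration is an added illustration of the "policy needed" case above, not taken from this KB article or from KB9514: the tunnel interface is bound to the Untrust zone, so traffic from Trust-zone users needs a Trust-to-Untrust policy with a Permit action. All interface names, gateway and VPN names, addresses and the pre-shared key are constructed placeholders, and the lines beginning with "#" are annotations rather than CLI input.

```screenos
# Tunnel interface bound to the Untrust zone, borrowing the address of
# the outgoing interface (ethernet3 is assumed to be the Untrust interface)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

# Phase 1 gateway and Phase 2 VPN (peer address and key are placeholders)
set ike gateway gw-branch address 203.0.113.2 main outgoing-interface ethernet3 preshare "REPLACE_ME" sec-level standard
set vpn vpn-branch gateway gw-branch sec-level standard
# Binding the VPN to the tunnel interface is what makes it route-based
set vpn vpn-branch bind interface tunnel.1

# Route the remote LAN into the tunnel interface
set route 10.20.0.0/24 interface tunnel.1

# Address objects for the local (Trust) and remote (Untrust) networks
set address trust "lan-hq" 10.10.0.0 255.255.255.0
set address untrust "lan-branch" 10.20.0.0 255.255.255.0

# Users are in Trust and the tunnel is bound to Untrust: an inter-zone
# policy is required. The action is permit, never tunnel.
set policy from trust to untrust "lan-hq" "lan-branch" any permit
# Return direction, for sessions initiated from the branch side
set policy from untrust to trust "lan-branch" "lan-hq" any permit

# Contrast ("policy not needed" case): binding the tunnel to Trust instead
# would make the same traffic intra-zone, and the two policies above would
# not be required.
# set interface tunnel.1 zone trust
```

A Trust-to-Untrust deny policy written in the same form is what the "Symptoms" case expects to see enforced; the deny only applies when the tunnel interface is in Untrust, because a tunnel bound to Trust never crosses that zone boundary.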

For a configuration example, consult: KB9514 - How to configure a policy for a route-based VPN

For more information regarding the packet flow sequence, consult the Concepts & Examples Guide, Vol. 2, Fundamentals, for your ScreenOS version.

Category Description

By Product » Hardware » Firewalls
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems
By Product » Software » Network Operating Systems » ScreenOS Software
By Network Technology » IP Protocols » Tunneling Protocols » IPSec

Purpose

Troubleshooting
