
[ScreenOS] How to perform source translation using only one DIP IP for different VPN locations

Article ID: KB21498 | KB Last Updated: 29 Jun 2019 | Version: 2.0
Summary:

This article describes how to perform source translation using only one DIP IP for different VPN locations.

Symptoms:

Environment:

  1. Performing source translation using only one DIP IP for the different VPN locations.

  2. The same DIP IP cannot be configured on multiple tunnel interfaces.

  3. The remote VPN locations require the traffic to come from a specific IP address.

Solution:

This can be achieved by configuring a loopback interface as the outgoing interface for the VPNs, configuring the DIP on that loopback interface, and then adding the tunnel interfaces to the loopback interface's loopback group, so that all tunnels share the single DIP.

Execute the following procedure to perform source translation, using only one DIP IP for different VPN locations:

  1. Create a loopback interface; this loopback interface will be the outgoing interface of the VPN:

    set interface "loopback.2" zone "Untrust"
    set interface loopback.2 ip 172.27.201.180/30
  2. Configure DIP on the loopback interface:

    set interface loopback.2 ext ip 10.10.20.1 255.255.255.252 dip 4 10.10.20.1 10.10.20.1

  3. Configure the tunnel interfaces and add them to the loopback interface's loopback group:

    set interface "tunnel.1" zone "Untrust"
    set interface "tunnel.2" zone "Untrust"
    set interface tunnel.1 ip unnumbered interface loopback.2
    set interface tunnel.2 ip unnumbered interface loopback.2
    set interface "ethernet0/2" loopback-group "loopback.2"
    set interface "tunnel.1" loopback-group "loopback.2"
    set interface "tunnel.2" loopback-group "loopback.2"

  4. Configure the IKE gateways, the VPNs bound to the tunnel interfaces, and the tunnel routes:

    set ike gateway "172.27.201.132" address 172.27.201.132 Main outgoing-interface "loopback.2" preshare "/ZS7c96YNB3FLNsHRbCb5NRMF6nrEdNaow==" sec-level standard
    set ike gateway "172.27.201.140" address 172.27.201.140 Main outgoing-interface "loopback.2" preshare "T23zCgd8Nylip0sr7nCXuDppQ5nobCaErg==" sec-level standard

    set vpn "172.27.201.132" gateway "172.27.201.132" no-replay tunnel idletime 0 proposal "g2-esp-des-sha" "g2-esp-aes128-sha"
    set vpn "172.27.201.132" id 0x7 bind interface tunnel.1
    set vpn "172.27.201.140" gateway "172.27.201.140" no-replay tunnel idletime 0 proposal "g2-esp-des-sha" "g2-esp-aes128-sha"
    set vpn "172.27.201.140" id 0x8 bind interface tunnel.2

    set route 10.10.10.1/30 interface tunnel.1
    set route 11.11.11.1/30 interface tunnel.2

  5. Configure the policies that allow the traffic, selecting the DIP in the outbound policy:

    set policy id 1 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src dip-id 4 permit log

    set policy id 2 from "Untrust" to "Trust" "Any-IPv4" "Any-IPv4" "ANY" permit log

    The following output of "debug flow basic" and "debug dip all" shows ICMP traffic destined for two different locations; both flows are translated to the same DIP address (10.10.20.1), differing only in the translated port.

    ****** 342480.0: <Trust/loopback.1> packet received [128]******
    ipid = 45619(b233), @02702464
    self:1.1.1.1/60296->10.10.10.1/1024,1(8/0)<Root>
    flow_decap_vector IPv4 process
    loopback.1:1.1.1.1/60296->10.10.10.1/1024,1(8/0)<Root>
    no session found
    flow_first_sanity_check: in <loopback.1>, out <tunnel.1>
    chose interface loopback.1 as incoming nat if.
    flow_first_routing: in <loopback.1>, out <tunnel.1>
    search route to (loopback.1, 1.1.1.1->10.10.10.1) in vr trust-vr for vsd-0/flag-0/ifp-null
    [ Dest] 8.route 10.10.10.1->10.10.10.1, to tunnel.1
    routed (x_dst_ip 10.10.10.1) from loopback.1 (loopback.1 in 0) to tunnel.1
    policy search from zone 2-> zone 1
    policy_flow_search policy search nat_crt from zone 2-> zone 1
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.10.10.1, port 27817, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 1/0/0x9
    Permitted by policy 1
    ## 2011-07-17 00:16:00 : ifp tunnel.1 is in loopback ifp loopback.2
    Get DIP [Root][loopback.2](4): host(1.1.1.1), port(0), ifp_ip(172.27.201.180), desired(0.0.0.0)
    --Got Port-xlate DIP [Root][loopback.2](4): dip 10.10.20.1/1044
    dip id = 4, 1.1.1.1/60296->10.10.20.1/1044
    NHTB entry search not found: vpn none tif tunnel.1 nexthop 11.11.11.1


    ****** 342471.0: <Trust/loopback.1> packet received [128]******
    ipid = 35540(8ad4), @02700f14
    self:1.1.1.1/59496->11.11.11.1/1024,1(8/0)<Root>
    flow_decap_vector IPv4 process
    loopback.1:1.1.1.1/59496->11.11.11.1/1024,1(8/0)<Root>
    no session found
    flow_first_sanity_check: in <loopback.1>, out <tunnel.2>
    chose interface loopback.1 as incoming nat if.
    flow_first_routing: in <loopback.1>, out <tunnel.2>
    search route to (loopback.1, 1.1.1.1->11.11.11.1) in vr trust-vr for vsd-0/flag-0/ifp-null
    [ Dest] 9.route 11.11.11.1->11.11.11.1, to tunnel.2
    routed (x_dst_ip 11.11.11.1) from loopback.1 (loopback.1 in 0) to tunnel.2
    policy search from zone 2-> zone 1
    policy_flow_search policy search nat_crt from zone 2-> zone 1
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 11.11.11.1, port 28617, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 1/0/0x9
    Permitted by policy 1
    ## 2011-07-17 00:15:51 : ifp tunnel.2 is in loopback ifp loopback.2

    Get DIP [Root][loopback.2](4): host(1.1.1.1), port(0), ifp_ip(172.27.201.180), desired(0.0.0.0)
    --Got Port-xlate DIP [Root][loopback.2](4): dip 10.10.20.1/1043
    dip id = 4, 1.1.1.1/59496->10.10.20.1/1043
    NHTB entry search not found: vpn none tif tunnel.2 nexthop 11.11.11.1
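
As an added example (not part of the original article), the following Python script parses debug output of the shape shown above and checks that every flow, whichever tunnel it left through, was translated to the single DIP on loopback.2. The function names parse_flows and single_dip_ok and the trimmed sample lines are constructed here for illustration.

```python
import re

# Constructed sample shaped like the "debug flow basic" / "debug dip all" output above: two ICMP flows from 1.1.1.1 to the two VPN locations.
SAMPLE_DEBUG = """\
****** 342480.0: <Trust/loopback.1> packet received [128]******
self:1.1.1.1/60296->10.10.10.1/1024,1(8/0)<Root>
flow_first_routing: in <loopback.1>, out <tunnel.1>
## 2011-07-17 00:16:00 : ifp tunnel.1 is in loopback ifp loopback.2
--Got Port-xlate DIP [Root][loopback.2](4): dip 10.10.20.1/1044
dip id = 4, 1.1.1.1/60296->10.10.20.1/1044
****** 342471.0: <Trust/loopback.1> packet received [128]******
self:1.1.1.1/59496->11.11.11.1/1024,1(8/0)<Root>
flow_first_routing: in <loopback.1>, out <tunnel.2>
## 2011-07-17 00:15:51 : ifp tunnel.2 is in loopback ifp loopback.2
--Got Port-xlate DIP [Root][loopback.2](4): dip 10.10.20.1/1043
dip id = 4, 1.1.1.1/59496->10.10.20.1/1043
"""

IPP = r"(\d+\.\d+\.\d+\.\d+)/(\d+)"                    # one "ip/port" pair
RE_SELF = re.compile(r"^self:" + IPP + "->" + IPP)     # pre-NAT src->dst
RE_OUT = re.compile(r"flow_first_routing: in <[^>]+>, out <([^>]+)>")
RE_LOOP = re.compile(r"ifp (\S+) is in loopback ifp (\S+)")
RE_DIP = re.compile(r"^dip id = (\d+), " + IPP + "->" + IPP)  # post-NAT

def parse_flows(text):
    """One dict per packet block: original dst, egress tunnel, loopback group,
    DIP id and the translated source IP/port chosen from that DIP pool."""
    flows = []
    for block in re.split(r"^\*{6} .* packet received .*$", text, flags=re.M)[1:]:
        f = dict.fromkeys(("orig_dst", "out_if", "loopback", "dip_id",
                           "xlate_src", "xlate_port"))
        for line in (l.strip() for l in block.splitlines()):
            if m := RE_SELF.match(line):
                f["orig_dst"] = m.group(3)
            elif m := RE_OUT.search(line):
                f["out_if"] = m.group(1)
            elif m := RE_LOOP.search(line):
                f["loopback"] = m.group(2)
            elif m := RE_DIP.match(line):
                f["dip_id"], f["xlate_src"] = int(m.group(1)), m.group(4)
                f["xlate_port"] = int(m.group(5))
        flows.append(f)
    return flows

def single_dip_ok(flows, dip_id, dip_ip, loopback):
    """True when every flow left via a tunnel in the expected loopback group and
    was translated to the one DIP address (only the port differs per flow)."""
    return bool(flows) and all(
        f["loopback"] == loopback and f["dip_id"] == dip_id
        and f["xlate_src"] == dip_ip for f in flows)
```

Run it against a capture of your own debug session to confirm that flows to each VPN location report the same translated source address and the expected DIP id.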

Modification History:

2019-06-28: Article reviewed for accuracy. No changes made. Article is correct and complete.
