
[ScreenOS] Example Configuration - Route Based Redundant VPNs using NHTB


Article ID: KB31835   KB Last Updated: 27 Jun 2017   Version: 1.0
Summary:

This article provides an example of how to create a route-based LAN-to-LAN VPN using pre-shared secrets with next-hop tunnel binding (NHTB) on a hub running ScreenOS 6.3.

Solution:

Environment

This example assumes that static IP addresses are assigned to all the VPN devices of the VPN tunnel.
The tunnel interfaces are created in the Trust zone.
The pre-shared secret used is Netscreen.
The following matrix displays the IP addresses and proposals that are used for this example:

Site                     A (Hub)            B (Spoke-1)        C (Spoke-2)
Untrust IP of Firewall   1.1.1.1/30         2.2.2.2/30         3.3.3.3/30
Trust Network            10.1.1.0/24        10.2.1.0/24        10.2.1.0/24
Tunnel Interface         192.168.1.1/24     192.168.2.1/24     192.168.3.1/24
Phase 1 Proposal         pre-g2-3des-sha    pre-g2-3des-sha    pre-g2-3des-sha
Phase 2 Proposal         g2-esp-3des-sha    g2-esp-3des-sha    g2-esp-3des-sha

Diagram


CLI

Site A:

  1. Create tunnel interface

    • set int tun.1 zone trust

    • set int tun.1 ip 192.168.1.1/24

  2. Set Gateway

    • set ike gateway "spoke-1" address 2.2.2.2 outgoing-interface e0/0 preshare netscreen proposal pre-g2-3des-sha

    • set ike gateway "spoke-2" address 3.3.3.3 outgoing-interface e0/0 preshare netscreen proposal pre-g2-3des-sha

  3. Set Autokey Ike

    • set vpn "vpn1" gateway "spoke-1" no-replay tunnel idletime 0 sec-level standard

    • set vpn "vpn1" monitor optimized rekey

    • set vpn "vpn1" id 0x1 bind interface tunnel.1

    • set interface tunnel.1 nhtb 192.168.2.1 vpn "vpn1"

    • set vpn "vpn2" gateway "spoke-2" no-replay tunnel idletime 0 sec-level standard

    • set vpn "vpn2" monitor optimized rekey

    • set vpn "vpn2" id 0x2 bind interface tunnel.1

    • set interface tunnel.1 nhtb 192.168.3.1 vpn "vpn2"

  4. Create static route

    • set route 10.2.1.0/24 interface tunnel.1 gateway 192.168.2.1 preference 1

    • set route 10.2.1.0/24 interface tunnel.1 gateway 192.168.3.1 preference 2
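
To show why the hub needs the NHTB entries alongside its two routes, the following Python model (added here; not part of this KB article or of ScreenOS) parses the Site A NHTB and route lines above, selects the VPN for a destination by looking up the route's gateway in the NHTB table, and skips a route whose VPN monitor has marked the VPN down so the preference-2 path takes over. The selection rule is a simplified assumption about ScreenOS route/NHTB behaviour, not a reproduction of the firmware.

```python
"""Model of hub-side VPN selection with NHTB (added illustration, not from the KB)."""
import ipaddress
import re

# Hub (Site A) NHTB and route commands copied from the article above.
HUB_CONFIG = """
set interface tunnel.1 nhtb 192.168.2.1 vpn "vpn1"
set interface tunnel.1 nhtb 192.168.3.1 vpn "vpn2"
set route 10.2.1.0/24 interface tunnel.1 gateway 192.168.2.1 preference 1
set route 10.2.1.0/24 interface tunnel.1 gateway 192.168.3.1 preference 2
"""

NHTB_RE = re.compile(r'^set interface (\S+) nhtb (\S+) vpn "([^"]+)"$')
ROUTE_RE = re.compile(r'^set route (\S+) interface (\S+) gateway (\S+) preference (\d+)$')


def parse_config(text):
    """Return (nhtb, routes). nhtb maps (interface, next-hop) -> VPN name;
    routes is a list of (prefix, interface, next-hop, preference)."""
    nhtb, routes = {}, []
    for line in text.strip().splitlines():
        if m := NHTB_RE.match(line):
            nhtb[(m[1], m[2])] = m[3]
        elif m := ROUTE_RE.match(line):
            routes.append((ipaddress.ip_network(m[1]), m[2], m[3], int(m[4])))
    return nhtb, routes


def select_vpn(dst, nhtb, routes, down_vpns=frozenset()):
    """Pick the VPN carrying traffic to `dst` (assumed rule: longest prefix,
    then lowest preference). A route is unusable if its next hop has no NHTB
    entry (no SA to bind to) or if VPN monitoring reports that VPN as down."""
    ip = ipaddress.ip_address(dst)
    candidates = []
    for prefix, iface, gw, pref in routes:
        if ip not in prefix:
            continue
        vpn = nhtb.get((iface, gw))  # next hop -> VPN is the NHTB lookup
        if vpn is None or vpn in down_vpns:
            continue
        candidates.append((-prefix.prefixlen, pref, vpn))
    return min(candidates)[2] if candidates else None
```

With vpn1 healthy, 10.2.1.0/24 traffic is bound to vpn1 via 192.168.2.1; if the monitor marks vpn1 down, the same destination resolves to vpn2 via 192.168.3.1.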

Site B:

  1. Create tunnel interface

    • set int tun.1 zone trust

    • set int tun.1 ip 192.168.2.1/24

  2. Set Gateway

    • set ike gateway "Hub" address 1.1.1.1 outgoing-interface e0/0 preshare netscreen proposal pre-g2-3des-sha

  3. Set Autokey Ike

    • set vpn "Hub VPN" gateway "Hub" proposal g2-esp-3des-sha

    • set vpn "Hub VPN" bind int tun.1

    • set vpn "Hub VPN" monitor optimized rekey

  4. Create static route

    • set route 10.1.1.0/24 int tun.1

Site C:

  1. Create tunnel interface

    • set int tun.1 zone trust

    • set int tun.1 ip 192.168.3.1/24

  2. Set Gateway

    • set ike gateway "Hub" address 1.1.1.1 outgoing-interface e0/0 preshare netscreen proposal pre-g2-3des-sha

  3. Set Autokey Ike

    • set vpn "Hub VPN" gateway "Hub" proposal g2-esp-3des-sha

    • set vpn "Hub VPN" bind int tun.1

    • set vpn "Hub VPN" monitor optimized rekey

  4. Create static route

    • set route 10.1.1.0/24 int tun.1

If you performed this procedure and need help with troubleshooting, refer to KB22091 - Resolution Guides and Articles - NS/ISG/SSG - VPN.
