[ScreenOS] Configuring a LAN-to-LAN VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

Article ID: KB5346


Summary:
Configuring Overlapping Subnets for LAN-to-LAN Auto-Key IKE VPN.  Example includes using a MIP on a tunnel interface to do the Network Address Translation (NAT) between sites.
Symptoms:
Environment:
  • LAN to LAN VPN
  • IP networks on both sites are the same
  • VPN to a network with equal subnets
  • LAN to LAN VPN with Overlapping subnets
  • Site to Site VPN with identical address ranges using Juniper Firewalls
Refer to the Solution below for how to configure the Juniper firewalls for this environment without changing the IP addresses at either site.
Solution:

Refer to ScreenOS_VPN_with_Overlapping_Subnets (PDF) for 'Configuring a LAN-to-LAN VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products': see page 147, or search the PDF for 'VPN Sites with Overlapping Addresses'.


Sample debug and snoop capture of a working example (local host 192.168.1.1 reaching 6.6.6.6, the remote site's MIP, with its source translated to the local MIP 5.5.5.5 on tunnel.2):

 ****** 258971.0: <Trust/loopback.1> packet received [128]******

  ipid = 41360(a190), @02958d84
  self:192.168.1.1/61700->6.6.6.6/1024,1(8/0)<Root>
  flow_decap_vector IPv4 process
  loopback.1:192.168.1.1/61700->6.6.6.6/1024,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <loopback.1>, out <tunnel.2>
  chose interface loopback.1 as incoming nat if.
  flow_first_routing: in <loopback.1>, out <tunnel.2>
  search route to (loopback.1, 192.168.1.1->6.6.6.6) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 23 for 6.6.6.6
  [ Dest] 23.route 6.6.6.6->6.6.6.6, to tunnel.2
  routed (x_dst_ip 6.6.6.6) from loopback.1 (loopback.1 in 0) to tunnel.2
  policy search from zone 2-> zone 100
 policy_flow_search  policy search nat_crt from zone 2-> zone 100
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 6.6.6.6, port 26413, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 2/0/0x1
  Permitted by policy 2
## 2019-04-26 02:37:21 : MIP 5.5.5.5 found for host 192.168.1.1 on ifp tunnel.2 (Root)
  found reversed mip/vip 5.5.5.5 for 192.168.1.1 (on tunnel.2)
  hip xlate: 192.168.1.1->5.5.5.5 at tunnel.2 (vs. tunnel.2)

  NHTB entry search not found: vpn none tif tunnel.2 nexthop 6.6.6.6
  matched tunnel-id <0x00000005>
  choose interface tunnel.2 as outgoing phy if
## 2019-04-26 02:37:21 : No Host found for MIP 6.6.6.6 on ifp tunnel.2
  no loop on ifp tunnel.2.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <loopback.1>, out <tunnel.2>
  existing vector list 5-842d46c.
  Session (id:128044) created for first pak 5
  flow_first_install_session======>
 input pak_ptr = 1ea46e0, pmtu 1500
 use pmtu 1500
 ipsec overhead: sap->crypto_ctx.iEspHdrLen = 16, sap->crypto_ctx.icvLen = 12
 IPv4 ESP fixed overhead 48
 cryptic_data_max_len before round down = pmtu - fxed overhead = 1500 - 48 = 1452
 cryptic_data_max_len after round down = 1448
 mtu after substracting 2-byte trailer = 1446
 total vpn overhead 54
  flow got session.
  flow session id 128044
  flow_main_body_vector in ifp loopback.1 out ifp tunnel.2
  flow vector index 0x5, vector addr 0x198f930, orig vector 0x198f930
  post addr xlation: 5.5.5.5->6.6.6.6.
  going into tunnel 40000005.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000005
(vn2)  doing ESP encryption and size =136
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec auth done
ipsec encrypt engine released
ipsec encrypt done
        put packet(6bb87a0) into flush queue.
        remove packet(6bb87a0) out from flush queue.

**** jump to packet:11.1.1.2->11.1.1.1
  packet encapsulated, type=ipsec, len=184
  ipid = 47501(b98d), @02958d60
  out encryption tunnel 40000005 gw:11.1.1.1
  no more encapping needed
  send out through normal path.
  flow_ip_send: b98d:11.1.1.2->11.1.1.1,50 => ethernet0/2(184) flag 0x3000a0, vlan 0
  mac 0010db8d1807 in session
  packet send out to 0010db8d1807 through ethernet0/2
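The address translation the capture above records, modelled in Python as an added example (it is not code from the KB article or from Juniper). The MIP 5.5.5.5 for host 192.168.1.1 on tunnel.2 and the remote MIP 6.6.6.6 are taken from the capture; that 6.6.6.6 maps to a host which is also 192.168.1.1 at the far site, and the /24 range entry used at the end, are constructed assumptions that show the overlapping case. The model also parses the two translation lines of the capture and checks that they agree with it.

```python
"""Model of the MIP-on-tunnel-interface translation behind the capture.

Added example, not code from the KB article or from Juniper.  Addresses
taken from the capture: local host 192.168.1.1, its MIP 5.5.5.5 on
tunnel.2, remote MIP 6.6.6.6.  Assumed (constructed) for the model: the
far site's host behind 6.6.6.6 is also 192.168.1.1, which is exactly the
overlap the MIPs exist to hide.
"""
import ipaddress
import re


class MipTable:
    """MIP table of one firewall's tunnel interface.

    Each entry pairs a MIP prefix with a real-host prefix of equal size,
    the way a MIP with a netmask covers a range; a /32 entry is a single
    host, which is the form the capture shows (MIP 5.5.5.5 <-> 192.168.1.1).
    """

    def __init__(self, entries):
        self.entries = [(ipaddress.ip_network(m), ipaddress.ip_network(h))
                        for m, h in entries]
        for mip_net, host_net in self.entries:
            if mip_net.prefixlen != host_net.prefixlen:
                raise ValueError("MIP and host prefixes must be the same size")

    @staticmethod
    def _shift(addr, from_net, to_net):
        # Keep the host offset, swap the network part.
        offset = int(ipaddress.ip_address(addr)) - int(from_net.network_address)
        return str(ipaddress.ip_address(int(to_net.network_address) + offset))

    def reverse_lookup(self, host_ip):
        """Real host -> its MIP ('found reversed mip/vip ... for ...'), else None."""
        for mip_net, host_net in self.entries:
            if ipaddress.ip_address(host_ip) in host_net:
                return self._shift(host_ip, host_net, mip_net)
        return None

    def lookup(self, mip_ip):
        """MIP -> real host ('MIP ... found for host ...'), else None
        (the capture's 'No Host found for MIP 6.6.6.6')."""
        for mip_net, host_net in self.entries:
            if ipaddress.ip_address(mip_ip) in mip_net:
                return self._shift(mip_ip, mip_net, host_net)
        return None


# From the capture: the local firewall's MIP on tunnel.2.
FW_A = MipTable([("5.5.5.5/32", "192.168.1.1/32")])
# Assumed: the far firewall's MIP for its own (overlapping) 192.168.1.1.
FW_B = MipTable([("6.6.6.6/32", "192.168.1.1/32")])


def traverse_tunnel(src, dst, local, remote):
    """Trace one packet out through the local tunnel interface and in
    through the remote one.  Returns ((wire_src, wire_dst),
    (delivered_src, delivered_dst))."""
    if local.lookup(dst) is not None:
        raise ValueError(f"{dst} is a local MIP; this is not tunnel traffic")
    # Sending side: the source host becomes its MIP (the capture's
    # 'hip xlate'); a host with no MIP entry passes through unchanged.
    # The destination, a remote MIP, is left alone.
    wire_src = local.reverse_lookup(src) or src
    # Receiving side: the destination MIP becomes the real host.  The
    # source stays the remote MIP, so the reply is routed back into the
    # tunnel rather than onto the receiving site's identically numbered LAN.
    delivered_dst = remote.lookup(dst)
    if delivered_dst is None:
        raise ValueError(f"{dst} is not a MIP at the far site")
    return (wire_src, dst), (wire_src, delivered_dst)


# The two translation lines of the capture, constructed as sample input.
DEBUG_LINES = """\
  hip xlate: 192.168.1.1->5.5.5.5 at tunnel.2 (vs. tunnel.2)
  post addr xlation: 5.5.5.5->6.6.6.6.
"""
XLATE_RE = re.compile(
    r"(hip xlate|post addr xlation): (\d+(?:\.\d+){3})->(\d+(?:\.\d+){3})")


def parse_xlate(debug_text):
    """Pull {stage: (from, to)} out of ScreenOS 'debug flow basic' output."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in XLATE_RE.finditer(debug_text)}


def capture_agrees_with_model(debug_text, local, remote):
    """True when the capture's translation equals what the model predicts."""
    stages = parse_xlate(debug_text)
    src_real = stages["hip xlate"][0]
    dst_mip = stages["post addr xlation"][1]
    wire, _ = traverse_tunnel(src_real, dst_mip, local, remote)
    return stages["post addr xlation"] == wire


if __name__ == "__main__":
    print(traverse_tunnel("192.168.1.1", "6.6.6.6", FW_A, FW_B))
    print(capture_agrees_with_model(DEBUG_LINES, FW_A, FW_B))
```

Running it prints the on-wire header inside the tunnel, 5.5.5.5 to 6.6.6.6, and the header delivered at the far site, 5.5.5.5 to 192.168.1.1, which is why neither firewall ever has to route a packet whose destination lies in its own 192.168.1.0/24. A /24 MIP entry (for example 5.5.5.0/24 to 192.168.1.0/24) makes the same table cover every host of a site while keeping the host part of each address.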

Modification History:
2017-12-07: Article reviewed for accuracy. Corrected links that were not working. Article is correct and complete.
2019-05-22: Added the debug and snoop capture of a working example