[ScreenOS] Route-Based VPN is up, but, not passing traffic

Article ID: KB5352 KB Last Updated: 21 Dec 2017Version: 8.0
Summary:
The route-based VPN is not passing traffic even though the Phase 1 and Phase 2 negotiations complete successfully. A route-based VPN only carries packets that the firewall routes to the tunnel interface bound to the VPN; if no route to the remote network points at that tunnel interface, the SAs come up but traffic is forwarded out the normal (usually default) route instead of into the tunnel. Confirm that a route to the remote network exists via the VPN's tunnel interface.
Symptoms:
Environment:
Route based VPN

Symptoms and errors:
  • Phase 1 IKE cookies established.
  • Phase 2 SA established.
  • VPN is not working.
  • No traffic goes through the VPN.
Solution:

Add a route to the remote VPN network through the tunnel interface associated with the VPN.
Example:

Two sites with an SSG140 at each end. The internal network at Site A is 192.168.1.0/24; the internal network at Site B (the remote network from Site A's point of view) is 10.1.1.0/24.
At Site A:
 
  1. Create a tunnel interface. The VPN traffic will be routed via this tunnel interface.

  2. A static route has to be added, so that the firewall will know how to route the packet that is destined for the 10.1.1.0/24 network.  
 


At Site B:

Similarly, for traffic initiated at Site B and destined for the 192.168.1.0/24 network:

  1. Create a tunnel interface (for example, tunnel.2). The VPN traffic will be routed via this tunnel interface.
  2. A static route has to be added, so that the firewall will know how to route the packet that is destined for the 192.168.1.0/24 network.

For Site A (via the WebUI):
 
  1. Go to Network > Routing > Destination (or Routing Entries).

  2. Select the appropriate Virtual Router.

  3. Click New.

  4. Network Address: 10.1.1.0

  5. Netmask: 255.255.255.0

  6. Click the Gateway button.

  7. Interface: tunnel.1

  8. Gateway IP Address: IP address of Internet router

  9. Click OK.

Via the CLI:

set vrouter trust-vr route 10.1.1.0/24 interface tunnel.1 [Enter]

For Site B (via the WebUI):
 
  1. Go to Network > Routing > Destination (or Routing Entries).

  2. Select the appropriate Virtual Router.

  3. Click New

  4. Network Address: 192.168.1.0

  5. Netmask: 255.255.255.0

  6. Click the Gateway button.

  7. Interface: tunnel.2

  8. Gateway IP Address: IP address of Internet router

  9. Click OK.

Via the CLI:
set vrouter trust-vr route 192.168.1.0/24 interface tunnel.2 [Enter]
 
To verify the route, refer to KB4435 - How Do I Verify a Route to the Virtual Router?
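The two-site procedure above as one complete ScreenOS CLI configuration, added here as an illustration; it is not taken from this KB article or from Juniper's documentation. The public addresses (203.0.113.1 for Site A, 198.51.100.1 for Site B), the interface name (ethernet0/0 as the Untrust interface on both firewalls), the gateway, VPN and address-book names, the proposals and the pre-shared key placeholder are all assumptions made for the example; the `#` lines are commentary, not ScreenOS commands. The `get route ip` check at the end is the quickest way to tell a missing tunnel route apart from an IKE problem: with Phase 1 and Phase 2 up but no route, the lookup for a remote host resolves to the default route out ethernet0/0 rather than to tunnel.1.

```text
# ---------------- Site A (SSG140): LAN 192.168.1.0/24, remote LAN 10.1.1.0/24 ----------------
# Assumed: ethernet0/0 is the Untrust interface (public IP 203.0.113.1); trust-vr is the default vrouter.
set address trust "lan-siteA" 192.168.1.0 255.255.255.0
set address untrust "lan-siteB" 10.1.1.0 255.255.255.0

# 1. Tunnel interface the VPN is bound to (unnumbered, borrowing the Untrust interface address)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Phase 1 / Phase 2: this is the part that already works in the symptom described above
set ike gateway "gw-siteB" address 198.51.100.1 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-STRONG-PSK" proposal "pre-g2-aes128-sha"
set vpn "vpn-siteB" gateway "gw-siteB" proposal "g2-esp-aes128-sha"
set vpn "vpn-siteB" bind interface tunnel.1

# 2. The route this article is about. Without it the SAs come up but no packet is steered into tunnel.1.
#    "set route" is the short form of "set vrouter trust-vr route" when trust-vr is the default vrouter.
set route 10.1.1.0/24 interface tunnel.1

# Policies are still needed in both directions; tunnel.1 sits in the Untrust zone here
set policy from trust to untrust "lan-siteA" "lan-siteB" "ANY" permit
set policy from untrust to trust "lan-siteB" "lan-siteA" "ANY" permit
save

# ---------------- Site B (SSG140): LAN 10.1.1.0/24, remote LAN 192.168.1.0/24 ----------------
# Assumed: ethernet0/0 is the Untrust interface (public IP 198.51.100.1).
set address trust "lan-siteB" 10.1.1.0 255.255.255.0
set address untrust "lan-siteA" 192.168.1.0 255.255.255.0
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet0/0
set ike gateway "gw-siteA" address 203.0.113.1 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-STRONG-PSK" proposal "pre-g2-aes128-sha"
set vpn "vpn-siteA" gateway "gw-siteA" proposal "g2-esp-aes128-sha"
set vpn "vpn-siteA" bind interface tunnel.2
set route 192.168.1.0/24 interface tunnel.2
set policy from trust to untrust "lan-siteB" "lan-siteA" "ANY" permit
set policy from untrust to trust "lan-siteA" "lan-siteB" "ANY" permit
save

# ---------------- Verification (run on Site A) ----------------
get ike cookies            # Phase 1: an entry for peer 198.51.100.1 should be present
get sa                     # Phase 2: SAs for vpn-siteB listed as active (A/-)
get route ip 10.1.1.1      # must resolve to interface tunnel.1; if it shows the default route
                           # out ethernet0/0, the static route is missing and traffic bypasses the VPN
get route                  # full table for the vrouter, including the 10.1.1.0/24 entry
```

Both `get ike cookies` and `get sa` looking healthy while `get route ip 10.1.1.1` returns the default route is exactly the state this article describes; adding the `set route ... interface tunnel.x` line on the affected side is the fix.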
Modification History:
2017-12-07: Article reviewed for accuracy. Removed mention of End of Life devices. Article is correct and complete.
