[ScreenOS] LAN to LAN VPN between two Juniper firewalls where one or both devices are in the Transparent mode

[KB5822]


Summary:
VPN terminates at the Juniper firewall (ScreenOS) in Transparent mode. How to configure a Virtual Private Network (VPN) between two Juniper firewalls in Transparent mode.
Symptoms:
How is a VPN configured between two Juniper firewalls in Transparent mode?

This example is based on a VPN between two SSG140s; however, the configuration is valid for all devices running ScreenOS 5.x and 6.x.



Assumptions:
 
  • The firewalls at Site A and Site B are in the transparent mode and connected to the Internet.

  • The internal network on the firewall at Site A is 1.1.1.0 255.255.255.0. The Internet router is at 1.1.1.1 and the VLAN1 IP address of the firewall is 1.1.1.50.

  • The internal network on the firewall at Site B is 1.1.2.0 255.255.255.0. The internet router is at 1.1.2.1 and the VLAN1 IP address of the firewall is 1.1.2.50.

  • Both Phase 1 (P1) and Phase 2 (P2) use the Standard security level, the preshared key for P1 is netscreen, and Replay Protection is disabled.
Solution:
When the security device interfaces are in the transparent mode (that is, they have no IP addresses and are operating at Layer 2 in the OSI Model), you can use the VLAN1 IP address as a VPN termination point. In place of an outgoing interface, as used when the interfaces are in route or NAT mode (that is, they have IP addresses and are operating at Layer 3), a VPN tunnel references an outgoing zone. By default, a tunnel uses the V1-Untrust zone as its outgoing zone. If you have multiple interfaces bound to the same outgoing zone, the VPN tunnel can use any one of them.

A security device whose interfaces are in transparent mode supports only policy-based VPNs.

To configure a policy-based AutoKey IKE tunnel on a security device whose interfaces are in the transparent mode, perform the following procedure:
  1. Verify that the VLAN1 interface has an IP address and a Manage IP address.
  2. Enter the IP addresses of the local and remote networks in the address books for the V1-Trust and V1-Untrust zones.
  3. Configure the VPN tunnel and designate the V1-Untrust zone as its outgoing zone.
  4. Enter a default route to the external router in the trust-vr.
  5. Set up policies to pass VPN traffic between the two sites.

It is not necessary for both security devices to be in the transparent mode. The device at one end of the tunnel can be in the transparent (Layer 2) mode while the device at the other end is in the route or NAT (Layer 3) mode.

Note:
  • You cannot configure some interfaces in the NAT or Route mode (L3 mode) and some interfaces in the transparent mode (L2 mode) on the same device.
  • ScreenOS lets you configure it, but this configuration is not supported.
  • This also applies to a VSYS: you cannot have one VSYS in the L2 mode and another in the L3 mode. For more information, refer to KB6224 - Can you combine NAT/Route (L3) mode and transparent (L2) mode on a single firewall?
  • Additionally, with the Transparent mode, the firewall needs a static route to reach the remote IPsec gateway.

Site A Configuration details:

Define address objects:

 
WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK

    * Address Name: lan-B
    * IP Address/Netmask: 1.1.2.0/24

Choose V1-Trust from pull-down menu and click New
Enter following and click OK

    * Address Name: lan-A
    * IP address/Netmask: 1.1.1.0/24


CLI:
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24



Define IKE gateway (Phase 1)


WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
  •   Gateway Name: toB
  •   Security Level: Standard
  •   Static IP Address: 1.1.2.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard



Define IPSec VPN (Phase 2)


 

WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
  •   VPN Name: toB
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toB

CLI:
set vpn toB gateway toB sec-level standard



Define policy


WEBUI:
Select Policies, choose the following zones, then click New
  •   From: V1-Trust
  •   To: V1-Untrust
Enter following and click OK
  •   Source Address: Address Book Entry, lan-A
  •   Destination Address: Address Book Entry, lan-B
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toB
  •   Modify matching bidirectional VPN policy: check

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000



Define static route


 
WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.1.1
 
CLI:
set route 0.0.0.0/0 gateway 1.1.1.1

 


Site B Configuration details:
--------------------------------------

Define address objects


 
WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK
  •     Address Name: lan-A
  •     IP Address/Netmask: 1.1.1.0/24
Choose V1-Trust from pull-down menu and click New
Enter following and click OK
  •     Address Name: lan-B
  •     IP address/Netmask: 1.1.2.0/24

CLI:
set address v1-trust lan-B 1.1.2.0/24
set address v1-untrust lan-A 1.1.1.0/24



Define IKE gateway (Phase1)


 
WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
  •   Gateway Name: toA
  •   Security Level: Standard
  •   Static IP Address: 1.1.1.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard


Define IPSec VPN (Phase 2)


 
WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
  •   VPN Name: toA
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toA

CLI:
set vpn toA gateway toA sec-level standard

Define policy


 
WEBUI:
Select Policies, choose the following zones, then click New
  •   From: V1-Trust
  •   To: V1-Untrust

Enter following and click OK

  •   Source Address: Address Book Entry, lan-B
  •   Destination Address: Address Book Entry, lan-A
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toA
  •   Modify matching bidirectional VPN policy: check

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000



Define static route


 
WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.2.1
CLI:
set route 0.0.0.0/0 gateway 1.1.2.1
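The five-step procedure and the two CLI sections above have to agree with each other: the remote address object must sit in the V1-Untrust book, each IKE gateway must point at the peer's VLAN1 address, the preshared keys must match, the proxy IDs derived from the two tunnel policies must mirror one another, and the default route's next hop must be on the VLAN1 subnet. The following Python script is an added example, not Juniper code or part of this article. It parses the article's own `set` commands for Site A and Site B (the SITE_A and SITE_B strings are constructed from the CLI sections) and reports any of those mismatches; the VLAN1 addresses (1.1.1.50/24 and 1.1.2.50/24 from the assumptions) are passed in as parameters because the article assumes VLAN1 is already configured.

```python
import ipaddress
from typing import Dict, List

# Sample input constructed from the article's CLI sections for both sites.
SITE_A = """\
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard
set vpn toB gateway toB sec-level standard
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000
set route 0.0.0.0/0 gateway 1.1.1.1
"""
SITE_B = """\
set address v1-trust lan-B 1.1.2.0/24
set address v1-untrust lan-A 1.1.1.0/24
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard
set vpn toA gateway toA sec-level standard
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000
set route 0.0.0.0/0 gateway 1.1.2.1
"""


def _after(w: List[str], key: str) -> str:
    """Token following `key` in a ScreenOS command ('' if the keyword is absent)."""
    return w[w.index(key) + 1] if key in w else ""


def parse_screenos(text: str) -> Dict:
    """Parse the subset of 'set' commands the article uses into lookup tables."""
    cfg = {"address": {}, "gateway": {}, "vpn": {}, "policy": {}, "route": []}
    for line in text.splitlines():
        w = line.split()
        if len(w) < 4 or w[0] != "set":
            continue
        if w[1] == "address":                      # set address <zone> <name> <prefix>
            cfg["address"][w[3]] = {"zone": w[2], "net": ipaddress.ip_network(w[4])}
        elif w[1] == "ike" and w[2] == "gateway":  # set ike gateway <name> address <ip> ... outgoing-zone <z> preshare <k> ...
            cfg["gateway"][w[3]] = {"address": ipaddress.ip_address(_after(w, "address")),
                                    "zone": _after(w, "outgoing-zone"), "preshare": _after(w, "preshare")}
        elif w[1] == "vpn":                        # set vpn <name> gateway <gw> sec-level <lvl>
            cfg["vpn"][w[2]] = {"gateway": _after(w, "gateway")}
        elif w[1] == "policy":                     # set policy id <n> from <z> to <z> <src> <dst> <svc> tunnel vpn <v> [pair-policy <n>]
            i = w.index("to")
            cfg["policy"][_after(w, "id")] = {"from": _after(w, "from"), "to": w[i + 1], "src": w[i + 2],
                                              "dst": w[i + 3], "vpn": _after(w, "vpn"), "pair": _after(w, "pair-policy")}
        elif w[1] == "route":                      # set route <prefix> gateway <ip>
            cfg["route"].append((ipaddress.ip_network(w[2]), ipaddress.ip_address(_after(w, "gateway"))))
    return cfg


def check_site(name: str, cfg: Dict, vlan1: str) -> List[str]:
    """Per-firewall checks; `vlan1` is the VLAN1 address as 'ip/prefix'."""
    out, subnet = [], ipaddress.ip_interface(vlan1).network
    if not any(d.prefixlen == 0 for d, _ in cfg["route"]):
        out.append(f"{name}: no default route, so the remote IPsec gateway is unreachable")
    for dest, gw in cfg["route"]:
        if dest.prefixlen == 0 and gw not in subnet:  # the next hop must be on VLAN1's own segment
            out.append(f"{name}: default gateway {gw} is not on the VLAN1 subnet {subnet}")
    for gname, gw in cfg["gateway"].items():
        if gw["zone"] != "v1-untrust":
            out.append(f"{name}: gateway {gname} uses outgoing zone {gw['zone']}, expected v1-untrust")
    for pid, p in cfg["policy"].items():
        for role, zone in (("src", p["from"]), ("dst", p["to"])):
            obj = cfg["address"].get(p[role])
            if obj is None:
                out.append(f"{name}: policy {pid} references unknown address {p[role]}")
            elif obj["zone"] != zone:  # an object defined in the wrong zone book never matches the policy
                out.append(f"{name}: policy {pid} {role} {p[role]} is in {obj['zone']}, policy expects {zone}")
        if cfg["vpn"].get(p["vpn"], {}).get("gateway") not in cfg["gateway"]:
            out.append(f"{name}: policy {pid} tunnel vpn {p['vpn']} has no usable IKE gateway")
        mate = cfg["policy"].get(p["pair"]) if p["pair"] else None
        if p["pair"] and (mate is None or (mate["src"], mate["dst"]) != (p["dst"], p["src"])):
            out.append(f"{name}: policy {pid} pair-policy {p['pair']} does not mirror src/dst")
    return out


def check_pair(a: Dict, b: Dict, a_vlan1: str, b_vlan1: str) -> List[str]:
    """Cross-site checks: peer addresses, preshared key and proxy IDs must agree."""
    out = check_site("SiteA", a, a_vlan1) + check_site("SiteB", b, b_vlan1)
    sides = {"SiteA": (a, ipaddress.ip_interface(a_vlan1).ip), "SiteB": (b, ipaddress.ip_interface(b_vlan1).ip)}
    for me, other in (("SiteA", "SiteB"), ("SiteB", "SiteA")):
        for gname, gw in sides[me][0]["gateway"].items():
            if gw["address"] != sides[other][1]:
                out.append(f"{me}: gateway {gname} points at {gw['address']}, but {other} VLAN1 is {sides[other][1]}")
    if len({gw["preshare"] for c, _ in sides.values() for gw in c["gateway"].values()}) > 1:
        out.append("preshared keys differ between the two sites")

    def outbound(cfg):  # (local net, remote net) of the first non-paired tunnel policy = its proxy ID
        p = next((p for p in cfg["policy"].values() if not p["pair"]), None)
        if p and p["src"] in cfg["address"] and p["dst"] in cfg["address"]:
            return cfg["address"][p["src"]]["net"], cfg["address"][p["dst"]]["net"]
    pa, pb = outbound(a), outbound(b)
    if pa and pb and pa != (pb[1], pb[0]):
        out.append(f"proxy IDs do not mirror: SiteA {pa} vs SiteB {pb}")
    return out


if __name__ == "__main__":
    for f in check_pair(parse_screenos(SITE_A), parse_screenos(SITE_B), "1.1.1.50/24", "1.1.2.50/24") or ["no findings"]:
        print(f)
```

Run as-is it reports no findings for the article's configuration; change one side (for example, put lan-A into the v1-trust book at Site B, or alter one preshared key) and the corresponding finding is printed for both policies that reference the object.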

 


Technical Documentation

A Transparent mode VPN example is also included in the Technical Documentation:

ScreenOS Concepts & Examples Reference Guide, Volume 5: Virtual Private Networks

Chapter 4 -- Site-to-Site Virtual Private Networks
“Transparent Mode VPN” Example

 

ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf  (Page 149 onwards)

ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/ce_v5.pdf  (Page 151 onwards)

ScreenOS 6.2: http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/ce_v5.pdf  (Page 163 onwards)

ScreenOS 6.3: http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf  (Page 158 onwards)
Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.
Related Links: