
How to configure a policy for a route-based VPN

Article ID: KB9514 | Last Updated: 10 Jun 2010 | Version: 4.0
Summary:

When creating a route-based VPN, a policy is sometimes necessary to allow traffic in and out of the tunnel. Below are a few configuration examples.

Symptoms:

How do you determine if a policy is required when creating a route-based VPN?

Solution:
Refer to example network diagram below:



When creating a route-based VPN, a policy is sometimes needed to permit or deny traffic in and out of the tunnel. Whether one is needed depends on the security zone to which the tunnel interface is assigned. A policy is necessary in the following instances:

  1. The tunnel interface bound to the route-based VPN is assigned to a different zone than the user hosts.
  2. The tunnel interface bound to the route-based VPN is assigned to the same zone as the user hosts AND zone block is enabled on that zone.
  3. The user hosts, the Internet-facing interface, and the tunnel interface are all in different zones.


Example for instance 1:

In this example, the user hosts are located in the Trust zone and the tunnel interface is assigned to the Untrust zone. Therefore, a policy is necessary to allow traffic in and out of the route-based tunnel, since the traffic flow is from the Trust zone to the Untrust zone and vice versa.

set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.10.10/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 172.16.10.1/24
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

set address trust "Trust_LAN" 192.168.10.0/24
set address untrust "Remote_LAN" 192.168.20.0/24

set ike gateway "IKE_Name" address 172.16.20.1 main outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn "VPN_Name" gateway "IKE_Name" sec-level compatible
set vpn "VPN_Name" bind interface tunnel.1
set policy top from trust to untrust "Trust_LAN" "Remote_LAN" Any permit
set policy top from untrust to trust "Remote_LAN" "Trust_LAN" Any permit
save



Example for instance 2:

In this example, the tunnel interface is assigned to the Trust zone AND zone block is enabled on that zone. Therefore, a policy is necessary to allow traffic in and out of the route-based tunnel, even though the traffic flow is intrazone (Trust to Trust).

set zone trust block
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.10.10/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 172.16.10.1/24
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet1

set address trust "Trust_LAN" 192.168.10.0/24
set address trust "Remote_LAN" 192.168.20.0/24

set ike gateway "IKE_Name" address 172.16.20.1 main outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn "VPN_Name" gateway "IKE_Name" sec-level compatible
set vpn "VPN_Name" bind interface tunnel.1
set policy top from trust to trust "Trust_LAN" "Remote_LAN" Any permit
set policy top from trust to trust "Remote_LAN" "Trust_LAN" Any permit



NOTE: If zone block is not enabled on the Trust zone, no policy is required for this intrazone traffic.

Example for instance 3:

In this example, the user hosts are in the Trust zone, the Internet-facing interface is in the Untrust zone, and the tunnel interface is in a separate VPN zone. The policy must be written between the Trust zone and whichever zone the tunnel interface resides in, so here the policies go from Trust to VPN and from VPN to Trust (not from Trust to Untrust).

set address "Trust" "Local_LAN" 192.168.10.0/24
set address "VPN" "Remote_LAN" 192.168.20.0/24
set policy from "Trust" to "VPN" "Local_LAN" "Remote_LAN" Any permit
set policy from "VPN" to "Trust" "Remote_LAN" "Local_LAN" Any permit
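Added here as a configuration check (not part of this KB article and not a Juniper tool): a small Python script that applies the rule above to a ScreenOS config dump and reports which zone-to-zone policies are still missing for each VPN-bound tunnel interface. It assumes the user hosts sit in the trust zone and that the config uses the set interface ... zone, set zone ... block, set vpn ... bind interface and set policy ... from ... to ... forms shown in this article; the embedded snippet is constructed, not captured from a device.

```python
import re

# Constructed ScreenOS snippet modelled on example 1 above (not a capture
# from a real device); the user hosts are assumed to sit in the trust zone.
EXAMPLE_1 = """\
set interface ethernet1 zone trust
set interface ethernet3 zone untrust
set interface tunnel.1 zone untrust
set vpn "VPN_Name" bind interface tunnel.1
set policy top from trust to untrust "Trust_LAN" "Remote_LAN" Any permit
set policy top from untrust to trust "Remote_LAN" "Trust_LAN" Any permit
"""

def parse(config):
    """Collect interface zones, blocked zones, VPN-bound tunnels and policy zone pairs."""
    iface_zone, blocked, tunnels, policies = {}, set(), [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r'set interface (\S+) zone "?([^"\s]+)"?$', line):
            iface_zone[m[1]] = m[2].lower()
        elif m := re.match(r'set zone "?([^"\s]+)"? block$', line):
            blocked.add(m[1].lower())
        elif m := re.match(r'set vpn \S+ bind interface (\S+)$', line):
            tunnels.append(m[1])
        elif m := re.match(r'set policy(?: top)? from "?([^"\s]+)"? to "?([^"\s]+)"? ', line):
            policies.add((m[1].lower(), m[2].lower()))
    return iface_zone, blocked, tunnels, policies

def missing_policies(config, host_zone="trust"):
    """Return (from_zone, to_zone) pairs that still lack a policy for each bound tunnel.
    Only zone pairs are checked, not the address objects named in the policy."""
    iface_zone, blocked, tunnels, policies = parse(config)
    missing = []
    for tun in tunnels:
        tz = iface_zone.get(tun)
        if tz is None:
            raise ValueError(f"{tun} is bound to a VPN but has no zone assignment")
        # Rule from the article: a policy is needed when the tunnel zone differs
        # from the host zone, or when they match but zone block is enabled.
        if tz == host_zone and host_zone not in blocked:
            continue
        for pair in ((host_zone, tz), (tz, host_zone)):
            if pair not in policies and pair not in missing:
                missing.append(pair)
    return missing

if __name__ == "__main__":
    print(missing_policies(EXAMPLE_1))  # []
```

Feed it the output of get config from the device; an empty list means every bound tunnel already has policies in both directions at zone level.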
