ScreenOS Cookbook by Sunil Wadhwa, Joe Kelly, Ken Draper, David Delcourt, Vik Davar, Stefan Brunner

10.3. Route-Based IPSec Tunneling with Static Peers and Static Routes

Problem

You need to provide secure, encrypted traffic between two sites while enforcing firewall rules using a route-based configuration. These two sites have static IP addresses.

Solution

Create VPN configurations on each device using tunnel interfaces and policies.

Hub site configuration

For the hub site configuration, first create address entries for local and remote subnets:

	Corp-VPN-Hub-> set address trust local_lan 10.140.10.0/24
	Corp-VPN-Hub-> set address vpn denton_lan 10.70.1.0/24

Then, create the zone and interface:

	Corp-VPN-Hub-> set zone name vpn
	Corp-VPN-Hub-> set interface tun.10 zone vpn
	Corp-VPN-Hub-> set interface tun.10 ip unnumbered interface eth0/3

Now, configure routes to use the tunnel for the destination subnet:

	Corp-VPN-Hub-> set route 10.70.1.0/24 interface tun.10

Next, configure the VPN Phase-1 and Phase-2 parameters:

	Corp-VPN-Hub-> set ike gateway denton address 10.0.1.71 main
	               outgoing-interface eth0/3 preshare juniper123 sec-level standard
	Corp-VPN-Hub-> set vpn denton gateway denton sec-level standard
	Corp-VPN-Hub-> set vpn denton bind interface tun.10

Enable the VPN monitor and rekey options:

	Corp-VPN-Hub-> set vpn denton monitor rekey

Finally, create the bidirectional policies:

	Corp-VPN-Hub-> set policy from trust to vpn local_lan denton_lan any permit
	policy id = 5
	Corp-VPN-Hub-> set policy from vpn to trust denton_lan local_lan any permit
	policy id = 6
	Corp-VPN-Hub-> save
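The hub configuration above only works when its pieces reference each other consistently: the route for the remote subnet must point at a tunnel interface, that interface must be bound to a VPN whose gateway exists, the address objects must sit in the zones the policies name, and every policy needs its return-direction twin. The following Python script is an added example, not from the book, that parses those "set" commands (the hub commands above, embedded as a constructed sample with abbreviations expanded) and reports any dangling reference or missing mirror policy before the configuration is saved.

```python
# Constructed sample: the hub-side commands from this recipe, one per line.
HUB_CONFIG = """
set address trust local_lan 10.140.10.0/24
set address vpn denton_lan 10.70.1.0/24
set zone name vpn
set interface tun.10 zone vpn
set interface tun.10 ip unnumbered interface eth0/3
set route 10.70.1.0/24 interface tun.10
set ike gateway denton address 10.0.1.71 main outgoing-interface eth0/3 preshare juniper123 sec-level standard
set vpn denton gateway denton sec-level standard
set vpn denton bind interface tun.10
set vpn denton monitor rekey
set policy from trust to vpn local_lan denton_lan any permit
set policy from vpn to trust denton_lan local_lan any permit
"""

def parse(config):
    """Extract the objects a route-based VPN depends on from ScreenOS 'set' lines."""
    c = {"addr": {}, "ifzone": {}, "route": {}, "gw": set(), "vpn_gw": {}, "vpn_if": {}, "pol": []}
    for line in config.strip().splitlines():
        t = line.split()
        if t[:2] == ["set", "address"]:
            c["addr"][t[3]] = (t[2], t[4])                 # name -> (zone, subnet)
        elif t[:2] == ["set", "interface"] and t[3] == "zone":
            c["ifzone"][t[2]] = t[4]                       # tun.10 -> vpn
        elif t[:2] == ["set", "route"] and t[3] == "interface":
            c["route"][t[2]] = t[4]                        # subnet -> egress interface
        elif t[:3] == ["set", "ike", "gateway"]:
            c["gw"].add(t[3])
        elif t[:2] == ["set", "vpn"] and t[3] == "gateway":
            c["vpn_gw"][t[2]] = t[4]                       # vpn -> ike gateway
        elif t[:2] == ["set", "vpn"] and t[3:5] == ["bind", "interface"]:
            c["vpn_if"][t[2]] = t[5]                       # vpn -> tunnel interface
        elif t[:2] == ["set", "policy"] and t[2] == "from":
            c["pol"].append((t[3], t[5], t[6], t[7]))      # (from, to, src, dst)
    return c

def audit(c):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    for vpn, gw in c["vpn_gw"].items():
        if gw not in c["gw"]:
            findings.append(f"vpn {vpn} references undefined ike gateway {gw}")
        if vpn not in c["vpn_if"]:
            findings.append(f"vpn {vpn} is not bound to a tunnel interface")
    bound = set(c["vpn_if"].values())
    for subnet, iface in c["route"].items():
        if iface.startswith("tun.") and iface not in bound:
            findings.append(f"route {subnet} uses {iface}, which no vpn is bound to")
    tun_zones = {z for i, z in c["ifzone"].items() if i.startswith("tun.")}
    for name, (zone, subnet) in c["addr"].items():   # remote subnets need a tunnel route
        if zone in tun_zones and c["ifzone"].get(c["route"].get(subnet)) != zone:
            findings.append(f"address {name} in zone {zone} has no route via a {zone} tunnel")
    for frm, to, src, dst in c["pol"]:               # zones must match, and traffic needs a return policy
        if c["addr"].get(src, (None,))[0] != frm or c["addr"].get(dst, (None,))[0] != to:
            findings.append(f"policy {frm}->{to} {src}->{dst}: address objects not in those zones")
        if (to, frm, dst, src) not in c["pol"]:
            findings.append(f"policy {frm}->{to} {src}->{dst} has no return policy")
    return findings
```

Running `audit(parse(HUB_CONFIG))` on the recipe's hub commands returns no findings; dropping the `bind interface` or the return policy line makes the corresponding gap show up.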

Remote site configuration ...