{"id":258,"date":"2017-08-13T17:14:03","date_gmt":"2017-08-13T21:14:03","guid":{"rendered":"http:\/\/puluka.com\/home\/?p=258"},"modified":"2017-08-13T17:14:03","modified_gmt":"2017-08-13T21:14:03","slug":"screenos-remote-site-uses-vpn-to-core-site-for-internet-access","status":"publish","type":"post","link":"http:\/\/puluka.com\/home\/networking\/screenos\/screenos-remote-site-uses-vpn-to-core-site-for-internet-access\/","title":{"rendered":"ScreenOS &#8211; Remote Site Uses VPN to Core Site for Internet Access"},"content":{"rendered":"<p><strong>Product<\/strong>: ScreenOS SSG Series<br \/>\n<strong>Version<\/strong>: 6.0 and up<\/p>\n<h2>Network Topology:<\/h2>\n<p><strong>Network diagram:<\/strong><\/p>\n<p>Two sites connect via IPSEC VPN across the internet. Internet requests from the remote site are forwarded down the VPN tunnel to the core site and use the core site's internet access connection.<\/p>\n<p><a href=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ForceInternetDownVPN.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-259\" src=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ForceInternetDownVPN-300x171.jpg\" alt=\"\" width=\"300\" height=\"171\" srcset=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ForceInternetDownVPN-300x171.jpg 300w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ForceInternetDownVPN-768x439.jpg 768w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ForceInternetDownVPN-1024x585.jpg 1024w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ForceInternetDownVPN.jpg 1213w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h2>Description:<\/h2>\n<p>Each site has internet access to establish the VPN connection, but all browsing from client machines on the remote site is directed to the core site. The process uses source-based routing to force all requests from the remote LAN down the VPN to the core site gateway. 
On arrival at the core site the source address needs to be translated to a local core site LAN IP and then forwarded for internet access.<\/p>\n<p>The process utilizes IPSEC VPN in route mode, source-based routing and address translation.<\/p>\n<ol>\n<li>Create an IPSEC VPN between sites<\/li>\n<li>Configure source routing on the remote site<\/li>\n<li>Configure the address translation for the remote LAN on the core site<\/li>\n<\/ol>\n<h3>Zone Layout<\/h3>\n<p>Untrust interface is ethernet0\/0<\/p>\n<p>Trust interface is bgroup0<\/p>\n<p>tunnel.1 interface is in the trust zone<\/p>\n<p>This zone layout puts all sites and tunnels into the same security zone.\u00a0 No policies need to be created on any device for full communications across the entire core and remote network.\u00a0 This assumes that intra-zone blocking is NOT enabled on any of the firewalls for the trust zone, which is the default behavior for the trust zone. You can change the zone of the tunnel interface to untrust and create policies as needed to allow traffic.<\/p>\n<h3>Configuration<\/h3>\n<p><strong><em>1. Create IPSEC VPN Between Sites <\/em><\/strong><\/p>\n<p>Create the tunnel.1 interface on each site as unnumbered and associated with bgroup0. 
This is the same on both sites.<\/p>\n<p><strong>CLI<\/strong><br \/>\nset interface tunnel.1 zone Trust<br \/>\nset interface tunnel.1 ip unnumbered interface bgroup0<\/p>\n<p>Set routes to these tunnel interfaces for each site.<\/p>\n<p><strong>CLI<br \/>\nCore site<\/strong><br \/>\nset route 10.0.2.0\/24 interface tunnel.1 gateway 10.0.2.1<br \/>\n<strong>Remote Site<\/strong><br \/>\nset route 10.0.1.0\/24 interface tunnel.1 gateway 10.0.1.1<\/p>\n<p><strong>WEB<br \/>\nCore site<\/strong><br \/>\nNetwork \u2013 Routing \u2013 Destination<br \/>\nNew button<br \/>\n10.0.2.0\/24<br \/>\ninterface tunnel.1<br \/>\ngateway 10.0.2.1<\/p>\n<p><strong>Remote Site<\/strong><br \/>\nNetwork \u2013 Routing \u2013 Destination<br \/>\nNew button<br \/>\n10.0.1.0\/24<br \/>\ninterface tunnel.1<br \/>\nGateway 10.0.1.1<\/p>\n<p><strong>WEB<\/strong><br \/>\nNetwork \u2013 Interfaces \u2013 List<br \/>\nNew tunnel interface in the upper right<br \/>\nTrust zone<br \/>\nUnnumbered with the bgroup0 interface<\/p>\n<p>Create the VPN gateways.<\/p>\n<p><strong>CLI<\/strong><br \/>\n<strong>Core Site<\/strong><br \/>\nset ike gateway Remote-GW address 2.2.2.2 Main outgoing-interface ethernet0\/0 preshare juniper sec-level standard<\/p>\n<p><strong>Remote Site<\/strong><br \/>\nset ike gateway Core-GW address 1.1.1.1 Main outgoing-interface ethernet0\/0 preshare juniper sec-level standard<\/p>\n<p><strong>WEB<br \/>\nCore Site<\/strong><br \/>\nVPNs \u2013 AutoKey Advanced \u2013 Gateway<br \/>\nCreate new gateway<br \/>\nName Remote-GW<br \/>\nIP: 2.2.2.2<br \/>\nAdvanced button<br \/>\nPreshared key: juniper<br \/>\nOutgoing interface ethernet0\/0<\/p>\n<p><strong>Remote Site<\/strong><br \/>\nVPNs \u2013 AutoKey Advanced \u2013 Gateway<br \/>\nCreate new gateway<br \/>\nName Core-GW<br \/>\nIP: 1.1.1.1<br \/>\nAdvanced button<br \/>\nPreshared key: juniper<br \/>\nOutgoing interface ethernet0\/0<\/p>\n<p>Create AutoKey IKE objects.<\/p>\n<p><strong>Core Site<br \/>\nCLI<\/strong><br \/>\nset vpn Remote 
gateway Remote-GW sec-level standard<br \/>\nset vpn Remote bind interface tunnel.1<\/p>\n<p><strong>WEB<\/strong><br \/>\nVPNs \u2013 AutoKey IKE<br \/>\nCreate New<br \/>\nName Remote<br \/>\nAssociated gateway Remote-GW<br \/>\nAdvanced button<br \/>\nTunnel interface tunnel.1<\/p>\n<p><strong>Remote Site<br \/>\nCLI<\/strong><br \/>\nset vpn Core gateway Core-GW sec-level standard<br \/>\nset vpn Core bind interface tunnel.1<\/p>\n<p><strong>WEB<\/strong><br \/>\nVPNs \u2013 AutoKey IKE<br \/>\nCreate New<br \/>\nName Core<br \/>\nAssociated gateway Core-GW<br \/>\nAdvanced button<br \/>\nTunnel interface tunnel.1<\/p>\n<p><em><strong>2. Configure Source Routing on Remote Site<\/strong><\/em><\/p>\n<p>Enable source routing on the trust virtual router.<\/p>\n<p><strong>CLI<\/strong><br \/>\nset source-routing enable<\/p>\n<p><strong>WEB<\/strong><br \/>\nNetwork \u2013 Routing \u2013 Virtual Routers (edit trust-vr)<br \/>\nCheck box &#8211; Enable Source Based Routing<\/p>\n<p>Create a rule to forward all LAN traffic down the VPN tunnel.<\/p>\n<p><strong>CLI<\/strong><br \/>\nset route source 10.0.2.0\/24 interface tunnel.1 gateway 10.0.1.1<\/p>\n<p><strong>WEB<\/strong><br \/>\nNetwork \u2013 Routing \u2013 Source (new button upper right)<br \/>\nNetwork: 10.0.2.0\/24<br \/>\nInterface: tunnel.1<br \/>\nGateway: 10.0.1.1<\/p>\n<p><em><strong>3. 
Configure the address translation for the remote LAN on the core site<\/strong><\/em><\/p>\n<p>Create a standard web access policy from trust to untrust using policy-based source NAT.<\/p>\n<p><strong>CLI<\/strong><br \/>\nset policy from Trust to Untrust Any Any ANY nat src permit log<\/p>\n<p><strong>WEB<\/strong><br \/>\nPolicy \u2013 Policies<br \/>\nSelect trust to untrust (new button upper right or edit the existing general policy)<br \/>\nSource: any<br \/>\nDestination: any<br \/>\nAction: permit<br \/>\nLogging: checked<br \/>\nAdvanced button<br \/>\nSource translation: checked for egress interface<\/p>\n<h2>Verification:<\/h2>\n<p>Confirm internet access on the remote site and observe translations in the policy log on the core site.<\/p>\n<h2>References:<\/h2>\n<h3>ScreenOS Concepts &amp; Examples Guides<\/h3>\n<p><a href=\"http:\/\/www.juniper.net\/techpubs\/software\/screenos\/screenos6.2.0\/index.html\">http:\/\/www.juniper.net\/techpubs\/software\/screenos\/screenos6.2.0\/index.html<\/a><\/p>\n<p><strong>Route based VPN tunnels<\/strong><br \/>\nVolume 5 Virtual Private Networks<br \/>\nChapter 3 VPN Guidelines<br \/>\nChapter 4 VPN: Site-to-site VPN Configurations<\/p>\n<p><strong>Source Based Routing<\/strong><br \/>\nVolume 7 Routing<br \/>\nChapter 2 \u2013 Source Based Routing Table<\/p>\n<p><strong>Network Address Translation<\/strong><br \/>\nVolume 8 Address Translation<br \/>\nChapter 2<\/p>\n<p>Originally Posted May 22, 2011<br \/>\nLast Revised on May 22, 2011<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Product: ScreenOS SSG Series Version: 6.0 and up Network Topology: Network diagram: Two sites connect via IPSEC VPN across the internet. 
The internet requests from the remote site are forwarded down the VPN tunnel to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-258","post","type-post","status-publish","format-standard","hentry","category-screenos"],"_links":{"self":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/comments?post=258"}],"version-history":[{"count":1,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/258\/revisions"}],"predecessor-version":[{"id":260,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/258\/revisions\/260"}],"wp:attachment":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/media?parent=258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/categories?post=258"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/tags?post=258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}