{"id":263,"date":"2017-08-13T17:17:13","date_gmt":"2017-08-13T21:17:13","guid":{"rendered":"http:\/\/puluka.com\/home\/?p=263"},"modified":"2017-08-13T17:17:13","modified_gmt":"2017-08-13T21:17:13","slug":"screenos-hub-spoke-vpn-with-mix-of-policy-and-route-spoke-sites","status":"publish","type":"post","link":"http:\/\/puluka.com\/home\/networking\/screenos\/screenos-hub-spoke-vpn-with-mix-of-policy-and-route-spoke-sites\/","title":{"rendered":"ScreenOS – Hub-Spoke VPN with mix of Policy and Route spoke sites"},"content":{"rendered":"

Product<\/strong>: ScreenOS SSG Series
\nVersion<\/strong>: 6.2 and up<\/p>\n

Network Topology:<\/h2>\n

Network diagram:<\/strong><\/p>\n

Hub and spoke VPN with multiple sites using point to multipoint
\nTwo sites routing VPN with SSG
\nTwo sites Policy VPN with any standards based firewall<\/p>\n

\"\"<\/a><\/p>\n

Description:<\/h2>\n

This hub and spoke setup allows multiple sites on either route or policy based VPN to connect to a common tunnel interface. This uses static routes and NHTB (Next hop Tunnel Binding) to direct traffic in the network. These allow the mixing of SSG and non-SSG policy based VPN on the same hub and spoke network.<\/p>\n

The configuration requires a base setup on the hub location where primary services are connected. Each spoke then has a configuration set to connect and provide these services to the hub. While the hub adds a section for each new spoke that is created in the system.<\/p>\n

    \n
  1. \n
      \n
    1. Configure base services on the hub location. This occurs only once and remains the same no matter how many spokes are added to the system.<\/li>\n
    2. For each spoke there are two sets of configuration<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

       <\/p>\n

        \n
      1. \n
          A)Hub configuration for VPN access to the spoke<\/ol>\n<\/li>\n<\/ol>\n

           <\/p>\n

            B)Spoke configuration settting up basic services and the VPN to the hub<\/ol>\n

            Zone Layout<\/h3>\n

            untrust interface is ethernet0\/0<\/p>\n

            trust interface is bgroup0<\/p>\n

            tunnel.1 interface is in trust zone<\/p>\n

            This zone layout puts all sites and tunnels into the same security zone.\u00a0 No policies need to be created on any device for full communications across the entire core and remote network.\u00a0 This is assuming that intra zone blocking is NOT enabled on any of the firewalls for the trust zone.\u00a0 This is the default behavior for the trust zone. You can change the zone of the tunnel interface to untrust and create policies as needed to allow traffic.<\/p>\n

            Configuration<\/h3>\n

            1. Hub location base configuration: <\/em><\/strong><\/p>\n

            Create VPN tunnel interface<\/p>\n

            set interface tunnel.1 zone Trust
            \nset interface tunnel.1 ip 10.0.0.1\/24<\/p>\n

            2. A. Hub location per spoke configuration: <\/strong><\/em><\/p>\n

            Repeat only these commands for additional spoke sites<\/p>\n

            Create VPN Gateway to spoke<\/p>\n

            set ike gateway SpokeA-GW address 2.2.2.2 Main outgoing-interface “ethernet0\/0” preshare Juniper== sec-level standard
            \nset ike gateway SpokeB-GW address 3.3.3.3 Main outgoing-interface “ethernet0\/0” preshare Juniper== sec-level standard
            \nset ike gateway SpokeC-GW address 4.4.4.4 Main outgoing-interface “ethernet0\/0” preshare Juniper== sec-level standard
            \nset ike gateway SpokeD-GW address 5.5.5.5 Main outgoing-interface “ethernet0\/0” preshare Juniper== sec-level standard<\/p>\n

            Create VPN tunnel bound to tunnel interface<\/p>\n

            SSG tunnels use the remote tunnel interface as the NHTB gateway<\/p>\n

            set vpn SpokeA gateway SpokeA-GW no-replay tunnel idletime 0 sec-level standard
            \nset vpn SpokeA bind interface tunnel.1
            \nset interface tunnel.1 nhtb 10.0.0.2 vpn SpokeA
            \nset vpn SpokeB gateway SpokeB-GW no-replay tunnel idletime 0 sec-level standard
            \nset vpn SpokeB bind interface tunnel.1
            \nset interface tunnel.1 nhtb 10.0.0.3 vpn SpokeA<\/p>\n

            Policy Based Tunnels add the Proxy-id for the connection and the remote router ip for the NHTB gateway<\/p>\n

            set vpn SpokeC gateway SpokeC-GW no-replay tunnel idletime 0 sec-level standard
            \nset vpn SpokeC bind interface tunnel.1
            \nset interface tunnel.1 nhtb 10.0.4.1 vpn SpokeC
            \nset vpn SpokeC proxy-id local-ip 10.0.1.0\/24 remote-ip 10.0.4.0\/24 “ANY”
            \nset vpn SpokeD gateway SpokeD-GW no-replay tunnel idletime 0 sec-level standard
            \nset vpn SpokeD bind interface tunnel.1
            \nset interface tunnel.1 nhtb 10.0.5.1 vpn SpokeD
            \nset vpn SpokeD proxy-id local-ip 10.0.1.0\/24 remote-ip 10.0.5.0\/24 “ANY”<\/p>\n

            Create Static Routes to spoke sites<\/p>\n

            set route 10.0.2.0\/24 interface tunnel.1 gateway 10.0.0.2
            \nset route 10.0.3.0\/24 interface tunnel.1 gateway 10.0.0.3
            \nSSG use the tunnel interface as the gateway
            \nset route 10.0.4.0\/24 interface tunnel.1 gateway 10.0.4.1
            \nset route 10.0.5.0\/24 interface tunnel.1 gateway 10.0.5.1<\/p>\n

            Policy based VPN use the remote LAN router interface as the gateway<\/p>\n

            2. B. Spoke location: <\/strong><\/em><\/p>\n

            All steps on spokes are identical with exceptions noted below. Change the indicated parameters to match the spoke location on the network as each new spoke is added.<\/p>\n

            These only apply the SSG route based VPN sites. The policy sites are configured by the normal standard on the remote equipment.<\/p>\n

            Create VPN tunnel interface<\/p>\n

            set interface tunnel.1 zone Trust
            \nset interface tunnel.1 ip 10.0.0.2\/24
            \n**Change the ip address to match the spoke location<\/p>\n

            Create VPN Gateway to hub<\/p>\n

            set ike gateway Hub-gw address 1.1.1.1 Main outgoing-interface ethernet0\/0 preshare juniper== sec-level standard
            \nCreate VPN tunnel bound to tunnel interface
            \nset vpn Hub gateway Hub-GW no-replay tunnel idletime 0 sec-level standard
            \nset vpn Hub bind interface tunnel.1<\/p>\n

            Create Static route to hub<\/p>\n

            set route 10.0.1.0\/24 interface tunnel.1 gateway 10.0.0.1<\/p>\n

            NHTB is only needed on the hub as each spoke has only one tunnel<\/p>\n

            Verification:<\/h2>\n

            routing table checks<\/p>\n

            Running “get route protocol static” on a spoke should show the routes to the hub with a capital S label. The hub site will show all of the sites with their static routes.<\/p>\n

            get route protocol static
            \nIPv4 Dest-Routes for <untrust-vr> (0 entries)
            \n————————————————————————————–
            \nH: Host C: Connected S: Static A: Auto-Exported
            \nI: Imported R: RIP P: Permanent D: Auto-Discovered
            \nN: NHRP
            \niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
            \nE2: OSPF external type 2 trailing B: backup route
            \nIPv4 Dest-Routes for <trust-vr> (14 entries)
            \n————————————————————————————–
            \nID IP-Prefix Interface Gateway P Pref Mtr Vsys
            \n————————————————————————————–
            \n* 13 10.0.2.0\/24 tun.1 10.0.0.2 S 20 1 Root
            \n* 12 10.0.3.0\/24 tun.1 10.0.0.3 S 20 1 Root
            \n* 11 10.0.4.0\/24 tun.1 10.0.4.1 S 20 1 Root
            \n* 14 10.0.5.0\/24 tun.1 10.0.5.1 S 20 1 Root<\/p>\n

            From the hub site confirm ping to all remote router ip addresses<\/p>\n

            ping 10.0.2.1 from bgroup0
            \nType escape sequence to abort
            \nSending 5, 100-byte ICMP Echos to 192.168.141.1, timeout is 1 seconds from bgroup0
            \n!!!!!
            \nSuccess Rate is 100 percent (5\/5), round-trip time min\/avg\/max=62\/62\/63 ms<\/p>\n

            References:<\/h2>\n

            ScreenOS Concepts & Examples Guides<\/h3>\n

            http:\/\/www.juniper.net\/techpubs\/software\/screenos\/screenos6.2.0\/index.html<\/a><\/p>\n

            Route based VPN tunnels<\/strong>
            \nVolume 5 Virtual Private Networks
            \nChapter 3 VPN Guidelines
            \nChapter 4 VPN: Sit-to-site VPN Configurations<\/p>\n

            Source Based Routing<\/strong>
            \nVolume 7 Routing
            \nChapter 2 \u2013 Source Based Routing Table<\/p>\n

            Point to multi-point tunnels to share tunnel interfaces<\/strong>
            \nVolume 5 VPN
            \nChapter 7 Advanced VPN Features: Multiple Tunnels per Tunnel Interface<\/p>\n

            Originally Posted May 30, 2011
            \nLast Revised on May 30, 2011<\/p>\n","protected":false},"excerpt":{"rendered":"

            Product: ScreenOS SSG Series Version: 6.2 and up Network Topology: Network diagram: Hub and spoke VPN with multiple sites using point to multipoint Two sites routing VPN with SSG Two sites Policy VPN with any […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-263","post","type-post","status-publish","format-standard","hentry","category-screenos"],"_links":{"self":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/comments?post=263"}],"version-history":[{"count":1,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/263\/revisions"}],"predecessor-version":[{"id":265,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/263\/revisions\/265"}],"wp:attachment":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/media?parent=263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/categories?post=263"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/tags?post=263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}