
Hi Guys,

I need to set up another tunnel to our DR site. I have no Juniper experience and my boss has thrown this one at me.

We have two subnets: one is on the 7.x network, which is our production network, and we have the 12.x network, which is our iSCSI network. Our DR site has the 6.x network for production (we have working users at our DR site) and 11.x, which is the SCSI network that is solely used for replication.

What I need to do is create a VPN tunnel that will get the 12.x network and the 11.x network talking via the VPN.

Please help!!!!!

asked 11/15/2011 01:54


Anf_1984 ♦♦


15 Answers:
Do you have a VPN for the production networks already? If so, it is best to just replicate the setup for the SCSI networks. Though I have my doubts that it is a good idea to have DR info exchanged via VPN ...

answered

Qlemo

You can use the same tunnel interface as the working VPN. Then simply create a new VPN gateway and AutoKey IKE entry with the original tunnel interface as the VPN target. Then in the tunnel interface, edit the settings and choose NHTB (Next Hop Tunnel Binding); this will allow you to specify which subnet is at the end of each VPN, therefore keeping the traffic going in the right direction. Lastly you need to create route statements pointing the remote networks to the tunnel interface the VPN is using.

Thanks

answered 2011-11-16 at 01:39:12

sangamc

Thanks, I'll give it a shot.

answered 2011-11-16 at 07:20:55

Anf_1984

Where do I create the VPN gateway?

answered 2011-11-16 at 12:46:54

Anf_1984

From the WebUI go to

      VPNs > AutoKey Advanced > Gateway

There should already be a gateway defined for your existing VPN that you can use for reference.

answered 2011-11-16 at 13:39:09

sangamc

Thanks. Where is Next Hop Tunnel Binding (NHTB) located?

answered 2011-11-16 at 13:47:06

Anf_1984

In the interface properties of your tunnel interface you have NHTB at the top (where "Basic", "MIP", "DIP" and so on are displayed as links).
[Attachment: NTHB-SSG.PNG, location of the NHTB option]

You will only see that with tunnel interfaces. See http://help.juniper.net/help/english/6.3.0/nhtb_list_edit_cnt.htm for an explanation.
You need to enter the remote gateway IP, and choose the appropriate VPN gateway entry for it. The remote gateway is the same as you have used in your routing table, that is an 11.x address on your 12.x site.

answered 2011-11-16 at 14:14:47

Qlemo
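The two answers above describe three things that have to agree for NHTB to steer traffic correctly: the static route to the remote subnet points at the tunnel interface with a next-hop gateway, that gateway has an NHTB entry on the same tunnel interface, and the NHTB entry names a VPN that is bound to that interface. The following script is an added example, not code from this thread or from Juniper; it parses a handful of ScreenOS-style `set` lines (only the VPN bind, NHTB and route forms are recognised) and reports any link in that chain that is missing. The interface names, VPN names, gateway addresses and the sample configs are constructed, with RFC 5737 documentation addresses standing in for the 11.x and 12.x networks.

```python
"""Consistency check for a ScreenOS route-based VPN that uses NHTB.

Added example, not part of the original thread. It checks the
route -> NHTB entry -> bound VPN chain for each route that leaves via a
tunnel interface. All names, addresses and config lines are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str    # destination subnet, e.g. "192.0.2.128/25"
    iface: str     # outgoing interface, e.g. "tunnel.1"
    gateway: str   # next-hop IP that must match an NHTB entry


# Only these three line shapes are parsed; everything else is ignored.
_BIND = re.compile(r"^set vpn (\S+) bind interface (\S+)$")
_NHTB = re.compile(r"^set interface (\S+) nhtb (\S+) vpn (\S+)$")
_ROUTE = re.compile(r"^set route (\S+) interface (\S+) gateway (\S+)$")

# Constructed: an existing production VPN (vpn-prod) and the new
# replication VPN (vpn-dr) sharing tunnel.1, each with its own NHTB entry
# and a matching static route. Peer addresses and pre-shared keys are
# placeholders.
SAMPLE_CONFIG = """
set interface tunnel.1 zone untrust
set ike gateway gw-prod address 198.51.100.1 outgoing-interface ethernet0/0 preshare "REPLACE_ME" sec-level standard
set ike gateway gw-dr address 198.51.100.2 outgoing-interface ethernet0/0 preshare "REPLACE_ME" sec-level standard
set vpn vpn-prod gateway gw-prod sec-level standard
set vpn vpn-prod bind interface tunnel.1
set vpn vpn-dr gateway gw-dr sec-level standard
set vpn vpn-dr bind interface tunnel.1
set interface tunnel.1 nhtb 192.0.2.1 vpn vpn-prod
set interface tunnel.1 nhtb 192.0.2.129 vpn vpn-dr
set route 192.0.2.0/25 interface tunnel.1 gateway 192.0.2.1
set route 192.0.2.128/25 interface tunnel.1 gateway 192.0.2.129
"""

# Constructed: the same setup with the NHTB entry for vpn-dr forgotten and
# a typo in the replication route's gateway (.130 instead of .129).
BROKEN_CONFIG = """
set vpn vpn-prod bind interface tunnel.1
set vpn vpn-dr bind interface tunnel.1
set interface tunnel.1 nhtb 192.0.2.1 vpn vpn-prod
set route 192.0.2.0/25 interface tunnel.1 gateway 192.0.2.1
set route 192.0.2.128/25 interface tunnel.1 gateway 192.0.2.130
"""


def parse(config: str):
    """Return (vpn -> bound interface, (iface, next-hop) -> vpn, routes)."""
    bound: dict[str, str] = {}
    nhtb: dict[tuple[str, str], str] = {}
    routes: list[Route] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := _BIND.match(line):
            bound[m[1]] = m[2]
        elif m := _NHTB.match(line):
            nhtb[(m[1], m[2])] = m[3]
        elif m := _ROUTE.match(line):
            routes.append(Route(*m.groups()))
    return bound, nhtb, routes


def check_config(config: str) -> list[str]:
    """Return a list of human-readable problems; empty means consistent."""
    bound, nhtb, routes = parse(config)
    problems: list[str] = []

    # 1. A route out of a tunnel interface needs an NHTB entry for its gateway,
    #    otherwise the firewall cannot tell which VPN the packet belongs to.
    for r in routes:
        if r.iface.startswith("tunnel.") and (r.iface, r.gateway) not in nhtb:
            problems.append(
                f"route {r.prefix} via {r.iface} gateway {r.gateway} has no NHTB entry")

    # 2. An NHTB entry must name a VPN that is bound to that same interface.
    for (iface, gw), vpn in nhtb.items():
        if bound.get(vpn) != iface:
            problems.append(
                f"NHTB {gw} on {iface} names {vpn}, which is bound to {bound.get(vpn, 'nothing')}")

    # 3. When several VPNs share one tunnel interface, each needs an NHTB entry.
    per_iface: dict[str, list[str]] = {}
    for vpn, iface in bound.items():
        per_iface.setdefault(iface, []).append(vpn)
    for iface, vpns in per_iface.items():
        if len(vpns) < 2:
            continue
        with_nhtb = {v for (i, _), v in nhtb.items() if i == iface}
        for vpn in vpns:
            if vpn not in with_nhtb:
                problems.append(
                    f"{vpn} shares {iface} with {len(vpns) - 1} other VPN(s) but has no NHTB entry")
    return problems


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        found = check_config(cfg)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Running it prints nothing but `OK` for the sample config and two findings for the broken one: the replication route's gateway has no NHTB entry, and vpn-dr shares tunnel.1 with another VPN without an NHTB entry of its own. The check mirrors the advice in the thread: the gateway you put in the route must be exactly the address you enter in the NHTB row, and that row must point at the VPN you bound to the tunnel interface.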

I don't have that option. Attached.
[Attachment: Capture.PNG, screenshot]

answered 2011-11-16 at 15:45:22

Anf_1984

The option doesn't become available until you bind the VPN to the tunnel interface from VPNs > AutoKey IKE > Edit (VPN).

answered 2011-11-16 at 19:12:30

sangamc

What option are you referring to?

answered 2011-11-16 at 20:27:49

Anf_1984

Ahh, I see what you mean. Click on Advanced, and in the middle of the page there is a section where you bind the VPN to the tunnel interface it will be using.

This link gives the best summary of the steps with pictures. Please ignore the proxy-ID section unless you have a specific reason for using it.

http://www.fir3net.com/Juniper-Netscreen/netscreen-creating-a-route-based-vpn.html

answered 2011-11-16 at 20:31:03

sangamc

I change the source interface and save it, but it keeps going back to default. I'm assuming that the default is the one that is selected. That's OK, but why am I not seeing the NHTB option?

Thanks

answered 2011-11-16 at 20:41:35

Anf_1984

Leave the source interface alone. That section is for VPN monitoring (keep the tunnel up all the time, or mark it as failing).
As said, you see the NHTB option in your tunnel interface settings as soon as you have bound it to a VPN.

answered 2011-11-16 at 20:49:53

Qlemo

I try to, but get this error.

answered 2011-11-17 at 01:23:22

Anf_1984

You should choose a tunnel interface with (1). You have checked "Tunnel Interface", but not set up that one (dropdown is "none"). You should have an interface called tunnel.### (with ### as a number). That tunnel interface has been created earlier with the "main" VPN.

answered 2011-11-17 at 13:40:55

Qlemo

Seen: 195 times

Last updated: 12/06/2011 09:43