{"id":1884,"date":"2014-03-30T08:56:19","date_gmt":"2014-03-30T06:56:19","guid":{"rendered":"http:\/\/www.extradrm.com\/?p=1884"},"modified":"2018-12-04T15:03:42","modified_gmt":"2018-12-04T13:03:42","slug":"1884","status":"publish","type":"post","link":"http:\/\/www.extradrm.com\/?p=1884","title":{"rendered":"How to Create a VPN tunnel with Juniper"},"content":{"rendered":"<p>This tutorial explains a quick setup to create a <strong>VPN tunnel<\/strong> between <strong>two Juniper NS5GT<\/strong> devices running ScreenOS. The basics are the same on the other ScreenOS models and the menus are in roughly the same place. Here are the values used in this example (the WAN addresses are placeholders; use your own public addresses):<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Site A:<\/strong><\/span><br \/>\nWAN IP: 8.8.8.1\/27<br \/>\nLAN IP: 10.10.0.0\/22<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Site B:<\/strong><\/span><br \/>\nWAN IP: 8.8.9.1\/26<br \/>\nLAN IP: 192.168.36.0\/24<\/p>\n<p>The steps are identical on both devices, except where you enter the WAN and LAN information, so follow the steps below on both devices. I am going to start with the device installed in Site A:<\/p>\n<ol>\n<li>Expand Policies \u2013 Policy Elements \u2013 Addresses and click List.<\/li>\n<li>With the Untrust zone selected, click New.<\/li>\n<li>Give the remote site a name and enter the LAN network of Site B in the IP box (Site A for the device installed in Site B): 192.168.36.0\/24. If you don\u2019t know what \/24 means, simply enter the subnet mask in full (255.255.255.0). Leave the zone as Untrust and click OK. The remote LAN belongs in the Untrust zone because it is reached through the WAN interface.<\/li>\n<li>Back in the Addresses screen, select Trust from the pull-down menu and click New. Then enter the LAN network of the site in which your device is installed (Site A; Site B for the device installed in Site B). 
Same procedure as step 3 above.<\/li>\n<li>Expand VPNs \u2013 AutoKey Advanced and click Gateway.<\/li>\n<li>Click New.<\/li>\n<li>Give the gateway a name and enter the WAN address of Site B (Site A for the device installed in Site B): 8.8.9.1. This is the peer\u2019s host address, so enter it without the \/26 prefix length. Leave everything else alone, then click Advanced.<\/li>\n<li>Enter a preshared key. This is the only thing that authenticates the two VPN devices to each other, so make it long and random (a generated string, not a dictionary password) and enter exactly the same key on both Site A and Site B.<\/li>\n<li>Select the local interface on which the VPN tunnel will operate, which is your WAN port. If you are not sure which port is your WAN, expand Network \u2013 Interfaces and click List; the interface assigned to your public IP is the one you need.<\/li>\n<li>The simplest choice is Predefined, Standard. To pick specific algorithms you can select User Defined, Custom. Since this is a quick and dirty tutorial we are going to use Predefined; stay with Standard rather than Basic or Compatible, which still offer DES and MD5, and choose the same set on both devices or Phase 1 negotiation will fail.<\/li>\n<li>Click Return to go back, then click OK.<\/li>\n<li>Under the same menu (VPNs) click AutoKey IKE.<\/li>\n<li>Click New.<\/li>\n<li>Give your VPN a name, like \u201cSite A to Site B\u201d.<\/li>\n<li>You should now see \u201cSite B\u201d in the Predefined Remote Gateway box \u2013 select it.<\/li>\n<li>Leave everything else on that screen alone and click Advanced.<\/li>\n<li>If you want VPN monitoring, check the VPN Monitor box towards the bottom of the screen; the device then sends periodic pings through the tunnel, so the tunnel state is visible on the VPN status page and in the logs. Click Return and then OK.<\/li>\n<\/ol>\n<p>At this point the VPN tunnel itself is configured. 
However, to allow traffic to pass from one site to the other, <strong>we have to create a policy<\/strong>; without one the tunnel exists but nothing is sent through it.<\/p>\n<ol>\n<li>Expand Policy and click Policies.<\/li>\n<li>At the top, select Untrust in the \u201cFrom\u201d field and Trust in the \u201cTo\u201d field from the pull-down menus, then click New.<\/li>\n<li>Give the policy a name (optional).<\/li>\n<li>In Source Address, select Site B from the pull-down menu (Site A for the device installed in Site B).<\/li>\n<li>In Destination Address, select Site A (Site B for the device installed in Site B).<\/li>\n<li>In Action, select Tunnel. Permit is not enough for a policy-based VPN: only a Tunnel action sends matching traffic through (and accepts it from) the VPN instead of routing it in the clear.<\/li>\n<li>In Tunnel, select the VPN name you chose in step 14 above.<\/li>\n<li>As written, this Untrust-to-Trust policy on the Site A device only allows sessions that Site B initiates into Site A. To let hosts on both sides initiate connections, check the box next to Modify matching bidirectional VPN; ScreenOS then creates the matching Trust-to-Untrust tunnel policy for the other direction. Leave it unchecked if you want a one-way policy in which only the remote site can open connections.<\/li>\n<li>If you want logging, check the appropriate box. Logging tunnel policies is worth it; it is the quickest way to see whether traffic is matching the policy at all.<\/li>\n<li>Click OK.<\/li>\n<\/ol>\n<p>Now you are done. Once you have completed the steps in both sites you should be able to ping Site B computers from Site A and vice versa.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Some extra tips:<\/strong><\/span><\/p>\n<p><strong>1- Do not forget to allow ping<\/strong> (and optionally SSH and HTTP) between the data networks. The Service field of the tunnel policy decides what may cross the tunnel: ANY allows everything, otherwise add the PING, SSH and HTTP services you actually need.<\/p>\n<p>2- Sometimes you still need a second subnet to be reachable between the two sites, and the remote site does not know about the existence of that 2nd subnet, but you can reuse the existing tunnel between the sites. Check whether you gave the new policy a Tunnel action or only created a permit policy: <strong>Permit won\u2019t work in policy-based tunneling\u2026 it has to be a tunnel policy<\/strong>. 
Create an address-book entry in the Untrust zone for the 10.10.10.0 network and then create a tunnel policy for it through the same VPN, like this:<\/p>\n<p><a href=\"http:\/\/www.extradrm.com\/wp-content\/uploads\/2014\/03\/juniper-policy.jpg\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-1889\" src=\"http:\/\/www.extradrm.com\/wp-content\/uploads\/2014\/03\/juniper-policy-263x300.jpg\" alt=\"juniper-policy\" width=\"263\" height=\"300\" srcset=\"http:\/\/www.extradrm.com\/wp-content\/uploads\/2014\/03\/juniper-policy-263x300.jpg 263w, http:\/\/www.extradrm.com\/wp-content\/uploads\/2014\/03\/juniper-policy.jpg 352w\" sizes=\"(max-width: 263px) 100vw, 263px\" \/><\/a><\/p>\n<p>3- Useful links:<\/p>\n<p><a title=\"Juniper Guide\" href=\"http:\/\/www.trapezenetworks.com\/us\/en\/training\/elearning\/ssg5-20\/content\/shell.htm\" target=\"_blank\" rel=\"noopener\">http:\/\/www.trapezenetworks.com\/us\/en\/training\/elearning\/ssg5-20\/content\/shell.htm<\/a><\/p>\n<p><a title=\"Juniper Firewall Basic configuration\" href=\"http:\/\/www.youtube.com\/watch?v=3PuPWQY_fcs\" target=\"_blank\" rel=\"noopener\">http:\/\/www.youtube.com\/watch?v=3PuPWQY_fcs<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This tutorial explains a quick setup to create a VPN tunnel between two Juniper NS5GT devices. 
Basics are all the same and can be found in pretty much the same spot on different devices.&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":2838,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[279,278],"tags":[280,281,282],"youtube_video":null,"_links":{"self":[{"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/posts\/1884"}],"collection":[{"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1884"}],"version-history":[{"count":0,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/posts\/1884\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=\/wp\/v2\/media\/2838"}],"wp:attachment":[{"href":"http:\/\/www.extradrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1884"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1884"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.extradrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1884"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
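The whole GUI procedure above (address book, IKE gateway, AutoKey IKE VPN, tunnel policies, and the second-subnet case from tip 2), transcribed to the ScreenOS CLI for the Site A device. This is an added example and not part of the original post. It assumes the NS5GT default interface names trust and untrust, the object names used in the tutorial, ScreenOS 5.x/6.x command syntax, a placeholder preshared key, and a /24 mask for the 10.10.10.0 network (the post gives no mask); check each command against `get config` on your own unit. Lines starting with # are annotations for the reader, not ScreenOS commands.

```screenos
# Added example: ScreenOS CLI equivalent of the GUI steps, Site A device.
# Assumptions: interfaces named trust/untrust (NS5GT defaults), ScreenOS 5.x/6.x
# syntax, placeholder preshared key, /24 mask for the tip-2 subnet.

# Address book: the remote LAN lives in the Untrust zone, the local LAN in Trust
set address untrust "Site B" 192.168.36.0 255.255.255.0
set address trust "Site A" 10.10.0.0 255.255.252.0
# Tip 2: a second local subnet that must also ride the tunnel (mask assumed)
set address trust "Site A Net2" 10.10.10.0 255.255.255.0

# Phase 1: IKE gateway to Site B's public host address (no prefix length),
# main mode on the untrust interface, long random preshared key, and the
# predefined Standard proposal set (Basic and Compatible still offer DES/MD5)
set ike gateway "Site B" address 8.8.9.1 main outgoing-interface untrust preshare "REPLACE-WITH-LONG-RANDOM-KEY" sec-level standard

# Phase 2: the AutoKey IKE VPN bound to that gateway, with VPN monitor enabled
set vpn "Site A to Site B" gateway "Site B" sec-level standard
set vpn "Site A to Site B" monitor

# Policies: the action must be tunnel, not permit. The first policy is the one the
# tutorial builds; the second is what "Modify matching bidirectional VPN" adds.
set policy from untrust to trust "Site B" "Site A" any tunnel vpn "Site A to Site B" log
set policy from trust to untrust "Site A" "Site B" any tunnel vpn "Site A to Site B" log
# Tip 2: the extra subnet needs its own tunnel policies through the same VPN
set policy from untrust to trust "Site B" "Site A Net2" any tunnel vpn "Site A to Site B" log
set policy from trust to untrust "Site A Net2" "Site B" any tunnel vpn "Site A to Site B" log

# Persist the configuration, then verify Phase 1, Phase 2 and the policies
save
get ike gateway
get vpn
get sa
get policy
```

On the Site B device the same commands are mirrored: "Site A" and "Site A Net2" become Untrust address entries (192.168.36.0 becomes the Trust entry), the gateway address is 8.8.8.1, and the same preshared key and Standard proposal set are used. After both sides are saved, `get sa` should show active SAs for the VPN once a ping crosses the tunnel; if it shows none, `get ike gateway` and the event log will tell you whether Phase 1 is failing (key or proposal mismatch) or whether traffic is simply not matching a tunnel policy.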