topic Re: VPN between 3 sites in General Topics

VPN between 3 sites

javier.brito — Thu, 07 Jul 2016 04:55:06 GMT

VPN Site to Site

I have communication between site A and site B or site A and Site C, but I have not communication between B y C through A
Site A (headquarters )
Site B (Windows Azure)
Site C (Bank)
The required communication is the site B to contact C through A.

Can you help me please

Re: VPN between 3 sites

reaper — Thu, 07 Jul 2016 09:44:10 GMT

Hi Javier

could you elaborate on what exactly you need assistance ?

did you try setting up a specific configuration which didn't work or are you wondering if it is conceptually possible ?

you can use siteA as a hub by making sure each remote site has routes for the other remote site's subnet pointing at the tunnel interface, and possibly have matching proxyIDs so each site knows it needs to put traffic destined for the other site into the HQ tunnel, then simply set security policies on the HQ site to allow the traffic

Re: VPN between 3 sites

javier.brito — Thu, 07 Jul 2016 13:49:03 GMT

I m sorry accept the solution by mistake

Give me 30 minutes to send more details

Thank you

Re: VPN between 3 sites

javier.brito — Thu, 07 Jul 2016 16:50:38 GMT

I have a VPN between site "B" and site "A" and and it is working properly
I have a VPN between site "C" and site "A" and and it is working properly

The problem was that when you send a ping site "B" to site "C" trough site A it did not responded to this

your comments helped me solve the problem.
I share the details of the solution
Thank you

Site B
Firewall Juniper SSG5
LAN: 192.168.51.0/24

Site C
Firewall: PA200
LAN: 192.168.20.0/20

site A
Firewall: PA 3020
172.16.16.0/20

Routing B
set route 172.16.16.0/20 interface tunnel.1
set route 192.168.20.0/24 interface tunnel.1

Policies B
set policy id 3 from "Trust" to "Untrust" "192.168.51.0/24" "172.16.16.0/20" "ANY"
set policy id 3 from "Trust" to "Untrust" "192.168.51.0/24" "192.168.20.0/24" "ANY"

set policy id 4 from "Untrust" to "Trust" "172.16.16.0/20" "192.168.51.0/20" "ANY"
set policy id 4 from "Untrust" to "Trust" "192.168.20.0" "192.168.51.0/20" "ANY"

Routing C

destination nexthop metric flags age interface next-AS
172.16.16.0/20 0.0.0.0 10 A S tunnel.1
192.168.51.0/24 0.0.0.0 10 A S tunnel.1

Policies C

Site A and B TO site C {
from Untrust;
source [ 172.16.16.0/20 192.168.51.0/24 ];
source-region none;
to Trust;
destination 192.168.20.0/24;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;

Routing A

destination nexthop metric flags age interface next-AS
192.168.51.0/24 0.0.0.0 10 A S tunnel.6
192.168.20.0/24 0.0.0.0 10 A S tunnel.7

Policies A

Site B-Site C {
from untrust;
source 192.168.51.0/24;
source-region none;
to untrust;
destination 192.168.20.0/24;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Site B-Site A {
from untrust;
source 192.168.51.0/24;
source-region none;
to trust;
destination 172.16.16.0/20;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Site C- Site A {
from untrust;
source 192.168.20.0/24;
source-region none;
to trust;
destination 172.16.16.0/20;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Re: VPN between 3 sites

pulukas — Sun, 10 Jul 2016 10:49:45 GMT

Is your issue solved? If not:

From what you list here, it looks like the VPN from B will not allow traffic with an ip address of C to enter the tunnel and the same seems to be the case in reverse. Your tunnels only seem to capture traffic for the A subnet to these sites.

There would be two basic options:

1-add the missing subnet to both tunnels (proxy-id pairs) so that traffic will be accepted by the tunnels and forwarded through both. This requries changes to all three VPN setups.

2-NAT the traffic between B and C. On the side where the sesssion is initiated NAT the destination to an available address at site A. On site A NAT this address back to the original for the site and forward it on to the existing tunnel.