VPN with MIP

  • One of our customers has a request to do a MIP on the tunnel, meaning he doesn’t want the remote network to be aware of the server’s real IP.

    Remote VPN :
    Local ID >
    Remote ID >

    Local VPN :
    Local ID > (with a MIP > to
    Remote ID >

    Is that possible??

  • Let’s go back to one of the first posts. I saw MIP(something) in policies for both directions. That’s incorrect, I’m afraid. You always define the MIP on the outward-facing interface. Then you just define src to any from inside to outside, and from src (or any) to MIP(something) from outside to inside.

  • Add a static route in the untrust VR with nexthop trust-vr, that should work.

  • Actually I’ve done that…

    Now it seems that the local LAN can access the remote LAN, but not the remote LAN to the local LAN…

    And I’m suspecting it’s the route that is causing this (because I’m using trust-vr and untrust-vr), and I think that causes the complexity… I can stick to one VR, because it has been running for quite some time…

    Can you just let me know what the correct route should be?

    numbered tunnel if (untrust zone)
    MIP on this interface

  • I’m sorry to drop in, but this isn’t looking good. You’re filtering on as a source, but the debug says it’s used as the nexthop on a destination…

    NHTB, BTW, stands for next hop tunnel binding, the way to deal with multiple VPNs on a single tunnel interface.

    If I understand your question, you want to NAT in the tunnel. Easy way to do this:

    Use a numbered tunnel interface.
    Define a MIP on this interface.
    Use this MIP as the destination in your policy.

  • One of the messages is “## 2007-10-29 15:07:41 : NHTB entry search not found: vpn none tif tunnel.1 nexthop”

    when I’m debugging with “set ff src-ip dst-ip”…

    What does that mean?

  • Sounds like it’s time to figure out what’s happening with the packets… the debug should give you some information. One thing it could be is if the other side does not have a route back to your presented network.

    set ff src-ip dst-ip
    set ff src-ip dst-ip
    set ff src-ip dst-ip
    clear db
    debug flow basic
    — send some packets —
    undebug all
    get db stream

    Should give you some clues as to what’s happening.

  • The tunnel is up… meaning the proxy ID is the same…

  • Does the other side of the VPN have a matching proxy ID set?

  • I’ve added the route, but it doesn’t seem to work…

    The tunnel is up… but nothing is shown on the policy (meaning no traffic)…

    set vrouter untrust-vr
    set route interface tunnel.2 gateway x.x.x.x preference 20 permanent
    set vrouter trust-vr
    set route vrouter untrust-vr

  • You need it… it’s just whether or not you need to add the gateway. With a single VPN on the tunnel interface you don’t need to specify the gateway, but it doesn’t hurt.

  • Meaning I need to have the tunnel.2 route, or no need?

  • You bet, if that’s your only VPN on tunnel.2 then it will work just fine.

  • Thanks for the sample config…

    But I’m just wondering about the route to the LAN, shouldn’t it be a route to tunnel.2??

  • Here’s an example based off of your code sample… this config will set up a route-based VPN between your firewall and the x.x.x.x gateway. The VPN is set up with proxy-IDs (tunnel policy) that allow (your virtual address) to ; it’s then limited further by firewall policy to the individual hosts. The configuration will map all traffic from your internal host on to the virtual address across the tunnel.

    set zone untrust
    set zone trust
    set zone untrust vrouter untrust-vr
    set interface ethernet1/2 zone untrust
    set interface ethernet1/4 zone trust
    set interface ethernet1/2 ip
    set interface ethernet1/2 route
    set interface ethernet1/4 ip
    set interface ethernet1/4 route
    set interface loopback.1 zone untrust
    set interface loopback.1 ip
    set interface loopback.1 route
    set interface tunnel.2 ip unnumbered interface ethernet1/2
    set ike gateway "VPN-tunnel" address x.x.x.x Main outgoing-interface "ethernet1/2" preshare "secret" proposal "pre-g2-3des-md5"
    set vpn "VPN-tunnel" bind interface tunnel.2
    set vpn "VPN-tunnel" proxy-id local-ip remote-ip "ANY"
    set vrouter untrust-vr
    set route interface tunnel.2 gateway x.x.x.x preference 20 permanent
    set vrouter trust-vr
    set route vrouter untrust-vr
    set interface "tunnel.2" mip host netmask vr "untrust-vr"
    set policy from "trust" to "untrust" "" "" "ANY" permit log
    set policy from "untrust" to "trust" "" "MIP(" "ANY" permit log

    Again, this is just one method that can be used, as I’m sure there are others. Hope this helps… regards.

  • Erm… I don’t quite understand…

    Can you show an example??

  • If you want to use a MIP, it’s necessary. The address used in a MIP must reside in a local network on the firewall… since it’s a virtual address you want to create, you create a virtual interface for it to reside in.

  • Is it necessary to create a loopback IP??

    Can’t I use the existing config without the loopback IP??

  • This can also be done by using a loopback interface… see example below.

    -  Create a loopback interface in the same zone as your tunnel interface

    set interface "loopback.1" zone "Untrust"

    -  Use the network of the addresses you want to present

    set interface loopback.1 ip
    set interface loopback.1 route

    -  Set up the MIP on the tunnel interface, mapping the virtual address to the actual address

    set interface "tunnel.1" mip host netmask

    -  Make sure the policy (Untrust to Trust) allows traffic to the MIP object directly

    set policy id 2 from "Untrust" to "Trust" "RemoteNet" "MIP(" "ANY" permit

    -  Make sure your proxy-IDs are using the virtual network for Local-IP

    set vpn "VPN-1" proxy-id local-ip remote-ip "ANY"
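    A complete worked version of the loopback-plus-MIP approach described in this post and in the fuller sample config earlier in the thread, written as an added example rather than taken from any poster; every address (203.0.113.1/24 outside, peer gateway 203.0.113.10, 10.10.0.0/24 inside, 10.20.0.0/24 remote, 192.0.2.0/24 as the presented virtual network), the names, and the pre-shared key are constructed placeholders.

```text
## Added example (constructed addresses, not from the thread): present internal
## host 10.10.0.10 to the remote site as virtual address 192.0.2.10 over a
## route-based VPN. Outside 203.0.113.1/24, peer gateway 203.0.113.10,
## remote LAN 10.20.0.0/24, presented (virtual) network 192.0.2.0/24.

## Zones and physical interfaces
set zone "untrust" vrouter "untrust-vr"
set interface ethernet1/2 zone "untrust"
set interface ethernet1/2 ip 203.0.113.1/24
set interface ethernet1/2 route
set interface ethernet1/4 zone "trust"
set interface ethernet1/4 ip 10.10.0.1/24
set interface ethernet1/4 route

## Loopback in the tunnel's zone holds the virtual network, so the MIP address is local
set interface loopback.1 zone "untrust"
set interface loopback.1 ip 192.0.2.1/24
set interface loopback.1 route

## Tunnel interface, unnumbered off the outside interface
set interface tunnel.2 zone "untrust"
set interface tunnel.2 ip unnumbered interface ethernet1/2

## IKE gateway and VPN; the proxy-ID carries the VIRTUAL network as local-ip
set ike gateway "VPN-tunnel" address 203.0.113.10 Main outgoing-interface "ethernet1/2" preshare "secret" proposal "pre-g2-3des-md5"
set vpn "VPN-tunnel" gateway "VPN-tunnel" proposal "g2-esp-3des-md5"
set vpn "VPN-tunnel" bind interface tunnel.2
set vpn "VPN-tunnel" proxy-id local-ip 192.0.2.0/24 remote-ip 10.20.0.0/24 "ANY"

## Routing: remote LAN via tunnel.2 in untrust-vr; trust-vr forwards to untrust-vr
set vrouter "untrust-vr"
set route 10.20.0.0/24 interface tunnel.2 gateway 203.0.113.10 preference 20 permanent
exit
set vrouter "trust-vr"
set route 10.20.0.0/24 vrouter "untrust-vr"
exit

## MIP on the tunnel interface: virtual 192.0.2.10 <-> real 10.10.0.10
## (the vr argument follows the thread's own sample config)
set interface "tunnel.2" mip 192.0.2.10 host 10.10.0.10 netmask 255.255.255.255 vr "untrust-vr"

## Policies: inbound traffic is permitted to the MIP object, never to the real host
set address "trust" "AppServer" 10.10.0.10 255.255.255.255
set address "untrust" "RemoteNet" 10.20.0.0 255.255.255.0
set policy from "trust" to "untrust" "AppServer" "RemoteNet" "ANY" permit log
set policy from "untrust" to "trust" "RemoteNet" "MIP(192.0.2.10)" "ANY" permit log

## The peer must route 192.0.2.0/24 into its tunnel; a missing return route
## gives exactly the one-way traffic seen in this thread.
```

    Because the MIP is bidirectional, outbound packets from 10.10.0.10 leave the tunnel sourced from 192.0.2.10, so the remote side only ever learns the virtual address.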

  • Since you’ve got a similar config, do you mind sharing??

    I can’t test now, because everyone is not in the office yet…

    I just want to make sure the config is okay… and I can troubleshoot other things…