VPN between headquarters and branches with one internet access

  • hello,

    I want to make a scenario where an SSG cluster is in the headquarters (with UTM bundle) and the branches should be connected via VPN and use the internet access from the headquarters;

    the actual scenario is that all branches use their own internet access and are connected via VPN to the headquarters;
    I don't know how I can send all the traffic from the branches via the VPN to the headquarters and then to the internet;

    when I change the default route, which actually points to the provider, to the VPN tunnel, then the box is no longer reachable from external;

    how can I solve this?
    is there someone who tried this?
    can I work with a static route to the provider for the headquarters?
    if yes, can I then manage my branch from external or only via VPN through the headquarters?


  • This shouldn’t be difficult. Assuming your branch offices are also Juniper NetScreens or SSG, you can just enable VPN monitoring and set two default routes, one pointing out the tunnel interface with lower metric and one pointing to Internet gateway with higher metric. The idea is if the tunnel is down, VPN monitoring will cause the default route to the tunnel interface to also be marked down. So IKE can still succeed. But if the VPN is up then all Internet traffic from the hosts will proceed down the VPN tunnel.

    Now in terms of management, when the tunnel is up then yes, you will need to manage via the tunnel. I personally think that is a good thing since if using web or telnet, this will be secured. But if the tunnel were to go down for whatever reason, once the default route for the tunnel interface is down, then you should be able to reach the Internet facing address.

  • Global Moderator

    In Dual VR you could do it like this:

    untrust zone to untrust-vr.
    Outside interface in untrust zone. Default route in untrust-vr to ISP.
    (Yep, takes some time, zone must be empty before moving to the other)

    Tunnel interface(s) in trust zone ( -> trust-vr), default route in trust-vr to tunnel interface.

    Never tried it, but it should work.

    Another, very simple, solution:

    Enable source-interface-based routing in trust-vr.
    Set a source-interface-based route, routing all traffic from your trust interface to your tunnel interface. The default destination route can point to your ISP in this case.

    Anyway, even with my first solution (host-based route to central gateway, to tunnel) you still can configure inbound services because the route back will come from your session table, not from routing look-up. That's always a big surprise with stateful devices.

    Hope this helps and one solution does the trick for you.


  • Hi,

    If you stick with the single VR approach, I would go with a route-based VPN. You can add a 32-bit route for the hub site firewall IP. This would next-hop via the local ISP router, which should be directly connected. Your default route would then next-hop via the tunnel interface. If you are using numbered tunnel interfaces, you could specify the hub site tunnel interface IP. This would send all traffic via the hub. If you bind them to the same zone, a policy shouldn't be needed.



    ok, a default route in the tunnel - and you mean only to set up a static ‘host route’ to the official IP of the headquarters?

    but in this configuration I cannot reach the branches directly from the internet, right?
    I think this is what I need, but can you provide me some further information about the dual-VR config?

    I would like to try both variants to see - it's always a good choice to have an alternative 😉


  • Global Moderator

    On the branch, set a static route to the outbound address of HQ pointing to the local ISP gateway. Set the default route to the HQ VPN.

    That's all.

    Use a Dual VR config, but that's more difficult.

    Hope this helps.
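The single-VR variant described in this thread (host route for the HQ public address via the ISP, default route into the tunnel, VPN monitoring so a down tunnel falls back to the ISP), written out as an added example of a branch-side ScreenOS configuration; this is not configuration posted by anyone in the thread. Interface names, the RFC 5737 addresses, the VPN/gateway names and the pre-shared key placeholder are assumptions, and the command syntax is reproduced from memory, so check it against the CLI reference of the ScreenOS release in use.

```screenos
# Branch SSG, single trust-vr. Assumed layout: ethernet0/0 = untrust uplink,
# ISP gateway 198.51.100.1; ethernet0/2 = trust LAN; HQ outside address 203.0.113.10.

# Route-based VPN: tunnel interface lives in the trust zone (same zone as the LAN,
# so no policy is required for LAN -> tunnel), unnumbered to the LAN interface
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet0/2

# IKE to the HQ cluster; IKE must leave through the ISP-facing interface
set ike gateway hq-gw address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "REPLACE-ME" sec-level standard
set vpn hq-vpn gateway hq-gw sec-level standard
set vpn hq-vpn bind interface tunnel.1
set vpn hq-vpn proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any

# VPN monitoring: if the tunnel fails, tunnel.1 is marked down and the route
# through it becomes inactive instead of blackholing all branch traffic
set vpn hq-vpn monitor rekey

# Host route: the HQ public address itself must always be reached via the ISP,
# otherwise IKE/ESP to HQ would be routed into the tunnel it is trying to build
set route 203.0.113.10/32 interface ethernet0/0 gateway 198.51.100.1

# Default route via the tunnel (preferred), ISP default as fallback (higher metric)
set route 0.0.0.0/0 interface tunnel.1 metric 10
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1 metric 20
```

With the tunnel up, branch management and all internet traffic transit HQ and its UTM; with the tunnel down, the metric-20 route sends branch traffic straight to the ISP without the HQ UTM inspection, so omit that fallback route if the branch must fail closed rather than open.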