ISG 2000 User's Guide
18
IPSec VPN
5. Set a route to the remote peer's network through tunnel.1, and also set a null route
to the same network with a less preferable (higher) metric. While tunnel.1 is up, its
route has the lower metric and carries the traffic. If tunnel.1 goes down, the route
bound to it becomes inactive and the ISG 2000 falls back to the null route, which sends
traffic for the remote peer to the null interface and drops it. Without the null route,
the only remaining match would be the default route, and the ISG 2000 would forward the
peer-bound traffic unencrypted out ethernet1/1. The null route prevents that leak.
set vrouter trust-vr route 10.2.2.0/24 interface tunnel.1
set vrouter trust-vr route 10.2.2.0/24 interface null metric 10
6. Create a pair of policies permitting traffic to flow bidirectionally between the
two sites.
set policy id 8 top from untrust to trust peer1 local any permit
set policy id 9 top from trust to untrust local peer1 any permit
save

Remote Peer

After the administrator at the remote site sets up the NetScreen-5GT, he can then
enter the following commands to configure that end of the VPN tunnel:
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface untrust
set address trust local 10.2.2.0/24
set address untrust peer1 10.1.1.0/24
set ike gateway gw1 address 1.1.1.1 aggressive local-id peer1@jnpr.net outgoing-interface untrust preshare Iwb715iSF sec-level compatible
set vpn vpn1 gateway gw1 tunnel sec-level compatible
set vpn vpn1 bind interface tunnel.1
set vpn vpn1 proxy-id local-ip 10.2.2.0/24 remote-ip 10.1.1.0/24 any
set vrouter trust-vr route 0.0.0.0/0 interface untrust
set vrouter trust-vr route 10.1.1.0/24 interface tunnel.1
set vrouter trust-vr route 10.1.1.0/24 interface null metric 10
set policy id 1 top from untrust to trust peer1 local any permit
set policy id 2 top from trust to untrust local peer1 any permit
save
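The fail-closed routing behaviour that step 5 relies on, and that the remote peer repeats for its own side of the tunnel, can be checked outside the box. The following is an added example, not code from the ISG 2000 User's Guide or from ScreenOS: it models a vrouter table as a list of static routes and a lookup that, like a real forwarding plane, skips routes whose interface is down, picks the longest matching prefix and breaks ties on the lowest metric. It then shows where a packet for the peer's network goes with the tunnel up, with the tunnel down and the null route present, and with the tunnel down and the null route missing, and it includes a small audit that flags any VPN prefix lacking a null backstop. The metric of 1 on the tunnel route, the default route pointing out ethernet1/1 on the ISG 2000 (and out untrust on the NetScreen-5GT), and the route, lookup and audit function names are assumptions of this example; the prefixes and interface names come from the configuration above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # destination, e.g. "10.2.2.0/24"
    interface: str   # egress interface; "null" discards traffic
    metric: int = 1  # lower is preferred; 1 for the tunnel route is an assumption

    @property
    def network(self):
        return ip_network(self.prefix)


def lookup(table, dst, link_up):
    """Return the route a packet to `dst` would take, or None.

    link_up maps interface name -> bool. A route over a down interface is
    inactive and ignored, which is what lets the default route win when the
    tunnel drops. The null interface is always considered up.
    """
    addr = ip_address(dst)
    candidates = [
        r for r in table
        if addr in r.network
        and (r.interface == "null" or link_up.get(r.interface, False))
    ]
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def egress(table, dst, link_up):
    """Name of the interface a packet to `dst` leaves on ('unroutable' if none)."""
    r = lookup(table, dst, link_up)
    return r.interface if r else "unroutable"


def missing_backstops(table, vpn_prefixes):
    """Audit: every VPN prefix needs a tunnel route AND a null route whose
    metric is higher (less preferred) than the tunnel route's. Returns the
    prefixes that fail this check, i.e. would leak via the default route."""
    bad = []
    for p in vpn_prefixes:
        net = ip_network(p)
        tunnel = [r for r in table
                  if r.network == net and r.interface.startswith("tunnel.")]
        nulls = [r for r in table if r.network == net and r.interface == "null"]
        ok = bool(tunnel) and any(n.metric > t.metric for n in nulls for t in tunnel)
        if not ok:
            bad.append(p)
    return bad


# ISG 2000 trust-vr as configured in steps 5 and 6 (constructed from the text;
# the default route out ethernet1/1 is assumed from the warning in step 5).
ISG_TABLE = [
    Route("0.0.0.0/0", "ethernet1/1"),
    Route("10.2.2.0/24", "tunnel.1"),
    Route("10.2.2.0/24", "null", metric=10),
]

# The same table with the null backstop left out.
ISG_TABLE_NO_NULL = [r for r in ISG_TABLE if r.interface != "null"]

# NetScreen-5GT trust-vr: its VPN prefix is 10.1.1.0/24, the remote-ip of its proxy-id.
PEER_TABLE = [
    Route("0.0.0.0/0", "untrust"),
    Route("10.1.1.0/24", "tunnel.1"),
    Route("10.1.1.0/24", "null", metric=10),
]


if __name__ == "__main__":
    up = {"ethernet1/1": True, "tunnel.1": True}
    down = {"ethernet1/1": True, "tunnel.1": False}
    print("tunnel up        :", egress(ISG_TABLE, "10.2.2.7", up))         # tunnel.1
    print("tunnel down      :", egress(ISG_TABLE, "10.2.2.7", down))       # null
    print("down, no backstop:", egress(ISG_TABLE_NO_NULL, "10.2.2.7", down))  # ethernet1/1
    print("audit ISG        :", missing_backstops(ISG_TABLE, ["10.2.2.0/24"]))
    print("audit ISG no null:", missing_backstops(ISG_TABLE_NO_NULL, ["10.2.2.0/24"]))
    print("audit 5GT        :", missing_backstops(PEER_TABLE, ["10.1.1.0/24"]))
```

The audit deliberately requires the null route's metric to be strictly higher than the tunnel route's: a null route with an equal or lower metric would black-hole the peer's traffic even while the tunnel is up, which is the opposite failure.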
