Juniper VPN Site-Site

VrsTurbo (Premium Member), 20th Jan 12 at 20:28

Dunno if anyone can help.
I have one site at the moment and need to move all backup servers to a new site, but they need to be on the same subnet. I have 2 Juniper SSG5 firewalls at each site. I can't get the routing figured out.

So for example -


Site 1
10.0.0.1 - Public
Private - 192.168.201.0/24
Allocated IPs 192.168.201.150-254


Site 2
10.0.0.2 - Public
Private - 192.168.201.0/24
Allocated IPs 192.168.201.1-149

The VPN is up but I can't ping each site. I have a computer at site 2 (192.168.201.27) trying to ping 192.168.201.254 and it fails. Can anyone help?!

John (Member), 20th Jan 12 at 20:31

You'll have to put a route in somewhere, I think; it'll never try outside of the network at site 2.

Steve (Premium Member), 20th Jan 12 at 20:34

Firewalls not blocking ping requests?

VrsTurbo (Premium Member), 20th Jan 12 at 20:36

Nope, ping requests are allowed on all interfaces.

VrsTurbo (Premium Member), 20th Jan 12 at 20:39

Has to be a routing issue, as John said. If I do a traceroute to 8.8.8.8 from a site it works, but to 192.168.201.0/24 at either site it won't even get past the firewall.

John (Member), 20th Jan 12 at 22:03

It wouldn't go past the firewall because it can get to anything on that subnet internally; it won't try externally, otherwise how would you distinguish between .100 at site 1 and .100 at site 2? Can you put a static route on each firewall for that half of the subnet to route to the other site?

VrsTurbo (Premium Member), 20th Jan 12 at 22:18

Just annoying, as it seems such a simple thing: a VPN between 2 sites that is really just a LAN extension!

John (Member), 20th Jan 12 at 22:46

It's not working for exactly the reason you should never set an office up as 192.168.0.1, 1.1 etc.: when anyone tries to VPN in from home you get this exact issue.

VrsTurbo (Premium Member), 20th Jan 12 at 23:08

Fuck it, I'm going to change the IP address schema tomorrow; can't be bothered arseing around with these shitty firewalls! So much easier with a WatchGuard!

Dom (Member), 20th Jan 12 at 23:16

Get on the Servers subforum on OCuk, as there are about 5 users (bigredshark is one of them) that work with Juniper day-in-day-out in DCs and have always been helpful with any queries I've had. Alternatively jump on the J-NET forums.

willay (Moderator, Premium Member), 20th Jan 12 at 23:46

Why do they have to be on the same subnet?

It would make more sense to use another subnet so you can identify hosts geographical location right away.

i.e.

Site 1

10.10.1.0/24

Site 2

10.10.2.0/24

If the firewalls are the default router for the hosts on their private interface(s), then that will sort out the routing.

It all depends on your application really. As far as I am concerned, if hosts on both sides are using a /24 netmask they will just do an ARP to find the host on the local network, unless you can configure the VPN gateways to forward broadcast frames??

It just makes a lot more sense to use different subnets to split the network up and make things a lot more logical.
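The two suggestions in this thread (John's static route on each firewall for the other site's half of the /24, and willay's separate /24 per site with the firewalls as default gateways) come down to longest-prefix-match routing and what a host does when the destination falls inside its own connected subnet. The following is an added example, not code or configuration from the original thread or from Juniper; it is a small forwarding simulator written to reproduce both cases. Every address, host and interface name, LAN segment name and the 10.255.0.0/30 tunnel link between the firewalls is an assumption made for illustration and is not taken from the poster's real SSG5 setup.

```python
"""Added example (not from the original thread or any Juniper config).

A toy longest-prefix-match forwarding model that reproduces the thread:
with 192.168.201.0/24 at both sites the host never hands the packet to its
firewall, even if the firewalls carry /25 routes for each half, because the
host's own connected /24 already covers the destination and it ARPs locally.
Renumbering to one /24 per site sends the packet to the default gateway and
the tunnel route does the rest.

All addresses, interface names, segment names and the 10.255.0.0/30 tunnel
link are assumptions for illustration, not the poster's SSG5 configuration.
"""
from ipaddress import ip_address, ip_interface, ip_network


class Node:
    """A host or firewall: interfaces (address/prefix on a named LAN segment)
    plus static routes of (network, next-hop gateway)."""

    def __init__(self, name, ifaces, routes=()):
        self.name = name
        self.ifaces = {n: (ip_interface(a), seg) for n, (a, seg) in ifaces.items()}
        self.routes = [(ip_network(n), ip_address(gw)) for n, gw in routes]

    def addresses(self):
        return {iface.ip for iface, _ in self.ifaces.values()}

    def lookup(self, dst):
        """Longest prefix wins. A connected subnet beats a static route of the
        same length; a longer static route (a /25 over a connected /24) beats
        the connected subnet, which is what John's suggestion relies on.
        Returns (prefixlen, segment, next_hop) or None."""
        dst = ip_address(dst)
        best = None
        for iface, seg in self.ifaces.values():
            if dst in iface.network and (best is None or iface.network.prefixlen > best[0]):
                best = (iface.network.prefixlen, seg, dst)  # on-link: ARP for dst itself
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                seg = next((s for i, s in self.ifaces.values() if gw in i.network), None)
                best = (net.prefixlen, seg, gw)
        return best


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet hop by hop: route lookup, then 'ARP' on the chosen
    segment for the next hop. If nobody on that segment owns the address the
    packet dies there, which is the failure mode of a subnet stretched across
    two sites. Returns (list of node names visited, verdict)."""
    dst = ip_address(dst)
    cur = next(n for n in nodes if n.name == src)
    path = [cur.name]
    for _ in range(max_hops):
        if dst in cur.addresses():
            return path, "delivered"
        hit = cur.lookup(dst)
        if hit is None:
            return path, f"{cur.name}: no route to {dst}"
        _, seg, nh = hit
        nxt = next((n for n in nodes if n is not cur and
                    any(s == seg and i.ip == nh for i, s in n.ifaces.values())), None)
        if nxt is None:
            return path, f"{cur.name}: ARP for {nh} on {seg} unanswered"
        cur = nxt
        path.append(cur.name)
    return path, "hop limit exceeded"


VPN = "vpn-tunnel"  # assumed point-to-point link between the firewalls, 10.255.0.0/30


def same_subnet_topology():
    """The thread's original layout: one /24 split by allocation range, with
    John's suggested /25 static routes on each firewall (addresses assumed)."""
    return [
        Node("HOST2", {"eth0": ("192.168.201.27/24", "site2-lan")},
             routes=[("0.0.0.0/0", "192.168.201.1")]),
        Node("FW2", {"trust": ("192.168.201.1/24", "site2-lan"),
                     "tunnel.1": ("10.255.0.2/30", VPN)},
             routes=[("192.168.201.128/25", "10.255.0.1")]),
        Node("FW1", {"trust": ("192.168.201.254/24", "site1-lan"),
                     "tunnel.1": ("10.255.0.1/30", VPN)},
             routes=[("192.168.201.0/25", "10.255.0.2")]),
    ]


def split_subnet_topology():
    """willay's layout: a distinct /24 per site, firewalls as default gateways,
    one route per remote subnet over the tunnel (addresses assumed)."""
    return [
        Node("HOST2", {"eth0": ("10.10.2.27/24", "site2-lan")},
             routes=[("0.0.0.0/0", "10.10.2.1")]),
        Node("FW2", {"trust": ("10.10.2.1/24", "site2-lan"),
                     "tunnel.1": ("10.255.0.2/30", VPN)},
             routes=[("10.10.1.0/24", "10.255.0.1")]),
        Node("FW1", {"trust": ("10.10.1.254/24", "site1-lan"),
                     "tunnel.1": ("10.255.0.1/30", VPN)},
             routes=[("10.10.2.0/24", "10.255.0.2")]),
    ]


if __name__ == "__main__":
    same = same_subnet_topology()
    print(trace(same, "HOST2", "192.168.201.254"))  # dies on the host: ARP unanswered
    print(trace(same, "FW2", "192.168.201.254"))    # the /25 route works, but FW2 never sees the packet
    split = split_subnet_topology()
    print(trace(split, "HOST2", "10.10.1.254"))     # HOST2 -> FW2 -> FW1, delivered
```

The second trace is the interesting one: with the /25 routes in place the firewall would forward the ping correctly, but the host's own connected /24 is the longest match it has, so it ARPs for 192.168.201.254 on the site 2 LAN and never sends the packet to the firewall at all. That is why the /25 static routes alone cannot fix it, and why a /24 per site worked in two minutes.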

VrsTurbo (Premium Member), 21st Jan 12 at 06:31

What they have at the moment is 2 racks in 1 location.

SQL servers (HA), web servers (HA).

It needs to be 99% uptime. As they are moving location, one rack gets done first, then the second.

VrsTurbo (Premium Member), 21st Jan 12 at 07:06

Well, it took 2 mins with a different subnet. Just need to configure the servers for a different subnet when they get here.