Log in

Sangfor Support Center

Table of Contents
< All Topics
Print

[AF] One of Local AF and Juniper firewall connection failed

Posted
Updated
Byadmin
Views2

Problem Description

After AF and Juniper Local are connected to IPSec VPN, multiple intranet segments are released Network Segment use VPN channels, and only one IPSec VPN connection can be established for one intranet Network Segment.

Root cause

Local adding inside-to-outside and outside-to-inside policies to the Juniper firewall, multiple intranet Network Segment written into one policy. You can write a single Network Segment into one policy.

solution

  1. First, configure sangfor's IPSec VPN in the normal way (the lifetime, key, and authentication and Authentication algorithm must be consistent on both ends).

  2. Start the juniper ipsec vpn configuration:

  3. Basic Configuration

    WeChat image_20190327105053.png (152.84 KB)

  4. Click Advanced, Authentication the key, authentication and encryption type pre-g2-3des-sha, and the corresponding sha1 Authentication algorithm and 3des encryption algorithm on sangfor (you can test several more):

    WeChat image_20190327105033.png (207.6 KB)

  5. AutoKey IKE Phase 2:

    WeChat image_20190327105100.png (177.13 KB)

    WeChat image_20190327105106.png (176.28 KB)

  6. Add Policies Network Segment for the intranet segments at both ends:
    Trust-untrust Policies Layer 3

    WeChat image_20190327105112.png (186.66 KB)
    Untrust-Trust Policies:

    WeChat image_20190327105125.png (453.66 KB)
    In Advanced, apply the policy to the added tunnel AutoKey IKE policy:

    WeChat image_20190327105132.png (179.64 KB)
    Finally, add the effect:

    2205c9e337f0e5e2.png (134.57 KB)

Suggestions and Conclusion

Note:
To configure the trust-untrust and untrust-trust policies of Juniper, add the intranet Network Segment both ends one by one, as shown in the figure (there are also multiple segments configured in one Policies below, which are the connection between Juniper and Juniper and Hillstone. They support this configuration method, so it is normal. ):

WeChat image_20190327105112.png (186.66 KB)

Original Link

https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=663&isOpen=true