Any Juniper people in here? I need some SSG5 help

Nate7311

I have a client with an existing site-to-site VPN using a pair of SSG5s, one in their local office and the other in a datacenter in Chicago protecting a few servers. What I need to do now is add another VPN leg from the Main office to a new bidding office in another city. The problem stems from the fact that this new office is currently on a dynamic IP Cable service and so the VPN has to be Dynamic to the home office. How do I protect traffic from the remote office through the main office to the Datacenter? Done a bit of reading and see the NHTB feature, but I've found that if the dynamic tunnel goes offline, traffic between subnets on the original tunnel stops, and that won't fly.

Any ideas on where to look?

 
You're going to have a hell of a time with hardware VPN without a static address.
 
Juniper firewall appliances can do dynamic VPN just fine. Couple things to keep in mind. You will lose connectivity anytime the remote ISP forces an IP change. The Juniper devices will auto-reconnect. Also, it will make things MUCH easier if you make sure the remote office has a different private IP scope from the other two sites. You can find the dynamic how-to on the Juniper support site. You should be able to connect the remote to the main and route the remote traffic on to the data center.
 
What do you mean when you say protect traffic? What traffic?

I have done tons of sites with 1 static and 1 dynamic side. But VPN I always say is trusted.

So I see you figured out how to reset em :)
 
And I would be doing datacenter to site a, datacenter to site b, site a to site b.
 
Right, the triangle configuration is what I'm assuming I'll have to go with at this point. The problem is that I don't have access to the SSG5 in the datacenter, only they have access.

I've already got the Dynamic side cooking to the Main Office and passing traffic perfectly. It's the routing of trusted traffic from the Remote through the Main Office to the Datacenter that's got me stumped. I've got a call with the Datacenter NOC guys this afternoon, and if I have to go the triangle route, then so be it.
 