netscreen hub-spoke vpn questions...

atomiser

Hi there,

Fairly sure a few of you guys out there use NetScreens, and I'm hoping you might be able to help me out...

OK, so I'm working with the latest version 5 ScreenOS and I'm creating a hub-and-spoke IPsec VPN using an NS50 as the hub and three NS5GTs as the spokes. I ought to say this is in a lab environment; I'm mucking around basically to get experience on the kit.

Everything is being done inside one virtual router; my tunnel interface is unnumbered, is in the untrust zone and is bound to the untrust interface. I'm using a single tunnel interface on the hub, static routing, and next-hop tunnel binding. I have disabled intrazone blocking on the untrust zone.

On the hub I have created three gateways which correspond to the NS5GTs acting as spokes. I have then created three VPNs which correspond to their respective gateways.

On the hub I've got three static routes for the destination private networks, pointing at the public addresses of the NS5GTs. I also have policies going from trust -> untrust and vice versa allowing any source, any destination, any service, permit, oh and I'm logging too. There are no intrazone policies created as I don't think I need any since intrazone blocking isn't turned on.

On each of the spokes I have created a single gateway pointing back to the hub, and I have created a corresponding VPN. I've created routes for each of the networks pointing back at the hub. I also have matching policies (i.e. any any any from both trust -> untrust and vice versa).

If I initiate communication (simple ping) from the hub out to each of the spokes the VPNs come up. If I initiate communication from the spokes back to the hub the VPNs come up. If I then communicate between hubs (edit: this is supposed to say spokes!!!), all is fine - I can get everywhere.

Now, here's the problem... if all VPNs are down and I initiate communication from one spoke to another spoke it fails. The VPN from the source spoke to the hub is brought up, but the VPN to the destination spoke remains down.

Any ideas?
 
OK, so I think I've fixed it... under the VPN (phase 2) there are some 'monitor' options... one of which is 'rekey'... it seems that this attempts to initiate the connections as soon as the boxes are 'up'... just thought I would post back in case anyone else ever had this issue! :)
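For reference, here is a hub-side ScreenOS configuration sketch matching the setup described in this thread, including the `monitor rekey` fix the poster landed on. It is an added illustration, not the poster's actual config: interface names (ethernet3, tunnel.1), VPN/gateway names, the 203.0.113.x public and 10.x.x.0/24 private addresses and the pre-shared keys are all assumed placeholders, and the spoke-side config is only sketched.

```screenos
## Hub (NS50). Lines starting with ## are annotations, not CLI commands.
## Assumed: ethernet3 = untrust interface, tunnel.1 = the single unnumbered tunnel interface.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
## Intrazone blocking off in untrust, so spoke-to-spoke (untrust -> untrust) traffic needs no intrazone policy.
unset zone untrust block

## One IKE gateway + one AutoKey IKE VPN per spoke, all bound to tunnel.1.
## Placeholder PSKs; use long random keys in anything other than a lab.
set ike gateway gw-spoke1 address 203.0.113.11 main outgoing-interface ethernet3 preshare "PSK-SPOKE1-PLACEHOLDER" sec-level standard
set vpn vpn-spoke1 gateway gw-spoke1 sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
## Next-hop tunnel binding: with a single tunnel interface, the route's next hop selects the VPN.
## The thread uses each spoke's public address as that next hop; any unique IP works as the NHTB key.
set interface tunnel.1 nhtb 203.0.113.11 vpn vpn-spoke1
set route 10.1.1.0/24 interface tunnel.1 gateway 203.0.113.11

set ike gateway gw-spoke2 address 203.0.113.12 main outgoing-interface ethernet3 preshare "PSK-SPOKE2-PLACEHOLDER" sec-level standard
set vpn vpn-spoke2 gateway gw-spoke2 sec-level standard
set vpn vpn-spoke2 bind interface tunnel.1
set interface tunnel.1 nhtb 203.0.113.12 vpn vpn-spoke2
set route 10.1.2.0/24 interface tunnel.1 gateway 203.0.113.12

## (spoke3 follows the same pattern with 203.0.113.13 / 10.1.3.0/24)

## Lab-only wide-open policies, as in the thread; tighten source/destination/service outside a lab.
set policy from trust to untrust any any any permit log
set policy from untrust to trust any any any permit log

## The fix: VPN monitoring with rekey makes the hub bring each tunnel up itself and re-establish it
## after a failure, so a spoke-to-spoke flow no longer depends on the destination spoke's tunnel
## already having been triggered by traffic.
set vpn vpn-spoke1 monitor rekey
set vpn vpn-spoke2 monitor rekey
set vpn vpn-spoke3 monitor rekey

## Spoke (NS5GT) sketch: one gateway/VPN back to the hub, routes for the other private networks via the hub.
## set ike gateway gw-hub address 203.0.113.1 main outgoing-interface untrust preshare "PSK-SPOKE1-PLACEHOLDER" sec-level standard
## set vpn vpn-hub gateway gw-hub sec-level standard
## set vpn vpn-hub bind interface tunnel.1
## set route 10.1.2.0/24 interface tunnel.1
## set route 10.1.3.0/24 interface tunnel.1
## set vpn vpn-hub monitor rekey
```

Check the result with `get sa` (Phase 2 SAs should show as active without first sending traffic) and `get interface tunnel.1` / `get route` to confirm each NHTB entry maps to the intended VPN.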
 