Verifying Hub-and-Spoke VPN Configuration
This topic includes the following sections:
- Verifying Configuration of the Hub (Device in Corporate Office)
- Verifying Configuration of the Spoke (Device in Westford Office)
Verifying Configuration of the Hub (Device in Corporate Office)
Use the show configuration command to verify the configuration.
```
system {
    host-name CORPORATE;
    root-authentication {
        encrypted-password "$1$0wc5IQiB$MTQlktoQ9/nRF10Gntin./"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 1.1.1.2/30;
            }
        }
    }
    st0 {
        unit 0 {
            multipoint;
            family inet {
                next-hop-tunnel 10.11.11.11 ipsec-vpn sunnyvale-vpn;
                address 10.11.11.10/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
        route 192.168.168.0/24 next-hop 10.11.11.11;
        route 192.168.178.0/24 next-hop 10.11.11.12;
    }
}
security {
    ike {
        traceoptions {
            flag policy-manager;
            flag ike;
            flag routing-socket;
            flag general;
        }
        policy ike-policy1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$LrN7w2mPQF/t24jqmfn6rev"; ## SECRET-DATA
        }
        gateway sunnyvale-gate {
            ike-policy ike-policy1;
            address 2.2.2.2;
            external-interface ge-0/0/3.0;
        }
        gateway westford-gate {
            ike-policy ike-policy1;
            address 3.3.3.2;
            external-interface ge-0/0/3.0;
        }
    }
    ipsec {
        policy vpn-policy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn sunnyvale-vpn {
            bind-interface st0.0;
            ike {
                gateway sunnyvale-gate;
                ipsec-policy vpn-policy1;
            }
        }
        vpn westford-vpn {
            bind-interface st0.0;
            ike {
                gateway westford-gate;
                ipsec-policy vpn-policy1;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address local-net 10.10.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone vpn {
            address-book {
                address sunnyvale-net 192.168.168.0/24;
                address westford-net 192.168.178.0/24;
            }
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy any-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        from-zone trust to-zone vpn {
            policy local-to-spokes {
                match {
                    source-address local-net;
                    destination-address [ sunnyvale-net westford-net ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy spokes-to-local {
                match {
                    source-address [ sunnyvale-net westford-net ];
                    destination-address local-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy spoke-to-spoke {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}
```
Note: In the preceding sample of output from the show configuration command, the traceoptions stanza under security ike is present for troubleshooting purposes.
Tip: Delete or deactivate the traceoptions after you complete troubleshooting.
Verifying Configuration of the Spoke (Device in Westford Office)
Use the show configuration command to verify the configuration.
```
system {
    host-name Westford;
    root-authentication {
        encrypted-password "$1$Qk3dVh9X$d3KOf3dhR6uQKhi8FWU.P0"; ## SECRET-DATA
    }
    services {
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 3.3.3.2/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.178.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.11.11.12/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
        route 10.10.10.0/24 next-hop 10.11.11.10;
        route 192.168.168.0/24 next-hop 10.11.11.10;
    }
}
security {
    ike {
        traceoptions {
            flag policy-manager;
            flag ike;
            flag routing-socket;
            flag general;
        }
        policy ike-policy1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$VNsaGF39A0IGDPQFnpu8X7"; ## SECRET-DATA
        }
        gateway corp-gate {
            ike-policy ike-policy1;
            address 1.1.1.2;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy vpn-policy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn corp-vpn {
            bind-interface st0.0;
            ike {
                gateway corp-gate;
                ipsec-policy vpn-policy1;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address local-net 192.168.178.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            address-book {
                address corp-net 10.10.10.0/24;
                address sunnyvale-net 192.168.168.0/24;
            }
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy any-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        from-zone vpn to-zone trust {
            policy from-corp {
                match {
                    source-address [ corp-net sunnyvale-net ];
                    destination-address local-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy to-corp {
                match {
                    source-address local-net;
                    destination-address [ corp-net sunnyvale-net ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}
```
Note: In the preceding sample of output from the show configuration command, the traceoptions stanza under security ike is present for troubleshooting purposes.
Tip: Delete or deactivate the traceoptions after you complete troubleshooting.
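The hub and spoke outputs above are easiest to verify against each other mechanically. The following Python is an added example, not Juniper code and not part of this page: it parses Junos curly-brace output (including the ## SECRET-DATA annotations), checks that each IKE gateway's peer address is the address bound to the other device's external-interface, and reports whether the traceoptions stanza the tip says to remove is still configured. HUB and SPOKE are constructed excerpts of the CORPORATE and Westford configurations shown above.

```python
import re

def parse_junos(text):
    """Parse Junos curly-brace output into nested dicts (container -> dict, leaf -> None)."""
    text = re.sub(r"##[^\n]*", "", text)  # drop '## SECRET-DATA' annotations before tokenising
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {})); words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][" ".join(words)] = None; words = []
        else:
            words.append(tok)
    return stack[0]

def find(node, prefix):  # (remaining words, child) of the first statement headed by prefix
    for key, child in node.items():
        if key == prefix or key.startswith(prefix + " "):
            return key[len(prefix):].strip(), child
    return None, None

def walk(tree, *path):  # descend through container headers, e.g. 'security', 'ike', 'gateway corp-gate'
    for step in path:
        tree = find(tree, step)[1] if tree is not None else None
    return tree

def iface_ip(tree, ifl):  # 'ge-0/0/3.0' -> '1.1.1.2', taken from the inet address on that unit
    ifd, unit = ifl.split(".")
    return find(walk(tree, "interfaces", ifd, "unit " + unit, "family inet"), "address")[0].split("/")[0]

def check_gateway_pair(a, a_gw, b, b_gw):
    """Each side's IKE gateway 'address' must be the IP bound to the peer's 'external-interface'."""
    findings = []
    for local, lgw, remote, rgw in ((a, a_gw, b, b_gw), (b, b_gw, a, a_gw)):
        peer = find(walk(local, "security", "ike", "gateway " + lgw), "address")[0]
        ext = find(walk(remote, "security", "ike", "gateway " + rgw), "external-interface")[0]
        if peer != iface_ip(remote, ext):
            findings.append(f"{lgw} points at {peer}, but {rgw} listens on {iface_ip(remote, ext)} ({ext})")
    return findings

def traceoptions_present(tree):  # True while 'security ike traceoptions' is still configured
    return walk(tree, "security", "ike", "traceoptions") is not None
# Constructed excerpts modelled on the page's CORPORATE and Westford configs, not real device output.
HUB = """interfaces { ge-0/0/3 { unit 0 { family inet { address 1.1.1.2/30; } } } }
security { ike { traceoptions { flag ike; } gateway westford-gate { address 3.3.3.2; external-interface ge-0/0/3.0; } } }"""
SPOKE = """interfaces { ge-0/0/0 { unit 0 { family inet { address 3.3.3.2/30; } } } }
security { ike { policy ike-policy1 { pre-shared-key ascii-text "$9$placeholder"; ## SECRET-DATA
} gateway corp-gate { ike-policy ike-policy1; address 1.1.1.2; external-interface ge-0/0/0.0; } } }"""
```

Feed the full show configuration output of both devices to parse_junos and call check_gateway_pair with the hub's westford-gate and the spoke's corp-gate; an empty list means the peer addresses line up in both directions.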