Screen OS

  • 1.  About new VPN client problem

    Posted 10-15-2008 22:21

    In the case of the new VPN client A: at his home he can log in to the VPN, but cannot access the organization's internal network.

    Some clients at home can log in to the VPN and access the internal network.

    Client A's settings are the same as the other clients that can access it.

    The questions are:

    Does client A at home need to set something?

    Has client A not finished the settings yet?

    I have set the following in the WebUI:

    Objects > Users > Local

    VPNs > AutoKey Advanced > Gateways

    VPNs > AutoKey IKE

    Policies

    I hope someone can help me solve the problem. Thank you!



  • 2.  RE: About new VPN client problem

    Posted 10-15-2008 23:38

    Hi,

    Have you configured NAT-Traversal on the VPN?

    Edit the phase 1 configuration:

    VPNs > AutoKey Advanced > Gateway

    Then go into the advanced section of phase 1 and check the box for NAT-Traversal.

    Regards

    Andy



  • 3.  RE: About new VPN client problem

    Posted 10-16-2008 02:10

    Re: AndyC

    Thank you for your help. The other users who can use the internal network did not set this one, but I will try it.

    Is there another place to set up the NAT?

    If I do not set up the gateway in "Network > DHCP > Interface: bgroup0 > DHCP Server", can the user go to the internal network?

    Do I need to set the routing protocol (static route) to route to the user's public IP?



  • 4.  RE: About new VPN client problem

    Posted 10-16-2008 01:47

    Overlapping IP subnets maybe? (home and office in the same subnet, or overlapping)

    G's Dennis



  • 5.  RE: About new VPN client problem

    Posted 10-16-2008 01:51

    Home address is 192.168.11.0/24

    Office address is 192.168.200.0/24



  • 6.  RE: About new VPN client problem
    Best Answer

    Posted 10-16-2008 02:01

    So it appears that the IPs are not overlapping, and I assume the NAT-T setting didn't help you out.

    Maybe we can verify whether the traffic arrives on the firewall. Could you collect some debug output?

    Use these commands:

    clear db

    set ffilter src-ip <clients sourceip>

    debug flow basic

    --- have the client generate some traffic by using ping for example ---

    get dbuf stream <- copy the output so it can be analysed later

    undebug all

    G's Dennis

    Message Edited by dennish on 10-16-2008 11:01 AM


  • 7.  RE: About new VPN client problem

    Posted 10-16-2008 02:29

    Re: dennish

    Thank you for your reply.

    I used the WebUI to set up the VPN; I did not use HyperTerminal to set it up, and the firewall is in another place, so I cannot use the commands.

    I can only use the ping command. In the old place (using VPN client A to log in) I can ping the firewall and the internal network, but in the new place (using VPN client A to log in) I cannot ping the firewall or the internal network. I use the same user account and policy file.



  • 8.  RE: About new VPN client problem

    Posted 10-16-2008 06:42

    Hi William_,

    Reading the thread, I haven't seen if you've turned on NAT-T on the firewall policy? It's on by default on the client, but may need to be turned on via the firewall itself too.

    Historically, we saw this issue a lot with NS-remote and home routers which had IPsec awareness built in. They shifted the source port of the VPN, breaking IPsec (unless NAT-T is active).

    Regards,

    A.



  • 9.  RE: About new VPN client problem

    Posted 04-15-2009 08:55

    The NAT fixed it for me!!

    Great info. Thanks



  • 10.  RE: About new VPN client problem

    Posted 10-16-2008 19:57

    Re: Arkus

    Thank you for your reply.

    I have a new question: do I need to add the VPN user's home public address under "Objects > Addresses > List"?



  • 11.  RE: About new VPN client problem

    Posted 10-17-2008 01:14

    Hi William_,

    The client should be making a dynamic VPN connection to the firewall, so you should be using ike-id for the authentication (i.e., email address), not IP address (unless you are trying a bi-directional VPN via the client). The home IP address does not need to be added under a dynamic VPN.

    The NAT-T setting is under the phase 1 of the IPsec tunnel:

    SSG550-> set ike gate arkus-p1 nat-traversal

    Regards,

    A
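The two checks the thread works through (overlapping subnets in posts 4 and 5, and a home router rewriting the IKE source port so that NAT-T is required, in posts 8 and 11) as an added Python pre-flight checker; this is example code, not from the forum or from Juniper, and the client/public addresses, port and session fields are constructed assumptions.

```python
"""Pre-flight checks for a ScreenOS dial-up VPN client, following the thread's
diagnosis: overlapping LANs, and a NAT device between client and firewall
without NAT-Traversal enabled on the phase 1 gateway. Added example; inputs are
constructed, the ScreenOS command string is the one quoted in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List

IKE_PORT = 500  # ISAKMP source port the client sends from; a NAT may rewrite it


@dataclass
class ClientSession:
    home_subnet: str      # LAN the client sits on, e.g. 192.168.11.0/24
    office_subnet: str    # LAN reached through the tunnel, e.g. 192.168.200.0/24
    client_ip: str        # address the client sees on its own interface
    seen_src_ip: str      # source address of the first IKE packet at the firewall
    seen_src_port: int    # source port of that packet as the firewall sees it
    nat_t_enabled: bool   # phase 1 gateway has nat-traversal set


def subnets_overlap(a: str, b: str) -> bool:
    """True when the home and office LANs share any addresses (post 4's question)."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def behind_nat(s: ClientSession) -> bool:
    """A rewritten source address or a shifted source port (post 8) means a NAT
    device sits between the client and the firewall."""
    return s.client_ip != s.seen_src_ip or s.seen_src_port != IKE_PORT


def diagnose(s: ClientSession) -> List[str]:
    """Return the findings a helper would raise for this client session."""
    findings = []
    if subnets_overlap(s.home_subnet, s.office_subnet):
        findings.append("overlapping subnets: office traffic will not enter the tunnel")
    if behind_nat(s) and not s.nat_t_enabled:
        findings.append("client behind NAT and NAT-T off: run "
                        "'set ike gate <gateway> nat-traversal' on phase 1")
    return findings


if __name__ == "__main__":
    # Constructed session matching the thread: non-overlapping LANs, client behind
    # a home router (public address 203.0.113.7 is a documentation-range placeholder).
    session = ClientSession("192.168.11.0/24", "192.168.200.0/24", "192.168.11.5",
                            "203.0.113.7", 1025, nat_t_enabled=False)
    for finding in diagnose(session):
        print(finding)
```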