12-30-2008 10:25 AM
This is my first post and I need experts' advice and directions.
-Clients using Netscreen Remote are connecting to NS5GT using Dialup VPN policy. Clients can connect to local workstations and services on this site no problem.
-There is a working tunnel from NS5GT to NS25 in another site with services that the remote clients would like to connect to.
-Is there a way for the remote client to connect to services where NS25 site is located?
12-30-2008 10:37 AM
Yes there is, but you need to use a Route Based VPN for your Dial-up VPN users. Most dial-up VPNs I come across use a Policy Based approach. However, dial-up VPN users are unable to route across to another VPN unless a route-based one is used. This is done by terminating the VPN to a Tunnel interface. You can then add a "dial-up" VPN zone for additional security. This allows you to control traffic via Policy. As an FYI, the VPN Policy type is not used with a Route-based approach. I hope this helps. Let me know if you have any questions.
12-30-2008 12:00 PM
Have a look at the following thread.
12-30-2008 01:35 PM
I would review the link from AndyC. If you still have questions or run into an issue, let me know.
12-30-2008 03:20 PM
I was able to create a route based dial-up successfully as per the link (which was really quite helpful). However, I am unable to ping the remote site or NS25 LAN IP. Here's what I have:
Remote IP Pool 18.104.22.168/24
NS5GT LAN 172.18.7.0/24
NS25 LAN 192.168.110.0/24
-Remote clients connected to NS5GT via route based tunnel.2.
-Tunnel.1 is the tunnel to NS25 LAN
-NS5GT: Created a policy (Untrust Intra-zone policy) from 22.214.171.124/24 to 192.168.110.0/24
-NS25: Created routing 126.96.36.199/24->tunnel.10 (tunnel.10 is the link to tunnel.1)
I am reading the whole thread from the link again as I may have missed something. I am also confused, as in that thread there is another IP which 172....
12-30-2008 03:52 PM
I can now successfully ping from remote client to NS25 LAN. Still working on pinging from NS25 LAN to remote client IP.
Also, I just noticed I can't access the internet from the remote client, even pinging an external IP.
12-30-2008 05:34 PM
The reason you can't access the internet from the remote PC is because all traffic is being tunneled down the VPN including internet traffic, hence the subnet mask of 0.0.0.0/0.
You would need a policy on your firewall that would allow the NSRemote client access out on to the internet. If your tunnel interface for the dial-up VPN is bound to the untrust zone then you would need a policy from untrust to untrust, source 188.8.131.52/24, destination any.
To get access from the NS25 to the remote client via the 5gt you would need to add a policy making sure that the ns25 lan is allowed to talk to the 184.108.40.206 network
Let me know if this helps.
If not, let me know which zone the tunnel interface for the dial-up VPN is in and which zone the tunnel interface for the tunnel to the NS25 is in, and I can give a more detailed description.
12-30-2008 08:22 PM
-NS5GT: I have two policies Untrust-to-Untrust (intra-zone policy), one is from 220.127.116.11/24 to 172.18.7.0/24 and the second is from 18.104.22.168/24 to Any, but I still can't get to the internet from the NSRemote client.
-NS25: I also have a policy Trust-to-Untrust 192.168.110.0/24 to Remote_Sites which includes 172.18.7.0/24 LAN.
-NS25: I also have routing created 22.214.171.124/24 using interface tunnel.10
-NS5GT: tunnel.1 interface is the tunnel to NS25 and is on untrust(trust-vr) zone
-NS5GT: tunnel.2 interface is the remote client tunnel and is on untrust(trust-vr) zone.
12-31-2008 11:38 AM
My NSRemote client internet access is now working. I have read another solution from a previous post to turn on NAT-Src translation in the Untrust intra-zone policy.
Question: Why not route internet access through the client's local internet access instead of going to NS5GT and out? Is this possible?
12-31-2008 11:57 AM
Yes, the subnet you specify in the NSR client is used to encrypt and route traffic via the Virtual Adapter. For example, if your office LAN/WAN utilized 192.168.0.0/16, you could specify 192.168.0.0 255.255.0.0. This would encrypt all traffic to your LAN/WAN over the VA and allow the client to route all other traffic via the local Internet connection.
01-02-2009 11:52 AM
I think my problem has been resolved with all the help I'm getting here.
I have a follow-up question:
-When I disconnect my Netscreen Remote and use the internet using my local connection, I am prompted for a username and password to connect to my Netscreen (I am using XAuth). The only workaround for now is to deactivate the security policy on the client. Is there another way without activating and deactivating my policy?
01-02-2009 02:27 PM
That usually happens when the VPN client attempts to access the encryption domain/subnet. The best way to resolve this is to check the manual connect box. This means that when you connect or disconnect it must be manual (via right-clicking the NSR icon) and you should no longer be prompted for login after disconnecting.
01-02-2009 02:34 PM
I usually do manual disconnect and connect. But after the disconnect, when using the internet it seemed to try to establish this connection via Netscreen Remote.
I have experimented with the policy and I believe it is because the NSRemote "Remote Party Identity and Addressing" is set to subnet with IP 0.0.0.0 and Mask 0.0.0.0. If I change this to something else greater than 0, it will not prompt for a password. Changing the IP will also fail my connectivity to the Netscreen.
01-02-2009 02:50 PM
OK, I see. Typically, you define a subnet (LAN) or subnet range (multi subnet LAN or WAN) on both the Netscreen Remote and Firewall Policy (they must match). If you're using a route-based VPN, you need to specify the correct subnet on the NSR and configure the Proxy-ID on the Firewall. In the example below, we encrypt all 10.x.x.x traffic and route all non 10.x.x.x traffic via the local ISP.
- Remote Party Identity and Addressing
- IP Subnet
- 10.0.0.0 255.0.0.0
- Autokey IKE
- Edit VPN
- Enable Proxy-ID
- 10.0.0.0/8 255.255.255.255/32
Let me know how you make out.
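As an added illustration of the two client-side settings the replies above discuss (the 0.0.0.0/0 "tunnel everything" symptom from the 12-30 05:34 PM reply and the split-tunnel subnet plus matching Proxy-ID from the last reply), here is a small Python model; it is not code from the thread or from Juniper, the destination addresses are constructed, and the XAuth-prompt behaviour is modelled as the posters describe it, not from the client's source.

```python
import ipaddress

# Values from the last reply's example: the NSR client's "Remote Party Identity
# and Addressing" subnet and the firewall's Proxy-ID local entry.
NSR_REMOTE_PARTY = ("10.0.0.0", "255.0.0.0")
FIREWALL_PROXY_ID_LOCAL = "10.0.0.0/8"
# The original poster's setting: address 0.0.0.0, mask 0.0.0.0 (tunnel everything).
CATCH_ALL = ("0.0.0.0", "0.0.0.0")


def nsr_subnet(ip, mask):
    """Turn the GUI's 'IP Subnet' pair (address + dotted mask) into a network.
    ipaddress accepts dotted netmasks, so '0.0.0.0/0.0.0.0' becomes 0.0.0.0/0."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def path_for(destination, encryption_domain):
    """'tunnel' if the destination lies inside the client's encryption domain
    (sent over the virtual adapter to the firewall), otherwise 'local' (local ISP)."""
    return "tunnel" if ipaddress.ip_address(destination) in encryption_domain else "local"


def classify(destinations, ip, mask):
    """Map each destination to the path it takes for a given client subnet setting."""
    domain = nsr_subnet(ip, mask)
    return {d: path_for(d, domain) for d in destinations}


def proxy_ids_match(client_subnet, firewall_local_proxy_id):
    """Phase 2 only completes when the client's subnet and the firewall's local
    Proxy-ID are the same network: same base address and same mask length."""
    return client_subnet == ipaddress.ip_network(firewall_local_proxy_id, strict=False)


def would_prompt_for_xauth(destination, encryption_domain, connected):
    """As described in the thread (assumption, modelled from the posts): with the
    tunnel down, traffic inside the encryption domain makes the client try to bring
    the tunnel up, which triggers the XAuth login prompt."""
    return (not connected) and path_for(destination, encryption_domain) == "tunnel"


if __name__ == "__main__":
    probes = ["10.20.30.40", "198.51.100.7"]  # constructed: one LAN host, one internet host
    print("catch-all setting :", classify(probes, *CATCH_ALL))
    print("split-tunnel      :", classify(probes, *NSR_REMOTE_PARTY))
    print("proxy-id ok       :", proxy_ids_match(nsr_subnet(*NSR_REMOTE_PARTY), FIREWALL_PROXY_ID_LOCAL))
    print("prompt, catch-all :", would_prompt_for_xauth("198.51.100.7", nsr_subnet(*CATCH_ALL), connected=False))
    print("prompt, split     :", would_prompt_for_xauth("198.51.100.7", nsr_subnet(*NSR_REMOTE_PARTY), connected=False))
```

With the catch-all setting every destination is classified as "tunnel", which is why the client's internet traffic arrived at NS5GT and needed an untrust-to-untrust policy with source NAT; with the 10.0.0.0/8 setting only LAN/WAN destinations are tunneled and an internet destination no longer triggers a connection attempt while the tunnel is down. The `proxy_ids_match` check is the "they must match" requirement: a client subnet of 10.0.0.0/16 against a firewall Proxy-ID of 10.0.0.0/8 fails.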