ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 16
Registered: 12-29-2008
Accepted Solution

Dialup VPN Tunnel Access

Hi,

 

This is my first post and need experts advice and directions.

 

Situation:

-Clients using Netscreen Remote are connecting to NS5GT using Dialup VPN policy. Clients can connect to local workstations and services on this site no problem.

-There is a working tunnel from NS5GT to NS25 in another site with services that the remote clients would like to connect to.

Question:

-Is there a way for the remote client to connect to services where NS25 site is located?

 

Thanks

JB

Distinguished Expert
Posts: 826
Registered: 05-04-2008

Re: Dialup VPN Tunnel Access

Hi Jb,

 

Yes there is, but you need to use a Route Based VPN for your Dial-up VPN users. Most dial-up VPNs I come across use a Policy Based approach. However, dial-up VPN users are unable to route across to another VPN unless a route-based VPN is used. This is done by terminating the VPN to a Tunnel interface. You can then add a "dial-up" VPN zone for additional security. This allows you to control traffic via Policy. As an FYI, the VPN Policy type is not used with a Route-based approach. I hope this helps. Let me know if you have any questions.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Contributor
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

Hi John,

 

Should I just create an unnumbered interface and bind the tunnel interface to my Auto IKE VPN? What next?

 

Thanks

JB

Trusted Expert
Posts: 441
Registered: 07-08-2008

Re: Dialup VPN Tunnel Access

Have a look at the following thread.

 

http://forums.juniper.net/jnet/board/message?board.id=Firewalls&message.id=766&query.id=1183697#M766

 

 

Regards

 

Andy

 

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Distinguished Expert
Posts: 826
Registered: 05-04-2008

Re: Dialup VPN Tunnel Access

Hi,

 

I would review the link from AndyC. If you still have questions or run into an issue, let me know.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

Contributor
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

I was able to create a route-based dial-up successfully as per the link (which was really quite helpful). However, I am unable to ping the remote site or the NS25 LAN IP. Here's what I have:

 

Remote IP Pool 30.30.30.0/24 

NS5GT LAN 172.18.7.0/24

NS25 LAN 192.168.110.0/24

 

-Remote clients connected to NS5GT via route based tunnel.2.

-Tunnel.1 is the tunnel to NS25 LAN

-NS5GT: Created a policy (Untrust Intra-zone policy) from 30.30.30.0/24 to 192.168.110.0/24

-NS25: Created routing 30.30.30.0/24->tunnel.10 (tunnel.10 is the link to tunnel.1)

 

I am reading the link's whole thread again as I may have missed something. I am also confused by that thread as there is another IP which 172....

 

Thanks

JB

Contributor
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

I can now successfully ping from remote client to NS25 LAN. Still working on pinging from NS25 LAN to remote client IP.

 

Also, I just noticed I can't access the internet from the remote client, even pinging an external IP.

 

JB

Trusted Expert
Posts: 441
Registered: 07-08-2008

Re: Dialup VPN Tunnel Access

Hi,

 

The reason you can't access the internet from the remote PC is because all traffic is being tunneled down the VPN, including internet traffic, hence the subnet mask of 0.0.0.0/0.

 

You would need a policy on your firewall that would allow the NSRemote client access out on to the internet. If your tunnel interface for the dial-up VPN is bound to the untrust zone then you would need a policy from untrust to untrust, source 30.30.30.0/24, destination any.

 

To get access from the NS25 to the remote client via the 5GT you would need to add a policy making sure that the NS25 LAN is allowed to talk to the 30.30.30.0 network.

 

Let me know if this helps

 

If not, let me know which zone the tunnel interface for the dial-up VPN is in and which zone the tunnel interface for the tunnel to the NS25 is in and I can give a more detailed description.

 

Regards

 

Andy

 

 

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Contributor
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

Hi Andy,

 

-NS5GT: I have two policies Untrust-to-Untrust (intra-zone policy), one is from 30.30.30.0/24 to 172.18.7.0/24 and the second is from 30.30.30.0/24 to Any, but I still can't get to the internet from the NSRemote client.

 

-NS25: I also have a policy Trust-to-Untrust 192.168.110.0/24 to Remote_Sites which includes 172.18.7.0/24 LAN.

-NS25: I also have routing created 30.30.30.0/24 using interface tunnel.10

 

-NS5GT: tunnel.1 interface is the tunnel to NS25 and is on untrust(trust-vr) zone

-NS5GT: tunnel.2 interface is the remote client tunnel and is on untrust(trust-vr) zone.

 

Thanks

JB

Contributor
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

My NSRemote client internet access is now working. I have read another solution in a previous post: turn on NAT-Src translation in the Untrust intra-zone policy.

 

Question: Why not route internet access through the client's local internet access instead of going to NS5GT and out? Is this possible?

 

 

Distinguished Expert
Posts: 826
Registered: 05-04-2008

Re: Dialup VPN Tunnel Access

Yes, the subnet you specify in the NSR client is used to encrypt and route traffic via the Virtual Adapter. For example, if your office LAN/WAN utilized 192.168.0.0/16, you could specify 192.168.0.0 255.255.0.0. This would encrypt all traffic to your LAN/WAN over the VA and allow the client to route all other traffic via the local Internet connection.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

Contributor
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

I think my problem has been resolved with all the help I'm getting here.

 

I have a follow-up question;

-When I disconnect my Netscreen Remote and use the internet over my local connection, a username and password prompt appears for me to connect to my Netscreen (I am using XAuth). The only workaround for now is to deactivate the security policy on the client. Is there another way without activating and deactivating my policy?

 

Thanks

JB

Distinguished Expert
Posts: 826
Registered: 05-04-2008

Re: Dialup VPN Tunnel Access

Hey JB,

 

That usually happens when the VPN client attempts to access the encryption domain/subnet. The best way to resolve this is to check the manual connect box. This means that when you connect or disconnect it must be manual (via right-clicking the NSR icon) and you should no longer be prompted for login after disconnecting.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

Contributor
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

Hi John,

 

I usually do manual disconnect and connect. But after the disconnect, when using the internet, it seemed to try to establish this connection via Netscreen Remote.

 

I have experimented with the policy and I believe it is because the NSRemote "Remote Party Identity and Addressing" is set to subnet with IP 0.0.0.0 and Mask 0.0.0.0. If I change this to something else greater than 0, it will not prompt for a password. Changing the IP will also fail my connectivity to the Netscreen.

 

Thanks

JB

Distinguished Expert
Posts: 826
Registered: 05-04-2008

Re: Dialup VPN Tunnel Access

OK, I see. Typically, you define a subnet (LAN) or subnet range (multi subnet LAN or WAN) on both the Netscreen Remote and Firewall Policy (they must match). If you're using a route-based VPN, you need to specify the correct subnet on the NSR and configure the Proxy-ID on the Firewall. In the example below, we encrypt all 10.x.x.x traffic and route all non 10.x.x.x traffic via the local ISP.

 

NSR:

- Remote Party Identity and Addressing

- IP Subnet

- 10.0.0.0 255.0.0.0

 

Firewall:

- Autokey IKE

- Edit VPN

- Advanced

- Enable Proxy-ID

- 10.0.0.0/8 255.255.255.255/32

 

Let me know how you make out.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

Contributor
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

Hi John,

 

How can I configure it in such a way that it will cover the IP addresses used in my LAN? I have IPs in 172.x.x.x, 192.x.x.x and 10.x.x.x.

 

I tried as per your config and it works only for one of the IPs.

 

Thanks

JB
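As an added illustration of John's proxy-ID example above and of JB's follow-up about covering 172.x, 192.x and 10.x with one entry, here is a small Python script; it is not from the thread and not Juniper or Netscreen Remote code. It computes the single CIDR prefix that an NSR "IP Subnet" entry and the matching ScreenOS proxy-ID would have to carry to cover a list of LAN ranges, checks that the NSR "IP / Mask" form and the firewall's CIDR form describe the same network, and then shows where a given destination ends up: over the virtual adapter because it is a LAN address, over the virtual adapter only because the covering prefix is wider than the LANs, or out the client's local Internet connection. The LAN prefixes are the ones named in the thread, assembled here as constructed sample input; the function names are my own.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample input: the NS5GT LAN, the NS25 LAN and a 10.x range,
# standing in for the 172.x / 192.x / 10.x addresses JB wants reachable.
LAN_PREFIXES: List[str] = ["10.0.0.0/8", "172.18.7.0/24", "192.168.110.0/24"]


def nsr_subnet_to_prefix(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Turn an NSR 'IP Subnet' entry (e.g. 10.0.0.0 255.0.0.0) into CIDR form
    so it can be compared with a firewall proxy-ID written as 10.0.0.0/8.
    The two must describe the same network or the Phase 2 proxy-IDs will not match."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def covering_supernet(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single IPv4 prefix that contains every prefix in the list.

    NSR's 'IP Subnet' field and the proxy-ID local address each take exactly
    one prefix, so this is the tightest value that still covers all the LANs.
    Anything else inside it is tunneled as well."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    if not nets:
        raise ValueError("need at least one prefix")
    candidate = nets[0]
    # Widen the first prefix one bit at a time until all the others fit in it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet(prefixlen_diff=1)
    return candidate


def classify(dst: str, lan_prefixes: List[str], encryption_domain: str) -> str:
    """Where a packet from the NSR client to dst goes:

    'lan-via-vpn'      - a real office address, encrypted over the virtual adapter
    'internet-via-vpn' - not an office address but inside the encryption domain,
                         so it is tunneled anyway; reaching the Internet then needs
                         the untrust-to-untrust policy (with NAT-src) on the firewall
    'internet-local'   - outside the encryption domain, sent via the local ISP
    """
    addr = ipaddress.ip_address(dst)
    if any(addr in ipaddress.ip_network(p, strict=False) for p in lan_prefixes):
        return "lan-via-vpn"
    if addr in ipaddress.ip_network(encryption_domain, strict=False):
        return "internet-via-vpn"
    return "internet-local"


def report(lan_prefixes: List[str], destinations: Iterable[str]) -> Dict[str, str]:
    """Map each destination to its path when the encryption domain is the
    single prefix that covers all of lan_prefixes."""
    domain = str(covering_supernet(lan_prefixes))
    return {d: classify(d, lan_prefixes, domain) for d in destinations}


if __name__ == "__main__":
    # Constructed destinations: one host on each LAN plus a public address.
    probes = ["172.18.7.10", "192.168.110.20", "10.5.5.5", "8.8.8.8"]
    print("NSR 10.0.0.0 255.0.0.0 ==", nsr_subnet_to_prefix("10.0.0.0", "255.0.0.0"))
    print("single prefix covering", LAN_PREFIXES, "->", covering_supernet(LAN_PREFIXES))
    for dst, path in report(LAN_PREFIXES, probes).items():
        print(f"{dst:>16}  {path}")
    # With only the 10.x range the domain stays a /8 and 8.8.8.8 goes out locally.
    print("10.x only:", report(["10.0.0.0/8"], ["8.8.8.8"]))
```

Running it on the three ranges from the thread gives a covering prefix of 0.0.0.0/0, because 10.x, 172.x and 192.x differ in their very first bit; that is the same setting JB started with, and it is why public addresses come out as "internet-via-vpn" and needed the Untrust intra-zone policy with NAT-src before the client could reach the Internet. With only the 10.x range the domain stays at 10.0.0.0/8 and the same public address is sent via the local ISP, which is John's split example.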

Contributor
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access


firewall72 wrote:

Hey JB,

That usually happens when the VPN client attempts to access the encryption domain/subnet. The best way to resolve this is to check the manual connect box. This means that when you connect or disconnect it must be manual (via right-clicking the NSR icon) and you should no longer be prompted for login after disconnecting.

-John


 

Hi John,

 

I missed the manual connect you mentioned. There is a check box on the NSRemote Client "Only Connect Manually". I tried this and it fixes the problem.

 

Thanks,

JB