Screen OS


Dialup VPN Tunnel Access

  • 1.  Dialup VPN Tunnel Access

    Posted 12-30-2008 10:26

    Hi,

     

    This is my first post and I need experts' advice and directions.

     

    Situation:

    -Clients using Netscreen Remote are connecting to NS5GT using Dialup VPN policy. Clients can connect to local workstations and services on this site no problem.

    -There is a working tunnel from NS5GT to NS25 in another site with services that the remote clients would like to connect to.

    Question:

    -Is there a way for the remote client to connect to services where NS25 site is located?

     

    Thanks

    JB



  • 2.  RE: Dialup VPN Tunnel Access

    Posted 12-30-2008 10:37

    Hi Jb,

     

    Yes there is, but you need to use a Route Based VPN for your Dial-up VPN users.  Most dial-up VPNs I come across use a Policy Based approach.  However, dial-up VPN users are unable to route across to another VPN unless a route-based one is used.  This is done by terminating the VPN to a Tunnel interface.  You can then add a "dial-up" VPN zone for additional security.  This allows you to control traffic via Policy.  As an FYI, the VPN Policy type is not used with a Route-based approach.  I hope this helps.  Let me know if you have any questions.

     

    -John



  • 3.  RE: Dialup VPN Tunnel Access

    Posted 12-30-2008 11:40

    Hi John,

     

    Should I just create an unnumbered interface and bind the tunnel interface to my Auto IKE VPN? What next?

     

    Thanks

    JB



  • 4.  RE: Dialup VPN Tunnel Access

    Posted 12-30-2008 13:36

    Hi,

     

    I would review the link from AndyC.  If you still have questions or run into an issue, let me know.

     

    -John



  • 5.  RE: Dialup VPN Tunnel Access

    Posted 12-30-2008 15:20

    I was able to create a route based dial-up successfully as per the link (which was really quite helpful). However, I am unable to ping the remote site or NS25 LAN IP. Here's what I have:

     

    Remote IP Pool 30.30.30.0/24 

    NS5GT LAN 172.18.7.0/24

    NS25 LAN 192.168.110.0/24

     

    -Remote clients connected to NS5GT via route based tunnel.2.

    -Tunnel.1 is the tunnel to NS25 LAN

    -NS5GT: Created a policy (Untrust Intra-zone policy) from 30.30.30.0/24 to 192.168.110.0/24

    -NS25: Created routing 30.30.30.0/24->tunnel.10 (tunnel.10 is the link to tunnel.1)

     

    I am reading the link's whole thread again as I may have missed out something. I am also confused in that thread as there is another IP which 172....

     

    Thanks

    JB



  • 6.  RE: Dialup VPN Tunnel Access

    Posted 12-30-2008 15:53

    I can now successfully ping from remote client to NS25 LAN. Still working on pinging from NS25 LAN to remote client IP.

     

    Also, I just noticed I can't access the internet from the remote client, even pinging an external IP.

     

    JB



  • 7.  RE: Dialup VPN Tunnel Access

    Posted 12-30-2008 17:35

    Hi,

     

    The reason you can't access the internet from the remote PC is because all traffic is being tunneled down the VPN including internet traffic, hence the subnet mask of 0.0.0.0/0.

     

    You would need a policy on your firewall that would allow the NSRemote client access out on to the internet. If your tunnel interface for the dialup VPN is bound to the untrust zone then you would need a policy from untrust to untrust, source 30.30.30.0/24, destination any.

     

    To get access from the NS25 to the remote client via the 5GT you would need to add a policy making sure that the NS25 LAN is allowed to talk to the 30.30.30.0 network.

     

    Let me know if this helps

     

    If not, let me know which zone the tunnel interface for the dial-up VPN is in and which zone the tunnel interface for the tunnel to the NS25 is in and I can give a more detailed description.

     

    Regards

     

    Andy

     

     



  • 8.  RE: Dialup VPN Tunnel Access

    Posted 12-30-2008 20:22

    Hi Andy,

     

    -NS5GT: I have two policies Untrust-to-Untrust (intra-zone policy), one is from 30.30.30.0/24 to 172.18.7.0/24 and the second is from 30.30.30.0/24 to Any, but I still can't get to the internet from the NSRemote client.

     

    -NS25: I also have a policy Trust-to-Untrust 192.168.110.0/24 to Remote_Sites which includes 172.18.7.0/24 LAN.

    -NS25: I also have routing created 30.30.30.0/24 using interface tunnel.10

     

    -NS5GT: tunnel.1 interface is the tunnel to NS25 and is on untrust(trust-vr) zone

    -NS5GT: tunnel.2 interface is the remote client tunnel and is on untrust(trust-vr) zone.

     

    Thanks

    JB



  • 9.  RE: Dialup VPN Tunnel Access

    Posted 12-31-2008 11:39

    My NSRemote client internet access is now working. I have read another solution from a previous post to turn on NAT-Src translation in the Untrust intra-zone policy.

     

    Question: Why not route internet access through the client's local internet access instead of going to NS5GT and out? Is this possible?
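    The NS5GT behaviour discussed in the posts above (route lookup to a tunnel interface, an explicit Untrust intra-zone policy, and NAT-Src for internet-bound traffic) can be reasoned through with a small model. This is an added, constructed example, not ScreenOS code and not from any poster; the addresses are the thread's, while the interface names ethernet1/ethernet3 and the policy-match logic are simplifying assumptions.

    ```python
    import ipaddress

    # Constructed model of the NS5GT from the thread. ScreenOS-style lookup is
    # simplified: longest-prefix route picks the egress interface and zone, then
    # the first matching policy between ingress zone and egress zone wins.
    Net = ipaddress.ip_network
    ROUTES = [  # (prefix, egress interface, zone of that interface)
        (Net("172.18.7.0/24"),    "ethernet1", "trust"),    # NS5GT LAN (assumed iface)
        (Net("192.168.110.0/24"), "tunnel.1",  "untrust"),  # site-to-site to NS25 LAN
        (Net("30.30.30.0/24"),    "tunnel.2",  "untrust"),  # dial-up client pool
        (Net("0.0.0.0/0"),        "ethernet3", "untrust"),  # default route to ISP (assumed)
    ]
    # (from_zone, to_zone, src, dst, nat_src); no matching policy means deny.
    POLICIES = [
        ("untrust", "untrust", Net("30.30.30.0/24"), Net("192.168.110.0/24"), False),
        ("untrust", "untrust", Net("30.30.30.0/24"), Net("0.0.0.0/0"),        True),
    ]

    def route(addr):
        """Longest-prefix match over ROUTES; returns (interface, zone)."""
        best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
        return best[1], best[2]

    def forward(src, dst, policies=POLICIES):
        """Decide what the NS5GT does with one packet from src to dst."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        _, in_zone = route(src)           # ingress zone taken from the reverse route
        out_iface, out_zone = route(dst)
        for from_zone, to_zone, s, d, nat in policies:
            if from_zone == in_zone and to_zone == out_zone and src in s and dst in d:
                # Internet replies only come back if the pool address was translated
                # to the firewall's own untrust address (NAT-Src), since nothing on
                # the ISP side routes 30.30.30.0/24 to the NS5GT.
                reply_ok = out_iface != "ethernet3" or nat
                return {"action": "permit", "egress": out_iface,
                        "nat_src": nat, "reply_routable": reply_ok}
        return {"action": "deny", "egress": out_iface,
                "nat_src": False, "reply_routable": False}

    if __name__ == "__main__":
        print(forward("30.30.30.5", "192.168.110.20"))  # client to NS25 LAN via tunnel.1
        print(forward("30.30.30.5", "198.51.100.9"))    # client to internet, NAT-Src on
    ```

    Dropping the second policy reproduces the "no internet" state from post 6, and keeping it without NAT-Src reproduces post 8 (permitted, but replies never return).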

     

     



  • 10.  RE: Dialup VPN Tunnel Access

    Posted 12-31-2008 11:57

    Yes, the subnet you specify in the NSR client is used to encrypt and route traffic via the Virtual Adapter.  For example, if your office LAN/WAN utilized 192.168.0.0/16, you could specify 192.168.0.0 255.255.0.0.  This would encrypt all traffic to your LAN/WAN over the VA and allow the client to route all other traffic via the local Internet connection.

     

    -John



  • 11.  RE: Dialup VPN Tunnel Access

    Posted 01-02-2009 11:53

    I think my problem has been resolved with all the help I'm getting here.

     

    I have a follow-up question;

    -When I disconnect my Netscreen Remote and use the internet using my local connection, a username and password prompt appears for me to connect to my Netscreen (I am using XAuth). The only workaround for now is to deactivate the security policy on the client. Is there another way without activating and deactivating my policy?

     

    Thanks

    JB



  • 12.  RE: Dialup VPN Tunnel Access
    Best Answer

    Posted 01-02-2009 14:28

    Hey JB,

     

    That usually happens when the VPN client attempts to access the encryption domain/subnet.  The best way to resolve this is to check the manual connect box.  This means that when you connect or disconnect it must be manual (via right-clicking the NSR icon) and you should no longer be prompted for login after disconnecting.

     

    -John



  • 13.  RE: Dialup VPN Tunnel Access

    Posted 01-02-2009 14:34

    Hi John,

     

    I usually do manual disconnect and connect. But after the disconnect, when using the internet it seemed to try to establish this connection via Netscreen Remote.

     

    I have experimented with the policy and I believe it is because the NSRemote "Remote Party Identity and Addressing" is set to subnet with IP 0.0.0.0 and Mask 0.0.0.0. If I change this to something else greater than 0, it will not prompt for a password. Changing the IP will also fail my connectivity to the Netscreen.

     

    Thanks

    JB



  • 14.  RE: Dialup VPN Tunnel Access

    Posted 01-02-2009 14:51

    OK, I see.  Typically, you define a subnet (LAN) or subnet range (multi subnet LAN or WAN) on both the Netscreen Remote and Firewall Policy (they must match).  If you're using a route-based VPN, you need to specify the correct subnet on the NSR and configure the Proxy-ID on the Firewall.  In the example below, we encrypt all 10.x.x.x traffic and route all non 10.x.x.x traffic via the local ISP.

     

    NSR:

    - Remote Party Identity and Addressing

    - IP Subnet

    - 10.0.0.0 255.0.0.0

     

    Firewall:

    - Autokey IKE

    - Edit VPN

    - Advanced

    - Enable Proxy-ID

    - 10.0.0.0/8 255.255.255.255/32

     

    Let me know how you make out.

     

    -John



  • 15.  RE: Dialup VPN Tunnel Access

    Posted 01-02-2009 15:00

    Hi John,

     

    How can I configure it in such a way that it will cover the IP addresses used in my LAN? I have IPs that are 172.x.x.x, 192.x.x.x and 10.x.x.x

     

    I tried as per your config and it works only for one of the IPs.

     

    Thanks

    JB



  • 16.  RE: Dialup VPN Tunnel Access

    Posted 01-02-2009 15:08

    @firewall72 wrote:

    Hey JB,

     

    That usually happens when the VPN client attempts to access the encryption domain/subnet.  The best way to resolve this is to check the manual connect box.  This means that when you connect or disconnect it must be manual (via right-clicking the NSR icon) and you should no longer be prompted for login after disconnecting.

     

    -John


     

    Hi John,

     

    I missed the manual connect you mentioned. There is a check box on the NSRemote Client "Only Connect Manually". I tried this and it fixes the problem.

     

    Thanks,

    JB



  • 17.  RE: Dialup VPN Tunnel Access

    Posted 12-30-2008 12:00

    Have a look at the following thread.

     

    http://forums.juniper.net/jnet/board/message?board.id=Firewalls&message.id=766&query.id=1183697#M766

     

     

    Regards

     

    Andy