07-04-2008 07:54 AM
I have read through all the discussion threads and KB articles relating to troubleshooting this issue and I am still not finding the solution. I can successfully create the IPSec tunnel and can ping the Trust-side interface; as a previous post indicates, this is usually no problem, as the Firewall/VPN device knows how to handle this traffic. When I am logged into the Firewall/VPN device via ssh and perform a ping test to other devices on the Trust side, I get a positive response. What am I missing? I have added my configuration to this post. Please have a look at this.
Greatly frustrated but appreciative.
07-04-2008 01:05 PM - edited 07-04-2008 01:07 PM
Try the following:
- Edit your VPN policy
- Go into the advanced configuration
- Activate source NAT with the egress interface
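The three steps above, expressed as ScreenOS CLI policy commands so the "before" and "after" can be compared directly. This is an added illustration, not the original poster's configuration (which is not reproduced on this page); the policy ID, zone names, VPN name and the use of the predefined "Dial-Up VPN" address are assumptions.

```screenos
# Added illustration (hypothetical NetScreen/ScreenOS config); policy id 10,
# the "Untrust"/"Trust" zone names and the VPN name "DialupVPN" are assumed.

# Before: dial-up VPN policy without source NAT. The tunnel comes up and the
# firewall's own Trust interface answers pings, but a Trust host replying to the
# dial-up client sends its reply to the client's address via the host's own
# default gateway, which may not be this firewall, so the reply never reaches
# the tunnel.
set policy id 10 from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel vpn "DialupVPN" log

# After (the workaround from the steps above): the same policy with interface-based
# source NAT. "nat src" with no DIP pool rewrites the client's source address to the
# IP of the egress (Trust) interface, so every reply is addressed to the firewall
# itself and no Trust host needs a route back to the client's address.
unset policy id 10
set policy id 10 from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" nat src tunnel vpn "DialupVPN" log

# Confirm the policy now carries the NAT attribute.
get policy id 10
```

The trade-off is the one a later reply in this thread points out: with `nat src` the Trust hosts see the firewall's interface address instead of the real client address, so per-client logging and host-based filtering on the inside lose that information. Before settling on it, a practitioner would check from a Trust host whether its route (or default gateway) for the dial-up client addresses actually leads back to the firewall's Trust interface; if it does not, a return route on that host or its gateway is the fix the NAT is papering over.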
07-07-2008 05:56 AM
Fantastic... not 100% sure why this is needed, but it worked and I don't care at this time to figure it out. Someone should re-edit the steps for creating a Dial-up VPN to include this crucial step...
thanks a bunch
07-07-2008 07:47 AM
To be honest, it's a workaround. I think there is a problem with the return flow in your case (perhaps a routing issue).
By translating the source, all the networks think that the source IP is the firewall (and not the IPsec client).
07-07-2008 09:55 AM
Fair enough, workaround or not, I am just glad to see this is working. It seems odd that there is a routing issue with such a simple setup. Is this related to the version of ScreenOS running on the Firewall/VPN device? What is even more unsettling is that I reset the original settings back into the policy, reset the device to flush any caching, and I can still see the devices on the Trust side... confusing... you bet!!!
Well, I am just going to chalk this up to good old FM technology, or it just needed a kickstart, and leave it for now.
thanks again for your input