ScreenOS Firewalls (NOT SRX)
Contributor
hulk
Posts: 11
Registered: ‎06-20-2008
0
Accepted Solution

Dialup-VPN successfully connects, but the Windows VPN client cannot reach devices on the Trust side

I have read through all the discussion threads and KB articles relating to troubleshooting this issue and I still am not finding the solution. I can successfully create the IPSec tunnel and can ping the Trust side interface; as a previous post indicates, this is usually no problem, as the Firewall/VPN device knows how to handle this traffic. When I am logged into the Firewall/VPN device via ssh and perform a ping test to other devices on the Trust side, I get a positive response. What am I missing? I have added my configuration to this post. Please have a look at this.

Greatly frustrated but appreciative.

 

Hulk

Super Contributor
sylvain
Posts: 162
Registered: ‎12-20-2007
0

Dialup-VPN successfully connects,

Hi Hulk,

Try the following:

- Edit your VPN policy
- Go into the advanced configuration
- Activate the source NAT with Egress Interface

Message Edited by sylvain on 07-04-2008 01:07 PM
Contributor
hulk
Posts: 11
Registered: ‎06-20-2008
0

Re: Dialup-VPN successfully connects,

FAAANtastic.....not 100% sure why this is needed, but it worked and I don't care at this time to figure it out. Someone should re-edit the steps for creating a Dial-up VPN to include this crucial step...

thanks a bunch

Hulk

Super Contributor
sylvain
Posts: 162
Registered: ‎12-20-2007
0

Re: Dialup-VPN successfully connects,

Hi Hulk,

To be honest, it's a workaround. I think there is a problem with the return flow in your case (perhaps a routing issue).

By translating the source, all the networks think that the src IP is the Firewall (and not the IPsec client).
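
The return-flow explanation in the reply above, modelled as an added example that is not part of the original thread. It assumes (the thread does not confirm this) that Trust-side hosts use a default gateway other than the firewall; every address and the helper names `next_hop`, `reply_reaches_firewall` and `with_return_route` are constructed for illustration.

```python
import ipaddress

# All addresses are constructed for illustration; none come from the thread.
FIREWALL_TRUST_IF = ipaddress.ip_address("192.168.1.1")   # firewall's Trust interface
OTHER_GATEWAY = ipaddress.ip_address("192.168.1.254")     # a different router on the LAN
VPN_CLIENT = ipaddress.ip_address("10.10.10.5")           # dial-up client's inner address

# Routing table of a Trust-side host: (prefix, next hop or None when on-link).
# Assumption: the host's default gateway is NOT the firewall.
HOST_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), OTHER_GATEWAY),
]


def next_hop(routes, dst):
    """Longest-prefix match; returns the next hop, or dst itself when on-link."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return dst if gw is None else gw


def reply_reaches_firewall(routes, source_nat):
    """Is the host's reply to a tunnelled packet handed back to the firewall?"""
    # With source NAT on the egress interface, the host sees the firewall's
    # Trust interface as the sender instead of the VPN client.
    seen_source = FIREWALL_TRUST_IF if source_nat else VPN_CLIENT
    return next_hop(routes, seen_source) == FIREWALL_TRUST_IF


def with_return_route(routes):
    """The routing fix instead of NAT: send the client's network via the firewall."""
    client_net = ipaddress.ip_network("10.10.10.0/24")  # constructed client pool
    return routes + [(client_net, FIREWALL_TRUST_IF)]


if __name__ == "__main__":
    print("no NAT, no return route :", reply_reaches_firewall(HOST_ROUTES, False))
    print("source NAT (workaround) :", reply_reaches_firewall(HOST_ROUTES, True))
    print("no NAT, return route    :",
          reply_reaches_firewall(with_return_route(HOST_ROUTES), False))
```

Under this assumption, source NAT hides the missing return route rather than fixing it, and it also means Trust-side logs record the firewall's address instead of the individual VPN client.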

Contributor
hulk
Posts: 11
Registered: ‎06-20-2008
0

Re: Dialup-VPN successfully connects,

Fair enough, workaround or not, I am just glad to see this is working. It seems odd that there is a routing issue with such a simple setup? Is this related to the version of ScreenOS running on the Firewall/VPN device? What is even more unsettling is that I reset the original settings back into the policy, reset the device to flush any caching and I can still see the devices on the Trust side....confusing...U bet!!!

Well, I am just going to chalk this up to good old FM technology, or just needed a kickstart, and leave it for now.

thanks again for your input

Hulk

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.