ScreenOS Firewalls (NOT SRX)
Visitor
theberidox
Posts: 9
Registered: ‎05-19-2009
Accepted Solution

Problem with VPN communication between 2 NS5XTs

I have 2 locations with static IPs with a NS5XT on each side. They have a VPN between each other that was created by the vpn wizard. The issue I'm having is that I can ping and connect via remote desktop using ip addresses from one side (garage network of 192.168.0.0) to the other (colonial network of 192.168.1.0) but can't ping or connect from the colonial network to the garage network. Both devices have both "Trust" to "Untrust" & "Untrust" to "Trust" to the other network with the Any policy.


Distinguished Expert
firewall72
Posts: 826
Registered: ‎05-04-2008

Re: Problem with VPN communication between 2 NS5XTs

Hi,


I would make sure the VPN is up using "get sa" from the CLI.  If the VPN is up, I would check to make sure the Policy is at the top (get pol from trust to untrust).  If it's not, the first policy would match and your traffic might not be encrypted across the tunnel.


-John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
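The first-match behaviour John describes, as an added example that is not part of the original thread: a small Python model of ScreenOS-style policy lookup (the first policy whose source and destination cover the packet wins) together with a check for policies that are shadowed by an earlier, broader one and can therefore never match. The policy list, addresses and tunnel name are constructed to mirror the poster's description (an "Any" permit above the tunnel policy); service matching is left out of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """One policy in a from-zone/to-zone list (constructed, simplified: no service field)."""
    pid: int
    src: str          # source network in CIDR, or "any"
    dst: str          # destination network in CIDR, or "any"
    action: str       # "permit", "deny" or "tunnel"
    vpn: str = ""     # tunnel name when action == "tunnel"


def _covers(rule_net: str, net: str) -> bool:
    """True if rule_net contains net; a bare host address is treated as a /32."""
    if rule_net == "any":
        return True
    if net == "any":
        return False
    return ipaddress.ip_network(net).subnet_of(ipaddress.ip_network(rule_net))


def lookup(policies: List[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """First-match lookup: walk the list top to bottom, return the first covering policy."""
    for p in policies:
        if _covers(p.src, src_ip) and _covers(p.dst, dst_ip):
            return p
    return None  # no policy matched; the device would drop the packet


def shadowed(policies: List[Policy]) -> List[int]:
    """Ids of policies whose src/dst are fully covered by an earlier policy.

    Such a policy is unreachable under first-match lookup: a tunnel policy sitting
    below a broad "any/any permit" is exactly the situation in the thread, and the
    traffic leaves in the clear instead of through the VPN.
    """
    hidden = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                hidden.append(later.pid)
                break
    return hidden


def move_to_top(policies: List[Policy], pid: int) -> List[Policy]:
    """Return a new list with the given policy moved to position 0 (like 'set policy move ... before')."""
    target = next(p for p in policies if p.pid == pid)
    return [target] + [p for p in policies if p.pid != pid]


# Constructed trust->untrust list for the colonial side, as the poster described it:
# the general "Any" permit first, the wizard-created tunnel policy at the bottom.
COLONIAL_TRUST_TO_UNTRUST = [
    Policy(1, "any", "any", "permit"),
    Policy(2, "192.168.1.0/24", "192.168.0.0/24", "tunnel", "garage-vpn"),
]


if __name__ == "__main__":
    hit = lookup(COLONIAL_TRUST_TO_UNTRUST, "192.168.1.10", "192.168.0.20")
    print("before reorder -> policy", hit.pid, hit.action)      # policy 1 permit (not tunnelled)
    print("shadowed policies:", shadowed(COLONIAL_TRUST_TO_UNTRUST))
    fixed = move_to_top(COLONIAL_TRUST_TO_UNTRUST, 2)
    hit = lookup(fixed, "192.168.1.10", "192.168.0.20")
    print("after reorder  -> policy", hit.pid, hit.action, hit.vpn)  # policy 2 tunnel garage-vpn
    print("shadowed policies:", shadowed(fixed))
```

Running `shadowed()` over a policy list is the check to do before trusting "get sa" alone: the SA can be up while the traffic never reaches the tunnel policy because a broader permit above it matches first.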
Trusted Expert
WL
Posts: 790
Registered: ‎07-26-2008

Re: Problem with VPN communication between 2 NS5XTs

Sounds like a policy issue. Can you access the firewall via CLI and show the config for both sides?


get conf | i ike

get conf | i vpn


and the policy as well. 

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Visitor
theberidox
Posts: 9
Registered: ‎05-19-2009

Re: Problem with VPN communication between 2 NS5XTs

Hi Guys,

Thank you for the help. The policies were at the bottom of the lists. I moved them to the top and now it seems to work. I would have never thought to move them. Thanks again.


Mike

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.