ScreenOS Firewalls (NOT SRX)
Contributor
sona
Posts: 25
Registered: ‎07-13-2009
Accepted Solution

Unable to access Site-to-Site VPN branches(site B,C...) using DialUp VPN from Site A


Hi,

I have configured a dial-up VPN using XAuth on an SSG140 (6.2.0r3.0). Everything is working fine except that I am unable to access the other branch networks, which are connected through site-to-site VPNs on the same SSG140.

For example:

In Site A, I have configured 4 site-to-site VPNs for different branches (Sites B, C, D & E) and a dial-up VPN. From NetScreen-Remote I cannot access the Site B, C, D & E networks, but I am able to access the Site A local subnet (Trust).

When I look at the logs for the policy from Untrust to Trust, it says the traffic was denied. Untrust intra-zone traffic is also not blocked.

I am using the Untrust zone for all VPNs.

Dial-up VPN IP pool is 10.147.131.0/24

Policy:

set policy id 30 from "Untrust" to "Trust" "Dial-Up VPN" "SDVnet(10.0.0.0)" "ANY" tunnel vpn "Remote-VPN" id 0x6 pair-policy 31 log
set policy id 30

set policy id 31 from "Trust" to "Untrust" "SDVnet(10.0.0.0)" "Dial-Up VPN" "ANY" tunnel vpn "Remote-VPN" id 0x6 pair-policy 30 log
set policy id 31

Routing:

set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet0/0 gateway 202.136.16X.XXX preference 20
set route 10.147.204.0/22 interface tunnel.1 preference 20
set route 10.147.208.0/23 interface tunnel.1 preference 20
set route 10.147.116.0/24 interface tunnel.2
set route 10.147.189.0/24 interface tunnel.3
set route 10.147.188.0/24 interface tunnel.3
set route 10.147.131.0/24 gateway 202.136.16X.XXX
set route 10.147.220.0/22 interface tunnel.4
set route 10.147.224.0/22 interface tunnel.4
set route 10.0.0.0/8 vrouter "trust-vr" preference 20 metric 1
set route 192.168.100.0/24 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.0.0.0/8 interface ethernet0/9 gateway 10.147.128.5 preference 20
set route 10.147.204.0/22 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.208.0/23 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.116.0/24 vrouter "untrust-vr" preference 20 metric 1
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.189.0/24 vrouter "untrust-vr" preference 20 metric 1
set route 192.168.100.0/24 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.131.0/24 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.220.0/22 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.224.0/22 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Please see the logs:


WSDSGEG1-> get db stream
****** packet decapsulated, type=ipsec, len=60******
  ipid = 7496(1d48), @1d50411c
  ethernet0/0:10.147.131.115/34560->10.147.222.5/512,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.147.131.115->10.147.222.5) in vr untrust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 18.route 10.147.222.5->10.147.222.5, to tunnel.4
  routed (x_dst_ip 10.147.222.5) from ethernet0/0 (ethernet0/0 in 0) to tunnel.4
  policy search from zone 1-> zone 1
 policy_flow_search  policy search nat_crt from zone 1-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.147.222.5, port 50267, proto 1)
 policy_flow_search  in tunnel pak_ptr policy: id: 30, from zone 1 -> 2
  No policy matched for tunnel traffic, logging for:
  VPN policy= 30: szone 1 dzone 1 pid 30 ports 800c45b iphdr 1d50411c
  log this session (pid=30)
  **** pak processing end.
****** packet decapsulated, type=ipsec, len=60******
  ipid = 7497(1d49), @1d56911c
  ethernet0/0:10.147.131.115/34816->10.147.222.5/512,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.147.131.115->10.147.222.5) in vr untrust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 18.route 10.147.222.5->10.147.222.5, to tunnel.4
  routed (x_dst_ip 10.147.222.5) from ethernet0/0 (ethernet0/0 in 0) to tunnel.4
  policy search from zone 1-> zone 1
 policy_flow_search  policy search nat_crt from zone 1-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.147.222.5, port 50011, proto 1)
 policy_flow_search  in tunnel pak_ptr policy: id: 30, from zone 1 -> 2
  No policy matched for tunnel traffic, logging for:
  VPN policy= 30: szone 1 dzone 1 pid 30 ports 800c35b iphdr 1d56911c
  log this session (pid=30)
  **** pak processing end.
****** packet decapsulated, type=ipsec, len=60******
  ipid = 7499(1d4b), @1d5c511c
  ethernet0/0:10.147.131.115/35072->10.147.222.5/512,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.147.131.115->10.147.222.5) in vr untrust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 18.route 10.147.222.5->10.147.222.5, to tunnel.4
  routed (x_dst_ip 10.147.222.5) from ethernet0/0 (ethernet0/0 in 0) to tunnel.4
  policy search from zone 1-> zone 1
 policy_flow_search  policy search nat_crt from zone 1-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.147.222.5, port 49755, proto 1)
 policy_flow_search  in tunnel pak_ptr policy: id: 30, from zone 1 -> 2
  No policy matched for tunnel traffic, logging for:
  VPN policy= 30: szone 1 dzone 1 pid 30 ports 800c25b iphdr 1d5c511c
  log this session (pid=30)
  **** pak processing end.

 

Please help with this.

Thanks

Sona

Message Edited by sona on 09-08-2009 03:44 PM
Super Contributor
arizvi
Posts: 287
Registered: ‎10-21-2008

Re: Unable to access Site-to-Site VPN branches(site B,C...) using DialUp VPN from Site A

The setup looks like a hub-and-spoke VPN. Please follow the KB below:

http://kb.juniper.net/KB4224 ; consider one spoke as your dial-up VPN client.

As per the above config and debug, it looks like you are missing the policies for the dial-up client to communicate from Site A to Sites B, C and D.

Thanks

Atif

Contributor
sona
Posts: 25
Registered: ‎07-13-2009

Re: Unable to access Site-to-Site VPN branches(site B,C...) using DialUp VPN from Site A

Hi,

Thanks for your reply...

I had gone through the KB you mentioned. All my site-to-site VPNs are configured like that and everything is working fine. But for the dial-up on Site A, I have configured it as a policy-based dial-up VPN. I have not created a tunnel interface for the dial-up. Is this the reason I am unable to connect to all the route-based VPN networks (Sites B, C, D & E)?

You mentioned a policy that I may have missed out. I have created two for the dial-up VPN, from Untrust to Trust and vice versa. I think these two policies are enough for it to work!

Thanks

Sona

Super Contributor
srigelsford
Posts: 203
Registered: ‎04-14-2008

Re: Unable to access Site-to-Site VPN branches(site B,C...) using DialUp VPN from Site A

Ideally you need to convert your MUVPN setup to route-based.

Create a new tunnel interface, and manually define your P2 proxy ID.

You will then need a policy from Untrust to Untrust to allow your MUVPN traffic to pass down your other tunnels (assuming they are all in the Untrust zone).
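To make the reasoning behind this answer mechanically checkable, here is an added Python example (not from this thread, from the posters, or from ScreenOS) that parses the `get db stream` flow-trace shape shown in the first post, extracts the zone pair the policy lookup used, and reports which zone-to-zone policy is absent from a given policy list. The sample trace and the zone id mapping (1 = Untrust, 2 = Trust) are assumptions constructed from the first post.

```python
import re

# Constructed sample in the shape of the `get db stream` trace from the first post:
# a dial-up VPN packet decapsulated on ethernet0/0 and routed out tunnel.4.
SAMPLE_TRACE = """\
****** packet decapsulated, type=ipsec, len=60******
  ethernet0/0:10.147.131.115/34560->10.147.222.5/512,1(8/0)<Root>
  routed (x_dst_ip 10.147.222.5) from ethernet0/0 (ethernet0/0 in 0) to tunnel.4
  policy search from zone 1-> zone 1
  No policy matched for tunnel traffic, logging for:
  **** pak processing end.
"""

ZONE_NAMES = {1: "Untrust", 2: "Trust"}  # assumption: zone ids as seen in the trace

# The two dial-up policies from the first post; no Untrust-to-Untrust policy exists.
POLICIES = [{"id": 30, "from": "Untrust", "to": "Trust"},
            {"id": 31, "from": "Trust", "to": "Untrust"}]

FLOW_RE = re.compile(r"^(\S+):(\d+\.\d+\.\d+\.\d+)/\d+->(\d+\.\d+\.\d+\.\d+)/\d+")
ROUTED_RE = re.compile(r"^routed .* from (\S+) .* to (\S+)$")
ZONE_RE = re.compile(r"^policy search from zone (\d+)-> zone (\d+)$")

def parse_flows(text):
    """Split a trace into per-packet dicts: interfaces, IPs, zone pair searched, match."""
    flows, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("****** packet decapsulated"):
            cur = {"matched": True}          # a new packet record begins
        elif cur is None:
            continue                         # text outside any packet record
        elif (m := FLOW_RE.match(line)):
            cur["in_if"], cur["src"], cur["dst"] = m.group(1), m.group(2), m.group(3)
        elif (m := ROUTED_RE.match(line)):
            cur["out_if"] = m.group(2)       # egress interface chosen by routing
        elif (m := ZONE_RE.match(line)):
            cur["szone"], cur["dzone"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("No policy matched"):
            cur["matched"] = False
        elif line.startswith("**** pak processing end"):
            flows.append(cur)
            cur = None
    return flows

def missing_policy(flow, policies):
    """Return the (from, to) zone pair the flow needed but no policy covers, else None."""
    pair = (ZONE_NAMES.get(flow["szone"]), ZONE_NAMES.get(flow["dzone"]))
    return None if any((p["from"], p["to"]) == pair for p in policies) else pair
```

For the trace above the result is ("Untrust", "Untrust"): the dial-up packet leaves through tunnel.4, which sits in the same zone it arrived in, so policy 30 (Untrust to Trust) can never match it.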

Contributor
sona
Posts: 25
Registered: ‎07-13-2009

Re: Unable to access Site-to-Site VPN branches(site B,C...) using DialUp VPN from Site A

Hi,

I can now access all branches using dial-up. I just created a route-based dial-up VPN.

I learnt that I cannot use a policy-based dial-up VPN to access all the other site-to-site VPN branches (spokes), since they are all created as route-based VPNs.

Thanks to you all for your valuable info.....

Regards

Sona
