ScreenOS Firewalls (NOT SRX)
Visitor
SilicaGel
Posts: 5
Registered: 05-06-2008

Unable to pass traffic through an L2TP vpn connection (Netscreen 5GT)

Hi,

I have a Netscreen 5GT. I was set up on the network, as the main gateway, and had VPN configured and working. Recently, I switched routers (to one that could support dual WAN), changed Internet providers and changed the internal subnet (running out of IPs).

I could not manage to get VPN working with the new router (NetGear FVS538), so I tried to reconnect the Netscreen as a secondary router just for VPN. (Actually, I set up the mail server to go through it as well, but that's not important.)

Using the same settings that were already on the router, but changing the relevant areas (subnets, network information), I can still connect to the VPN (authenticate and join the network). I can not actually see the office network though. I can ping the Netscreen using its internal IP (10.10.1.2), but I can't ping any other computers on the network.

I've reconfigured the VPN settings about 10 times or more by now, following the examples and documentation I could find, but I still can't get any traffic through to the office network.

One thing that strikes me as odd is that when I do an IP Config on the client, it doesn't get assigned a Gateway. The IP and DNS are correctly assigned, but the gateway field is blank.

I will post a copy of my router conf file below so you can see all the settings.

I would really appreciate it if someone could shed some light on this.

Also, if I should be asking this somewhere else, please let me know.

Thanks.

Note, I've changed my real WAN IP to xxx.xxx.xxx.xxx.
Also, I have a secondary IP of 192.... assigned to the trust NIC. This is because I still have some printers on the network on the old 192 subnet.

ROUTER FILE -----------------------------------------
set clock ntp
set clock timezone -5
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "RWW" protocol tcp src-port 0-65535 dst-port 4125-4125
set service "RWW" + udp src-port 0-65535 dst-port 4125-4125
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "RDP" + udp src-port 0-65535 dst-port 3389-3389
set service "CommerceWorx" protocol tcp src-port 5631-5631 dst-port 21-21
set service "CommerceWorx" + tcp src-port 5632-5632 dst-port 20-20
set service "CommerceWorx" + udp src-port 5631-5631 dst-port 21-21
set service "CommerceWorx" + udp src-port 5632-5632 dst-port 20-20
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "************************"
set admin port 8080
set admin scs password disable username netscreen
set admin auth timeout 45
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.10.0.0/16
set interface trust nat
set interface trust ip 192.168.1.2 255.255.255.0 secondary
set interface untrust ip xxx.xxx.xxx.xxx/32
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust manage-ip 10.10.1.2
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage web
set interface "untrust" mip xxx.xxx.xxx.xxx host 10.10.1.14 netmask 255.255.255.255 vrouter "trust-vr"
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set hostname ns5gt
set dns host dns1 207.164.234.193
set dns host dns2 207.164.234.129
set address "Trust" "LAN" 10.10.0.0 255.255.0.0
set address "Untrust" "update.microsoft.com" update.microsoft.com
set address "Untrust" "www.microsoft.com" www.microsoft.com
set ippool "l2-pool" 10.10.10.100 10.10.10.250
set user "test" uid 21
set user "test" type  l2tp
set user "test" password "123"
unset user "test" type auth
set user "test" "enable"
set ike respond-bad-spi 1
set xauth default auth server Local chap
set l2tp default dns1 10.10.1.11
set l2tp default dns2 10.10.1.14
set l2tp default ippool "l2-pool"
set l2tp default ppp-auth chap
set l2tp "l2-tunnel" id 2 outgoing-interface untrust keepalive 60
set l2tp "l2-tunnel" remote-setting ippool "l2-pool"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn state-name "ON"
set pki x509 dn name "test"
set pki x509 dn phone "905-123-123"
set pki x509 dn email "tester@mail.org"
set pki x509 dn ip "0.0.0.0"
set group address "Untrust" "trusted internet sites"
set group address "Untrust" "trusted internet sites" add "update.microsoft.com"
set group address "Untrust" "trusted internet sites" add "www.microsoft.com"
set group service "HTTP MAIL & RDP"
set group service "HTTP MAIL & RDP" add "HTTP"
set group service "HTTP MAIL & RDP" add "MAIL"
set group service "HTTP MAIL & RDP" add "RDP"
set scheduler "non-working hours" recurrent sunday start 0:0 stop 23:59
set scheduler "non-working hours" recurrent monday start 0:0 stop 7:0 start 18:0 stop 23:59
set scheduler "non-working hours" recurrent tuesday start 0:0 stop 7:0 start 18:0 stop 23:59
set scheduler "non-working hours" recurrent wednesday start 0:0 stop 7:0 start 18:0 stop 23:59
set scheduler "non-working hours" recurrent thursday start 0:0 stop 7:0 start 18:0 stop 23:59
set scheduler "non-working hours" recurrent friday start 0:0 stop 7:0 start 18:0 stop 23:59
set scheduler "non-working hours" recurrent saturday start 0:0 stop 23:59
set scheduler "Working hours" recurrent monday start 7:0 stop 18:0
set scheduler "Working hours" recurrent tuesday start 7:0 stop 18:0
set scheduler "Working hours" recurrent wednesday start 7:0 stop 18:0
set scheduler "Working hours" recurrent thursday start 7:0 stop 18:0
set scheduler "Working hours" recurrent friday start 7:0 stop 18:0
set policy id 11 from "Untrust" to "Trust"  "Dial-Up VPN" "LAN" "ANY" tunnel l2tp "l2-tunnel" log
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log count
set policy id 2 from "Untrust" to "Trust"  "Any" "MIP(xxx.xxx.xxx.xxx)" "HTTPS" permit log count
set policy id 2
set service "POP3"
set service "RWW"
set service "HTTP MAIL & RDP"
exit
set policy id 10 from "Untrust" to "Trust"  "Any" "MIP(xxx.xxx.xxx.xxx)" "FTP" permit
set pppoe name "Bell"
set pppoe name "Bell" username "dsl user" password "*******************"
set pppoe name "Bell" idle 0
set pppoe name "Bell" interface untrust
set pppoe name "Bell" auto-connect 5
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "0.ca.pool.ntp.org"
set ntp server backup1 "1.ca.pool.ntp.org"
set ntp server backup2 "2.ca.pool.ntp.org"
set ntp max-adjustment 3600
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set enable-source-routing
exit
set vrouter "trust-vr"
set enable-source-routing
unset add-default-route
exit

Trusted Expert
Kashif-rana
Posts: 417
Registered: 01-29-2008

Re: Unable to pass traffic through an L2TP vpn connection (Netscreen 5GT)

Hi,

If you are able to ping the trust interface IP (10.10.1.2), then I think there is no problem with the VPN configuration. Check the gateway on your LAN; it should be 10.10.1.2.

Can you tell me the topology of your network? Especially, what is the position of your primary router? Is there any relation between the Netscreen and your primary router?

Thanks

Kashif

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!
Visitor
SilicaGel
Posts: 5
Registered: 05-06-2008

Re: Unable to pass traffic through an L2TP vpn connection (Netscreen 5GT)

Hi Kashif,

The network is basically a star topology, possibly a hybrid star. (Main switches in the IT room, then some other switches in certain parts of the office.)

As far as gateways go, I have two routers. The first router (Netgear) is 10.10.1.1, and is the primary (default) gateway on almost all machines.

The 5GT (10.10.1.2) is assigned as the default gateway only on the mail server (10.10.1.14).

There are no logical routes or references between the two routers, although they are physically plugged into the same switch.

I realize that having two gateways may be a problem in the long run, but right now, I can't even ping 10.10.1.14, which is physically plugged into the 5GT, and has the 5GT as its default gateway.

Thanks.

Trusted Expert
Kashif-rana
Posts: 417
Registered: 01-29-2008

Re: Unable to pass traffic through an L2TP vpn connection (Netscreen 5GT)

Hi,

When dial-up VPN users form a tunnel with the Netscreen and want to access machines behind the Netscreen, the gateway of those machines should be the trust interface of the Netscreen.

Hope this solves your problem.

Thanks

Kashif

Visitor
SilicaGel
Posts: 5
Registered: 05-06-2008

Re: Unable to pass traffic through an L2TP vpn connection (Netscreen 5GT)

That sounds logical to me; however, I can't set the default gateway on the dial-up VPN machines. (When I do an IPCONFIG, the default gateway line is blank.) (If I go into TCP/IP Properties, there is no gateway tab.)

Is there a way for me to set up the default gateway for dial-up VPN users on the Netscreen, so that it assigns this gateway to them when they establish the tunnel?

Thanks.

Trusted Expert
Kashif-rana
Posts: 417
Registered: 01-29-2008

Re: Unable to pass traffic through an L2TP vpn connection (Netscreen 5GT)

Hi,

You don't need to set a default gateway on the dial-up VPN users. They will get it from the ISP when connected to the Internet. I was talking about the machines in your LAN. If you want dial-up users, after making a tunnel with the Netscreen, to access the machines in your LAN, you should set the gateway on your LAN machines to 10.10.1.2 (which is the IP of the trust interface of the Netscreen, because through this the traffic is returning to the dial-up users, not through your primary router).

Thanks

Kashif

Visitor
SilicaGel
Posts: 5
Registered: 05-06-2008

Re: Unable to pass traffic through an L2TP vpn connection (Netscreen 5GT)

Ok, I have the gateway set to 10.10.1.2 on one machine (mail server). This is the machine that I'm trying to ping without success. (I realize I won't be able to connect directly to other computers with the wrong gateway, but I'll work on that problem if I have to.) (Right now I only need to access the mail server through VPN.)

Any other suggestions?

Thanks.

Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: Unable to pass traffic through an L2TP vpn connection (Netscreen 5GT)

Your problem is the Netscreen doesn't support proxy ARP for addresses in the IP pool. Here is what I see.

Your trust interface IP and subnet mask:

set interface trust ip 10.10.0.0/16

Your VPN IP pool:

set ippool "l2-pool" 10.10.10.100 10.10.10.250

The address pool is all addresses that are part of the same subnet as your trust interface. So when a host on your local LAN tries to ARP for one of the IP pool addresses, no one will respond because the 5GT doesn't support proxy-arp. The reason why you are able to successfully ping just the 5GT trust interface is because the 5GT knows how to get to the IP pool hosts and doesn't need to ARP for those addresses.

Try changing your IP pool to a different subnet than your trust interface (i.e. 10.20.x.x subnet). Then be sure that any hosts that need to be reachable by the VPN clients have a route to that subnet or default route pointing to the 5GT trust interface.

-Richard
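To make the two answers above concrete (Kashif's point that return traffic must leave the LAN via the 5GT's trust interface, and Richard's point that a pool inside 10.10.0.0/16 makes LAN hosts ARP for client addresses that nobody answers), here is an added Python check that is not part of the thread. It parses the relevant lines from the posted config, flags the overlap, and shows which next hop the mail server would pick for a reply before and after moving the pool to a 10.20.x.x range; the function names and the 10.20.0.100-10.20.0.250 range are my own choices.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above: only the lines that decide
# whether a LAN host can reach a dial-up (L2TP) client.
CONFIG_AS_POSTED = """
set interface trust ip 10.10.0.0/16
set interface trust manage-ip 10.10.1.2
set ippool "l2-pool" 10.10.10.100 10.10.10.250
"""
# Same excerpt with the pool moved off the trust subnet, as the answer suggests.
CONFIG_FIXED = CONFIG_AS_POSTED.replace("10.10.10.100 10.10.10.250",
                                        "10.20.0.100 10.20.0.250")

def parse_screenos(text):
    """Return (trust network, (first pool address, last pool address))."""
    iface = re.search(r'^set interface trust ip (\S+/\d+)$', text, re.M)
    pool = re.search(r'^set ippool "[^"]+" (\S+) (\S+)$', text, re.M)
    net = ipaddress.ip_network(iface.group(1), strict=False)
    return net, (ipaddress.ip_address(pool.group(1)),
                 ipaddress.ip_address(pool.group(2)))

def pool_overlaps_interface(net, pool):
    """True if either end of the pool lies inside the trust interface subnet."""
    first, last = pool
    return first in net or last in net

def next_hop(host_net, gateway, dst):
    """How a LAN host in host_net (default gateway 'gateway') delivers to dst.
    On-link: the host ARPs; with the pool inside 10.10.0.0/16 and no proxy ARP
    on the 5GT nobody answers.  Off-link: the frame goes to the gateway, which
    owns the L2TP tunnel and forwards it to the client."""
    if ipaddress.ip_address(dst) in host_net:
        return "arp"
    return gateway

def diagnose(text, gateway="10.10.1.2"):
    """What the mail server (10.10.1.14/16, gateway 10.10.1.2) does with a reply
    to the first pool address."""
    net, pool = parse_screenos(text)
    return {"overlap": pool_overlaps_interface(net, pool),
            "next_hop": next_hop(net, gateway, str(pool[0]))}

if __name__ == "__main__":
    print("as posted:", diagnose(CONFIG_AS_POSTED))  # overlap True, next_hop 'arp'
    print("fixed:    ", diagnose(CONFIG_FIXED))      # overlap False, next_hop '10.10.1.2'
```

After the move, hosts whose default gateway is still the Netgear (10.10.1.1) additionally need a static route for the new pool subnet pointing at 10.10.1.2, exactly as Richard says.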

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.