OK, so I have been battling with a little problem. I have a NetScreen SSG5 running 6.1.0r4.0 and no Juniper experience. I have managed to bypass the functions of the BT Business Hub, put it into bridge mode, and use PPPoE to authenticate the ADSL, so the NetScreen gets my single static IP. I have also managed to configure my port forwarding using VIPs and policies to my internal devices, i.e. mail server, CCTV and RDP access to various machines. I do not have any other switch or hub, just the ports on the NetScreen. I have a wireless access point which supports VLAN tagging, so I have created some VLAN-type things using sub-interfaces on bgroup0: bgroup0 is bound to ports 1-6 with IP 192.168.10.1, untagged (DHCP off); a sub-interface bgroup0.1, VLAN tag 1, with IP 192.168.11.1 (DHCP on); and another sub-interface bgroup0.2, VLAN tag 200, with IP 172.16.16.1 (DHCP on), all in the Trust zone. I then have my wireless AP connected on port 2 using the untagged IP 192.168.10.49, with an SSID for corp use on VLAN 1 and an SSID for guest access on VLAN 200. Then, in Zones, for the Trust zone I ticked the box "Block intra-zone traffic" so anything connected on the guest SSID can't see anything in the other subnets. I then created an intra-zone policy to allow traffic between the untagged VLAN and VLAN 1 subnets (192.168.10.0 - 192.168.11.0), so now my portable devices can connect to my corp network and see internal resources, and I can have a guest SSID that can't see anything.
OK, so now you have the background on what I have managed to set up. Here is the part I need help with.
I have created a VPN using a pre-shared key, no certs or anything fancy. At home I have a DrayTek 2820 with a dynamic external IP address and internal address 10.10.10.1, so I also use a No-IP solution to give myself a hostname that auto-updates.
So I have created a VPN using a hostname address on the SSG side and the external IP on my DrayTek side; all I set on the VPN side of things was the IKE pre-shared key and the phase 1 and 2 proposals. I then used another policy to tunnel these to my internal network from the external address set up in the address list (I entered my home network and labelled it "home"). Now the VPN is working fine in that respect: from my home network I can ping the internal IPs of the SSG and my server, ping from 10.10.10.49 to 192.168.10.201 100% success, and vice versa. Now I want to also be able to access the various wireless devices I may have connected to the corp SSID (VLAN 1, subnet 192.168.11.0). I thought this would be as easy as creating a new VPN policy to route traffic from my external network 10.10.10.0 (or "home" as labelled in the address list) to the other subnet 192.168.11.0, allowing all traffic and putting this through the same tunnel, then on the DrayTek side adding a new route to the VPN to also have 192.168.11.0 in my remote network list. When it connects, the routing table shows:
192.168.10.0/ 255.255.255.0 via 81.149.137.206, VPN
192.168.11.0/ 255.255.255.0 via 81.149.137.206, VPN
But alas, no. I cannot get it to work; I cannot get to the other subnet from home through the VPN. Can anyone shed some light? I can upload configs if needed.
Would really appreciate it :)
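For reference, here is what the setup described in the post looks like as ScreenOS 6.1 CLI. This is an added illustration written for this page, not the poster's own config or anything from Juniper or DrayTek. The addresses, VLAN tags and interface names are the ones given in the post; the object names in quotes ("corp-lan", "corp-wifi", "guest-wifi", "home", "home-gw", "home-vpn"), the policy IDs, the pre-shared key and the No-IP hostname are placeholders I have assumed. Port bindings for bgroup0 and the DHCP server settings are left out as the post does not give them. The policies are written as a policy-based VPN, where each tunnel policy pair negotiates its own Phase 2 SA with a proxy-ID taken from that policy's source and destination addresses, so the far end needs a matching Phase 2 entry for each subnet.

```text
# --- Interfaces: bgroup0 untagged, sub-interfaces for VLAN 1 and VLAN 200, all in Trust
set interface bgroup0 zone trust
set interface bgroup0 ip 192.168.10.1/24
set interface bgroup0.1 tag 1 zone trust
set interface bgroup0.1 ip 192.168.11.1/24
set interface bgroup0.2 tag 200 zone trust
set interface bgroup0.2 ip 172.16.16.1/24

# "Block intra-zone traffic" for Trust, so guest Wi-Fi cannot reach the other subnets
set zone trust block

# --- Address book (names are assumed placeholders)
set address trust "corp-lan"   192.168.10.0 255.255.255.0
set address trust "corp-wifi"  192.168.11.0 255.255.255.0
set address trust "guest-wifi" 172.16.16.0  255.255.255.0
set address untrust "home"     10.10.10.0   255.255.255.0

# --- Intra-zone policy: untagged LAN <-> corp Wi-Fi only (guest-wifi gets no policy)
set policy from trust to trust "corp-lan"  "corp-wifi" "ANY" permit
set policy from trust to trust "corp-wifi" "corp-lan"  "ANY" permit

# --- IKE gateway to the DrayTek by No-IP hostname, PSK, default proposals
#     (hostname and pre-shared key are placeholders)
set ike gateway "home-gw" address myhome.example-no-ip.org Main outgoing-interface untrust preshare "REPLACE-ME" sec-level standard
set vpn "home-vpn" gateway "home-gw" sec-level standard

# --- Tunnel policies. Policies 10/11 carry 10.10.10.0/24 <-> 192.168.10.0/24,
#     policies 12/13 carry 10.10.10.0/24 <-> 192.168.11.0/24 over the same VPN object.
#     Each pair yields its own Phase 2 SA and proxy-ID (home <-> corp-lan, home <-> corp-wifi),
#     so the DrayTek must offer a second Phase 2 for 192.168.11.0/24, not just a route.
set policy id 10 from untrust to trust "home" "corp-lan" "ANY" tunnel vpn "home-vpn" pair-policy 11
set policy id 11 from trust to untrust "corp-lan" "home" "ANY" tunnel vpn "home-vpn" pair-policy 10
set policy id 12 from untrust to trust "home" "corp-wifi" "ANY" tunnel vpn "home-vpn" pair-policy 13
set policy id 13 from trust to untrust "corp-wifi" "home" "ANY" tunnel vpn "home-vpn" pair-policy 12

# --- Checks after bringing the tunnel up from home
#     get ike cookie      -> Phase 1 with the DrayTek is established
#     get sa              -> expect one active SA per policy pair (two, not one)
#     get policy id 12    -> hit counters increment when 192.168.11.0/24 is tested
#     get route           -> 10.10.10.0/24 is not expected here for a policy-based VPN
```

The thing to compare on the two boxes is the list under `get sa`: if only the corp-lan SA is active after the second policy pair is added, the second Phase 2 never negotiated and the DrayTek's remote-network list is the place to look, since a route entry on its side does not by itself create a Phase 2 selector.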