VPN up, can't ping gateway

Rneinas · ‎03-16-2012

Hello,

I received a SSG5 router to play around with and get my feet wet in the world of routing. I configured a dialup VPN and I can get the client to connect and get an IP address, but I cannot ping the default gateway. Also, the VPN session only stays up for about 3 minutes then the security association expires. Not sure about that one either. Any help is greatly appreciated.

nikolay.semov · ‎03-15-2012

I'm assuming that by "default gateway" you mean the xx.xx.xx.1 address listed as gateway for eth0/0.

So, you have the gateway address of xx.xx.xx.1 in the Untrust zone, and the VPN client in the Untrust zone as well, but your dial-up VPN policy is for traffic between zone Untrust and Trust, hence there's no policy to facilitate traffic between the VPN client and the default gateway.

The SA would normally expire if there's no traffic (e.g. real traffic, or keep-alives, or something else). Depending on the client, it can be "dialed up" again when there's a need. To see if there's a problem, try, for example, pinging continuously an IP in your Trust zone from the VPN client, and see if the SA will get destroyed while doing that.

Rneinas · ‎03-16-2012

Thanks for the response. If the VPN is up and I have an IP, wouldn't I be able to ping the VPN router at 172.168.1.1? That was the test I was trying to perform.

nikolay.semov · ‎03-15-2012

I think you should be able to. But you're missing set interface bgroup0 manage ping.

Rneinas · ‎03-16-2012

Thank you, I'll give that a shot and report back with my findings.

Rneinas · ‎03-16-2012

No, I'm still unable to ping 172.168.1.1 or any IP in the trust zone. I did notice this notification pop up on the SSG5 monitor: VPN monitoring for VPN <vpnclient_tunnel> has deactivated the SA with ID 0x00008C. Could this have something to do with the VPN dropping the client after a couple of minutes?

nikolay.semov · ‎03-15-2012

What is the VPN client you're using? Could you please post the IP address of the client (not the VPN-assigned one) and a trace-route between the client and 172.168.1.1 before and after VPN is established.

Rneinas · ‎03-16-2012

I'm using Shrewsoft as the client. If there's a better one out there, let me know. As far as the traceroutes go, there isn't much to say. Before the VPN connection, it gets out to the internet and dies and when the VPN is connected, it doesn't go anywhere.

Rneinas · ‎03-16-2012

Sorry, the client IP address before connection to the VPN is 192.168.1.64.

nikolay.semov · ‎03-15-2012

You can check out the NetScreen Remote VPN Client, just in case something's up with the VPN client you're using now.

Also, you can enable logging on your VPN policies and see if the traffic gets logged there.

Then, try pinging something on the inside of the firewall (172.168.1.x).

Finally, we may need to run a debug session on the firewall to see what really is happening there.

VPN up, can't ping gateway

Re: VPN up, can't ping gateway

Re: VPN up, can't ping gateway

Re: VPN up, can't ping gateway

Re: VPN up, can't ping gateway

Re: VPN up, can't ping gateway

Re: VPN up, can't ping gateway

Re: VPN up, can't ping gateway

Re: VPN up, can't ping gateway

Re: VPN up, can't ping gateway