04-10-2012 05:16 PM
Thanks for all the comments, but it looks like I'm moving backwards in my configuration. Is Policy based routing the way to go? I guess at this point, I just want the tunnel to come up and be able to move around on the trust network. I'm willing to try a different approach if need be. A simple setup will work. I can always add more security as I learn more about the device and policies. I'm really just frustrated right now and will try anything to move forward again. Thanks again.
04-10-2012 05:23 PM
I followed the instructions in KB22074 for the Shrew Soft VPN client. Now, I can't even bring the tunnel up. Before, I was able to bring the tunnel up, but the security associations never established. Here is a snapshot of the event log. If anyone has ideas, let me know. I'll be happy to share any configs or snapshots you think might help out.
04-11-2012 02:29 AM
You should create an IP pool. An IP from this pool will be assigned to the client during the extended authentication (XAUTH). The pool can be mapped to the default XAUTH settings (VPNs -> AutoKeys Advanced -> XAuth settings), to the Gateway Configuration or to the user profile. The settings in the user profile override those in the GW configuration and the last override the default settings. The same rule holds true for the DNS and WINS server IPs which can be assigned the same way.
You can also assign static IPs to each user in the user profile. This is usually used if the access policies are very restrictive and each user should have a specific set of access rights.
04-19-2012 08:09 PM
I've tried various ways of configuring this router. I even started from scratch and rebuilt the whole thing. I'm convinced I have some sort of problem with my policies and the configuration of the client. How does DNS figure into this? I haven't added anything as far as DNS entries into the VPN, just the DNS on the untrust interface (ethernet 0/0). I still can't get a security association to come up using the knowledge base you suggested in previous posts with the Shrewsoft client. That's my first problem and the one I need to concentrate on. My knowledge of subnetting has hampered this process as I am just starting out, so here's what I can tell you. The trust zone is set for 126.96.36.199/24. The VPN IP pool starts at 188.8.131.52. I know that the VPN needs to be on a different subnet than the trust zone or internal LAN. Can you please give me an idea of how the policies need to be set up? I don't need any special permissions or anything. I just need the VPN connection to be able to access the 184.108.40.206/24.
Thanks again for your help,
04-20-2012 01:08 AM
If you use the route-based VPN, the policies and the VPN itself are fully independent of each other. This is a great advantage of the route-based VPN: multiple and very granular policies can be created while the VPN stays the same. But if you need a simple access policy, the same for all dialup users, create an Untrust subnet object like 220.127.116.11/27 which covers the remote IP pool, or a group of host objects like 18.104.22.168/32 - 172.168.3.x/32. Configure a single Untrust-to-Trust policy:
Subnet object or Group -> 22.214.171.124/24 Service: Any.
If you assign no DNS in the IP pool, the client uses the DNS servers which are configured in TCP/IP. If internal servers should be used, their addresses should be added to the pool configuration. If these servers are not located in the network 126.96.36.199/24, you need one more VPN Proxy ID (topology entry) both on the client and the FW. Otherwise the clients will not be able to reach the DNS servers.
I assume that you use ScreenOS 6.3 which supports multiple Proxy IDs with the route-based VPN.
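The pool, address object, single policy and proxy-ID described in the reply above, written out as a ScreenOS 6.3 CLI fragment. This is an added illustration, not the poster's configuration: the IKE gateway, VPN object, tunnel interface and route are assumed to exist already, and the object names, the 10.10.10.0/27 pool, the 192.168.1.0/24 Trust LAN and the DNS address are placeholders I chose. Lines beginning with `#` are annotations, not CLI commands.

```text
# 1. Dial-up address pool, handed to each client during XAuth. It must not
#    overlap the Trust LAN; here it is a /27 carved out of 10.10.10.0/24.
set ippool "dialup-pool" 10.10.10.1 10.10.10.30
set xauth default ippool "dialup-pool"
# Internal DNS server pushed to the client. Leave this out if there is none:
# the client then keeps the resolver from its own TCP/IP settings.
set xauth default dns1 192.168.1.10

# 2. Untrust address object that covers the whole pool, referenced by the policy.
set address "Untrust" "dialup-clients" 10.10.10.0 255.255.255.224

# 3. The "simple access policy" case: one permissive Untrust-to-Trust rule.
#    "log" makes the first successful connections visible in the event log;
#    narrow the service column once the tunnel is known to work.
set policy id 10 from "Untrust" to "Trust" "dialup-clients" "Any" "ANY" permit log

# 4. Proxy-ID on the firewall side: Trust LAN <-> client pool. The Shrew Soft
#    policy on the client must mirror this exactly with local/remote swapped.
set vpn "dialup-vpn" proxy-id local-ip 192.168.1.0/24 remote-ip 10.10.10.0/27 "ANY"
# If the DNS server lives in a second subnet, add one more proxy-id for that
# subnet here and the matching topology entry in the client, as the reply notes.
```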