ScreenOS Firewalls (NOT SRX)
Contributor
biker
Posts: 21
Registered: ‎05-07-2008
0

dialup VPN not passing traffic

I have the Dialup VPN configured as per KB4772 or KB6623.

The VPN is up but I am unable to pass traffic over it, ping as an example. I followed another thread:

Try the following:
- Edit your VPN policy
- Go in advanced configuration
- Activate the source NAT with Egress Interface

I didn't get the happiness that the Hulk got. ;)

Any ideas?

Thanks so much!!

-rha

 

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008
0

Re: dialup VPN not passing traffic

Hi,

If you post your configuration then it will help us to diagnose your problem, but remember to hide your public IP addresses. One thing which normally occurs with a problem like you are facing is that the dialup VPN pool is the same as the trust subnet; that's why the VPN is up but traffic does not pass. Try to use a different subnet for the dialup VPN users, one which is not used anywhere in the network.

Thanks

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!
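A quick way to check the overlap condition Kashif describes, as an added example that is not part of this thread and not ScreenOS code: the subnets below are constructed placeholders (the poster's real config was attached to the thread, not shown), and the check asks whether the dialup pool overlaps the trust subnet or any other routed network, then proposes an unused block. It goes slightly beyond the post by testing every routed subnet, not only trust, since a pool that collides with any network the firewall routes to produces the same symptom.

```python
from __future__ import annotations
import ipaddress

# Constructed sample subnets, not the poster's.
TRUST_SUBNET = "192.168.10.0/24"
OTHER_ROUTED = ["192.168.20.0/24", "10.0.0.0/16"]  # other networks reachable behind the firewall


def check_dialup_pool(pool: str, trust: str, other_routed: list[str]) -> list[str]:
    """Return a list of problems found with a dialup VPN address pool (empty list = OK).

    A pool that overlaps the trust subnet brings the tunnel up (IKE does not care)
    but leaves hosts unable to tell pool addresses from local ones, so traffic dies.
    """
    pool_net = ipaddress.ip_network(pool, strict=False)
    problems = []
    for label, cidr in [("trust", trust)] + [("routed", c) for c in other_routed]:
        net = ipaddress.ip_network(cidr, strict=False)
        if pool_net.overlaps(net):
            problems.append(f"pool {pool_net} overlaps {label} subnet {net}")
    if not pool_net.is_private:
        problems.append(f"pool {pool_net} is not private (RFC 1918) address space")
    return problems


def suggest_free_pool(in_use: list[str], candidate_space: str = "172.16.0.0/12",
                      prefix: int = 24) -> str | None:
    """First /prefix block inside candidate_space that overlaps nothing in use, or None."""
    used = [ipaddress.ip_network(c, strict=False) for c in in_use]
    for cand in ipaddress.ip_network(candidate_space).subnets(new_prefix=prefix):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


if __name__ == "__main__":
    for candidate in ("192.168.10.0/24", "10.0.5.0/24", "172.16.50.0/24"):
        print(candidate, "->", check_dialup_pool(candidate, TRUST_SUBNET, OTHER_ROUTED) or "OK")
    print("suggested pool:", suggest_free_pool([TRUST_SUBNET] + OTHER_ROUTED))
```

Run it with the pool you configured under the dialup user group and every subnet the SSG routes to; an empty list is what you want before you look anywhere else.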
Super Contributor
sylvain
Posts: 162
Registered: ‎12-20-2007
0

Re: dialup VPN not passing traffic

Hi Biker,

This kind of issue can appear if there is a NAT device in the middle of your tunnel. Is that your case?

If yes, try to activate NAT Traversal and UDP checksum in your configuration (on both devices):
Menu VPN, Advanced IKE, Gateway, edit your Gateway and go into Advanced Settings.

Regards,

Contributor
biker
Posts: 21
Registered: ‎05-07-2008
0

Re: dialup VPN not passing traffic

Kashif Rana,

My dialup network is on another LAN. Thanks

Sylvain,

I do have NAT Traversal and checksum checked. You mentioned both sides. Is there any setting in the NetScreen-Remote configuration? I didn't see anything relating to NAT Traversal. Thanks

I am attaching my config.

Thanks to all for your kind help!

Message Edited by biker on 07-16-2008 06:24 AM
Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008
0

Re: dialup VPN not passing traffic

According to my perception, if the VPN is able to establish then there is no issue of NAT traversal.
Kashif Rana
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007
0

Re: dialup VPN not passing traffic

I agree with Kashif-Rana. If a NAT device in the network were the issue then you would not even complete phase 1. Also NetScreen-Remote enables nat-traversal by default so that shouldn't be the problem. Your SSG configs look correct. Can I assume that your NetScreen-Remote has your trusted subnet for remote party address?

You also should not need to enable NAT per se on your policy. I also assume that your PC hosts on your trust side all have a route for your IP pool addresses or default route pointing to the SSG, right? If so, then I would recommend running 'debug flow basic' on your SSG to see what is happening with your IPSec data traffic. You can set your ffilter as src-ip of your NetScreen-Remote public IP address and also src-ip of whatever host you are trying to reach on your trust side (for return traffic). Post your output of 'get db stream' for analysis.

-Richard

Contributor
biker
Posts: 21
Registered: ‎05-07-2008
0

Re: dialup VPN not passing traffic

Yes, NetScreen-Remote has my trusted subnet for the remote party address.

Yes, routing for PC hosts is in place. Right now I'm trying to establish a dialup VPN to just 1 trusted network that is defined. Once this is complete I'm going to go deeper into the network.

Attached is the debug flow.

Super Contributor
sylvain
Posts: 162
Registered: ‎12-20-2007
0

Re: dialup VPN not passing traffic

Hi All,

OK, it does not seem to be a NAT-T problem in this case.

Just to clarify my explanation: if there is a NAT device in a site-to-site environment and NAT-T is not enabled, you can be able to create phase 1 and phase 2 because IKE is not always disturbed by NAT. The problem occurs when you try to send data with the ESP protocol. The NAT device tries to change the Layer 4 header and simply drops the packet because it is not able to change it.

I just thought it could be the problem here, but it's not. :)

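To make the ESP-versus-NAT point in Sylvain's post concrete, here is an added illustration that is not from the thread, from NetScreen or from any real NAT implementation: a toy port-translating NAT that rewrites the source address and source port of outbound UDP. Raw ESP (IP protocol 50) carries only an SPI and a sequence number after the IP header, so there is no port for the translator to map and the packet is dropped; with NAT-T the same ESP segment travels inside UDP port 4500 and passes. Addresses are constructed from the RFC 5737 documentation ranges, and `napt_outbound` and `parse_outer` are names invented for this example.

```python
from __future__ import annotations
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500  # UDP port used by NAT-Traversal (RFC 3948 UDP encapsulation of ESP)


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header; 0 when the header is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (no options) with a valid header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by opaque encrypted data: no port numbers anywhere."""
    return struct.pack("!II", spi, seq) + ciphertext


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; a zero checksum is permitted for IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def napt_outbound(packet: bytes, public_ip: str, mapped_port: int) -> bytes | None:
    """Toy port-translating NAT for one outbound packet.

    Only UDP is handled (TCP is omitted for brevity). Anything without UDP ports,
    raw ESP included, gives the translator nothing to map, so it is dropped (None).
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP:
        return None
    l4 = bytearray(packet[ihl:])
    l4[0:2] = struct.pack("!H", mapped_port)   # rewrite source port
    l4[6:8] = b"\x00\x00"                       # zero UDP checksum; a real NAT updates it incrementally
    hdr = bytearray(packet[:ihl])
    hdr[12:16] = ipaddress.IPv4Address(public_ip).packed  # rewrite source address
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + bytes(l4)


def parse_outer(packet: bytes) -> dict:
    """Decode the fields a NAT cares about: addresses, protocol and (for UDP) ports."""
    ihl = (packet[0] & 0x0F) * 4
    info = {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": packet[9],
        "header_ok": ip_checksum(packet[:ihl]) == 0,
        "sport": None,
        "dport": None,
        "payload": packet[ihl:],
    }
    if info["proto"] == IPPROTO_UDP:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
        info["payload"] = packet[ihl + 8:]
    return info


# Constructed addresses (RFC 5737 documentation ranges), not the poster's.
CLIENT, PEER, NAT_PUBLIC = "192.168.1.50", "203.0.113.10", "198.51.100.1"
ESP_SEGMENT = build_esp(spi=0x1000, seq=1, ciphertext=b"\xde\xad\xbe\xef" * 4)

RAW_ESP = build_ipv4(CLIENT, PEER, IPPROTO_ESP, ESP_SEGMENT)
NAT_T = build_ipv4(CLIENT, PEER, IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, ESP_SEGMENT))

if __name__ == "__main__":
    print("raw ESP through NAPT:", napt_outbound(RAW_ESP, NAT_PUBLIC, 40001))
    print("NAT-T through NAPT  :", parse_outer(napt_outbound(NAT_T, NAT_PUBLIC, 40001)))
```

The ESP segment comes out of the NAT-T path byte-for-byte unchanged, which is the whole point of the encapsulation: the translator touches only the outer UDP header. Some gateways offer an "IPsec passthrough" mode that tracks raw ESP by SPI instead of by port, which is why this symptom is device-dependent rather than universal.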
Contributor
biker
Posts: 21
Registered: ‎05-07-2008
0

Re: dialup VPN not passing traffic

Hi all,

I put a sniffer on the remote dialup PC and noticed that there is 0 traffic on the PPP SafeNet Virtual Adapter interface. So it appears the problem may exist on the remote dialup PC. I would think that I would see at least the ICMP traffic attempting to route through that interface?

Thanks

-rha

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008
0

Re: dialup VPN not passing traffic

Hi biker,

Can you post the output of the route print command on the dialup VPN PC, when connected via the VPN?

Thanks

Kashif Rana
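biker's observation of zero traffic on the SafeNet virtual adapter and Kashif's request for `route print` come down to the same question: which interface does Windows pick for a packet to the trusted subnet? The following added example (not from the thread; the table is constructed in the layout of Windows `route print`, with 10.10.10.5 standing in for the pool address on the virtual adapter and 192.168.10.0/24 for the trusted subnet) parses that table and performs the longest-prefix, lowest-metric selection, so you can see a ping to the trusted subnet leave via the virtual adapter when the route exists and via the default gateway when it does not.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Constructed output in the layout of Windows 'route print'; addresses are made up.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
     192.168.10.0    255.255.255.0         On-link      10.10.10.5     26
       10.10.10.5  255.255.255.255         On-link      10.10.10.5    281
===========================================================================
"""

# Same table without the route for the trusted subnet: the client never learned it.
SAMPLE_MISSING_VPN_ROUTE = "\n".join(
    line for line in SAMPLE_ROUTE_PRINT.splitlines()
    if not line.lstrip().startswith("192.168.10.0 ")
)

ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str       # an address or the literal "On-link"
    interface: str     # the local address of the interface the route uses
    metric: int


def parse_route_print(text: str) -> list[Route]:
    """Extract the 'Active Routes' rows; header, separator and IPv6 lines do not match the pattern."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        routes.append(Route(ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface, int(metric)))
    return routes


def select_route(routes: list[Route], destination: str) -> Route | None:
    """Longest prefix wins; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def egress_interface(route_print_text: str, destination: str) -> str | None:
    route = select_route(parse_route_print(route_print_text), destination)
    return route.interface if route else None


if __name__ == "__main__":
    target = "192.168.10.20"  # a host on the trusted subnet
    print("with VPN route   :", egress_interface(SAMPLE_ROUTE_PRINT, target))
    print("without VPN route:", egress_interface(SAMPLE_MISSING_VPN_ROUTE, target))
```

If the second case is what your own `route print` shows while connected, the ping is leaving through the physical NIC in the clear rather than through the virtual adapter, which matches seeing nothing on the SafeNet interface; the remote party address in the NetScreen-Remote policy is what installs that route.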