07-15-2008 05:30 PM
I have the Dialup VPN configured and as per
The VPN is up but I am unable to pass traffic over it, ping as an example. I followed another thread:
Try the following :
- Edit your VPN policy
- Go into the advanced configuration
- Activate source NAT with Egress Interface
I didn't get the happiness that the Hulk got. :<
Thanks so much!!
07-15-2008 09:18 PM
If you post your configuration it will help us diagnose your problem, but remember to hide your public IP addresses. One thing that normally occurs with a problem like the one you are facing is that the dialup VPN pool is the same as the trust subnet; that's why the VPN is up but traffic does not pass. Try to use a different subnet for the dialup VPN users, one that is not used anywhere in the network.
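The pool/trust collision described in the reply above is easy to catch before a tunnel is ever built. The following is an added example, not code from the thread or from Juniper: it takes a proposed dialup pool and the subnets already in use (firewall zones plus the remote client's own LAN, since a client whose home LAN matches the trust subnet shows the same "tunnel up, no traffic" symptom) and reports every overlap. The function name `pool_conflicts` and all addresses are constructed for the example.

```python
"""Added example: flag a dialup-VPN address pool that overlaps a subnet already
used somewhere in the network. Addresses below are constructed, except that the
trust and remote-LAN ranges mirror the ones seen later in this thread."""
from __future__ import annotations

from ipaddress import ip_network


def pool_conflicts(pool: str, in_use: dict[str, str]) -> list[tuple[str, str]]:
    """Return (label, subnet) pairs whose address range overlaps `pool`.

    `pool`   - the dialup VPN pool handed out to remote clients
    `in_use` - label (zone, interface, or 'remote LAN') -> CIDR already routed
    An empty list means the pool is unique and reply traffic has exactly one
    place to go: back into the tunnel.
    """
    pool_net = ip_network(pool, strict=False)
    return [
        (label, cidr)
        for label, cidr in in_use.items()
        if pool_net.overlaps(ip_network(cidr, strict=False))
    ]


# Constructed topology: three firewall-side subnets plus the LAN the remote
# PC sits on (the SSG cannot see that one, which is why it must be checked too).
NETWORK = {
    "trust": "192.168.239.0/24",
    "dmz": "10.10.10.0/24",
    "mgmt": "172.16.0.0/24",
    "remote client LAN": "192.168.12.0/24",
}


def main() -> None:
    # Bad: the pool is carved out of the trust subnet. The firewall now has a
    # connected route and a tunnel route for the same hosts.
    for label, cidr in pool_conflicts("192.168.239.200/29", NETWORK):
        print(f"pool 192.168.239.200/29 overlaps {label} ({cidr})")
    # Bad in a different way: the pool collides with the client's own LAN,
    # so the client's local route wins and nothing enters the virtual adapter.
    for label, cidr in pool_conflicts("192.168.12.0/24", NETWORK):
        print(f"pool 192.168.12.0/24 overlaps {label} ({cidr})")
    # Good: a dedicated range that appears nowhere else.
    if not pool_conflicts("192.168.241.0/24", NETWORK):
        print("pool 192.168.241.0/24 is unique, safe to use")


if __name__ == "__main__":
    main()
```

Feed `in_use` from `get route` on the firewall and from `route print` on a representative client; any non-empty result is a reason to pick a different pool before debugging policies.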
07-16-2008 05:36 AM
This kind of issue can appear if there is a NAT device in the middle of your tunnel. Is that your case?
If yes, try to activate NAT Traversal and UDP checksum in your configuration (on both devices).
Menu VPN, Advanced IKE, Gateway, Edit your Gateway and go into Advanced Settings.
07-16-2008 06:21 AM - edited 07-16-2008 06:24 AM
My dialup network is on another LAN. Thanks
I do have NAT Traversal and checksum checked. You mentioned both sides. Is there any setting in the NetScreen-Remote configuration? I didn't see anything relating to NAT Traversal. Thanks
I am attaching my config
Thanks to all for your kind help!
07-16-2008 07:16 AM
I agree with Kashif-Rana. If a NAT device in the network were the issue then you would not even complete phase 1. Also NetScreen-Remote enables nat-traversal by default so that shouldn't be the problem. Your SSG configs look correct. Can I assume that your NetScreen-Remote has your trusted subnet for remote party address?
You also should not need to enable NAT per se on your policy. I also assume that your PC hosts on your trust side all have a route for your IP pool addresses or a default route pointing to the SSG, right? If so, then I would recommend running 'debug flow basic' on your SSG to see what is happening with your IPsec data traffic. You can set your ffilter as src-ip of your NetScreen-Remote public IP address and also src-ip of whatever host you are trying to reach on your trust side (for return traffic). Post your output of 'get db stream' for analysis.
07-16-2008 08:10 AM
Yes, NetScreen-Remote has my trusted subnet for the remote party address.
Yes routing for PC hosts is in place. Right now I'm trying to establish a dialup VPN to just 1 trusted network that is defined. Once this is complete I'm going to go deeper into the network.
Attached is the debug flow.
07-16-2008 01:44 PM
OK, it does not seem to be a NAT-T problem in this case.
Just to clarify my explanation: if there is a NAT device in a site-to-site environment and NAT-T is not enabled, you can still create phase 1 and phase 2 because IKE is not always disturbed by NAT. The problem occurs when you try to send data with the ESP protocol. The NAT device tries to change the Layer 4 header and simply drops the packet because it is not able to change it.
I just thought it could be the problem here, but it's not.
07-16-2008 02:12 PM
I put a sniffer on the remote dialup PC and noticed that there is 0 traffic on the PPP SafeNet Virtual Adapter interface. So it appears the problem may exist on the remote dialup PC. I would think that I would see at least the ICMP traffic attempting to route through that interface?
07-16-2008 09:18 PM
Can you post the output of the route print command on the dialup VPN PC, when connected via VPN?
07-17-2008 03:20 AM
192.168.241.5 is the SafeNet virtual adapter.
Thanks for your help. I will be out of the office for a few days so this will be my last correspondence until Sunday.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\gdaliberty>route print
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 11 43 b4 64 19 ...... Broadcom NetXtreme 57xx Gigabit Controller -
Packet Scheduler Miniport
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.12.254 192.168.12.100 21
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.12.0 255.255.255.0 192.168.12.100 192.168.12.100 20
192.168.12.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.12.255 255.255.255.255 192.168.12.100 192.168.12.100 20
192.168.239.0 255.255.255.0 192.168.241.5 192.168.241.5 1
192.168.241.5 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.241.5 255.255.255.255 192.168.241.5 192.168.241.5 1
192.168.241.255 255.255.255.255 192.168.241.5 192.168.241.5 50
18.104.22.168 240.0.0.0 192.168.12.100 192.168.12.100 20
22.214.171.124 240.0.0.0 192.168.241.5 192.168.241.5 50
255.255.255.255 255.255.255.255 192.168.12.100 192.168.12.100 1
255.255.255.255 255.255.255.255 192.168.241.5 192.168.241.5 1
Default Gateway: 192.168.12.254
C:\Documents and Settings\gdaliberty>
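The question behind the `route print` request is whether traffic for the trusted subnet is actually handed to the SafeNet virtual adapter; if it is not, a sniffer on that adapter will always show zero packets. The following is an added example, not code from the thread or from Juniper: it parses the IPv4 route table section of Windows `route print` output (the table posted above is embedded as the sample), performs the longest-prefix-match lookup the Windows stack does, and reports which interface a given destination leaves by. `Route`, `parse_route_print`, `lookup` and `uses_tunnel` are names chosen for this example.

```python
"""Added example: parse Windows `route print` output and resolve the egress
interface for a destination, to confirm the tunnel subnet really points at
the virtual adapter. The sample table is the one posted in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: IPv4Address
    interface: IPv4Address
    metric: int


# One IPv4 route-table row: destination, netmask, gateway, interface, metric.
_OCTETS = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_ROW = re.compile(
    rf"^\s*{_OCTETS}\s+{_OCTETS}\s+{_OCTETS}\s+{_OCTETS}\s+(\d+)\s*$"
)


def parse_route_print(text: str) -> list[Route]:
    """Extract IPv4 routes, skipping the interface list, column headers and
    the 'Default Gateway:' footer that `route print` also emits."""
    routes: list[Route] = []
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        # strict=False: some rows (the 240.0.0.0 multicast entries) carry host
        # bits, which IPv4Network would otherwise reject.
        routes.append(Route(IPv4Network(f"{dest}/{mask}", strict=False),
                            ip_address(gw), ip_address(iface), int(metric)))
    return routes


def lookup(routes: list[Route], dst: str) -> Route | None:
    """Longest-prefix match; among equal prefix lengths the lowest metric
    wins, which is how the Windows stack picks an egress route."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def uses_tunnel(routes: list[Route], dst: str, tunnel_ip: str) -> bool:
    """True when `dst` egresses via the interface owning `tunnel_ip`."""
    r = lookup(routes, dst)
    return r is not None and r.interface == ip_address(tunnel_ip)


# Route table as posted above (192.168.241.5 is the SafeNet virtual adapter).
ROUTE_PRINT = """
0x1 ........................... MS TCP Loopback interface
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.12.254 192.168.12.100 21
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.12.0 255.255.255.0 192.168.12.100 192.168.12.100 20
192.168.12.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.12.255 255.255.255.255 192.168.12.100 192.168.12.100 20
192.168.239.0 255.255.255.0 192.168.241.5 192.168.241.5 1
192.168.241.5 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.241.5 255.255.255.255 192.168.241.5 192.168.241.5 1
192.168.241.255 255.255.255.255 192.168.241.5 192.168.241.5 50
18.104.22.168 240.0.0.0 192.168.12.100 192.168.12.100 20
22.214.171.124 240.0.0.0 192.168.241.5 192.168.241.5 50
255.255.255.255 255.255.255.255 192.168.12.100 192.168.12.100 1
255.255.255.255 255.255.255.255 192.168.241.5 192.168.241.5 1
Default Gateway: 192.168.12.254
"""

if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for dst in ("192.168.239.10", "10.1.1.1"):
        r = lookup(table, dst)
        via = "tunnel" if uses_tunnel(table, dst, "192.168.241.5") else "LAN"
        print(f"{dst} -> {r.network} via {r.interface} ({via})")
```

Run against the table above, a host in 192.168.239.0/24 resolves to the virtual adapter while anything outside it falls to the default route on the physical NIC; a second trusted subnet would need its own row pointing at 192.168.241.5 before the sniffer could ever see it.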
07-21-2008 09:45 AM
Problem corrected. During testing I configured 2 security policies with the same trusted networks. I stopped one of them in the GUI and it disabled traffic to that trusted network. Once I deleted the stopped policy, everything was good.
Thanks to Juniper support and everyone here for helping. I didn't realize that would happen.
07-24-2008 07:07 AM
07-24-2008 02:41 PM
Unfortunately, from my experience you can't do this with a single policy on NSRemote unless you want to tunnel all traffic (0.0.0.0/0). The only other way to do it is to create 2 security policies on NSRemote, one for each of the subnets, and then have 2 policies on the firewall.
Although someone else might have a better suggestion. If you have quite a few people connecting in over VPN then you might want to have a look at the Juniper SA, which is an SSL VPN and is much more flexible.
07-24-2008 04:49 PM
07-24-2008 09:53 PM
See, it's a fact that if we are new to any box and we don't know its behaviour then a simple issue becomes complex and increases our frustration. It happened to me also, but with the passage of time I now feel very comfortable with all Juniper boxes. Juniper products are much, much stronger than Cisco. The other factor is that most people feel comfortable with Cisco, as there are more Cisco experts than Juniper ones, so we can get help anywhere; but now the Juniper web-site and JTAC are much better in support, and Juniper expertise is developing because people are now getting to know what Juniper's strength is.
Anyway, you can pass multiple subnets through a dialup VPN tunnel using a route-based dialup VPN. Refer to thread http://forums.juniper.net/jnet/board/message?board
07-24-2008 10:50 PM
Hi Kashif Rana,
Thanks for the info. I understand route-based VPN on the firewall, no problem. My question is: how do you configure the NSRemote client to send 2 networks down the tunnel, say 10.1.1.0/24 and 192.168.1.0/24?
07-25-2008 11:32 PM
You can use 0.0.0.0/0 in the Remote Party Identity field. But you have to disable split tunneling, which is disabled by default, so that traffic for the internet does not pass through the tunnel. For the internet connection you can use a proxy, or use an untrust-to-untrust intrazone policy with policy-based NAT.
07-27-2008 03:10 PM - edited 07-27-2008 03:11 PM
Thanks, Kashif Rana.
I got the dialup VPN working from that thread. I'm getting there. Thank you. How about local LAN access on the NSR side? I've read some threads about split tunneling but haven't had any success.
Thanks for all the help.