ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 21
Registered: ‎05-07-2008
0 Kudos

dialup VPN not passing traffic

I have the Dialup VPN configured as per KB4772 or KB6623.

The VPN is up but I am unable to pass traffic over it, ping as an example. I followed another thread:

Try the following:

- Edit your VPN policy
- Go in advanced configuration
- Activate the source NAT with Egress Interface

I didn't get the happiness that the Hulk got. ;)

 

Any ideas?

 

Thanks so much!!

 

-rha

 

Trusted Expert
Posts: 417
Registered: ‎01-29-2008
0 Kudos

Re: dialup VPN not passing traffic

Hi,

 

If you post your configuration, it will help us diagnose your problem, but remember to hide your public IP addresses. One thing that normally occurs with a problem like the one you are facing is that the dialup VPN pool is the same as the trust subnet; that's why the VPN is up but traffic does not pass. Try to use a different subnet for the dialup VPN users, one that is not used anywhere in the network.

 

Thanks 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!
Super Contributor
Posts: 162
Registered: ‎12-20-2007
0 Kudos

Re: dialup VPN not passing traffic

Hi Biker,

 

This kind of issue can appear if there is a NAT device in the middle of your tunnel. Is that your case?

If yes, try to activate NAT Traversal and UDP checksum in your configuration (on both devices).

Menu VPN, Advanced IKE, Gateway, edit your Gateway and go to Advanced Settings.

Regards,
Contributor
Posts: 21
Registered: ‎05-07-2008
0 Kudos

Re: dialup VPN not passing traffic

[ Edited ]

Kashif Rana,

 

My dialup network is on another LAN. Thanks

 

Sylvain,

 

I do have NAT Traversal and checksum checked. You mentioned both sides. Is there any setting in the NetScreen-Remote configuration? I didn't see anything relating to NAT Traversal. Thanks

 

I am attaching my config

 

Thanks to all for your kind help!

Message Edited by biker on 07-16-2008 06:24 AM
Trusted Expert
Posts: 417
Registered: ‎01-29-2008
0 Kudos

Re: dialup VPN not passing traffic

According to my perception, if the VPN is able to establish then there is no issue of NAT traversal.
Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
Distinguished Expert
Posts: 755
Registered: ‎11-06-2007
0 Kudos

Re: dialup VPN not passing traffic

I agree with Kashif-Rana. If a NAT device in the network were the issue then you would not even complete phase 1. Also NetScreen-Remote enables nat-traversal by default so that shouldn't be the problem. Your SSG configs look correct. Can I assume that your NetScreen-Remote has your trusted subnet for remote party address? 

 

You also should not need to enable NAT per se on your policy. I also assume that your PC hosts on your trust side all have a route for your IP pool addresses or a default route pointing to the SSG, right? If so, then I would recommend running 'debug flow basic' on your SSG to see what is happening with your IPSec data traffic. You can set your ffilter as src-ip of your NetScreen-Remote public IP address and also src-ip of whatever host you are trying to reach on your trust side (for return traffic). Post your 'get db stream' output for analysis.

 

-Richard

Contributor
Posts: 21
Registered: ‎05-07-2008
0 Kudos

Re: dialup VPN not passing traffic

Yes, NetScreen-Remote has my trusted subnet for the remote party address.

 

Yes routing for PC hosts is in place. Right now I'm trying to establish a dialup VPN to just 1 trusted network that is defined. Once this is complete I'm going to go deeper into the network. 

 

Attached is the debug flow. 

Super Contributor
Posts: 162
Registered: ‎12-20-2007
0 Kudos

Re: dialup VPN not passing traffic

Hi All,

 

OK, it does not seem to be a NAT-T problem in this case.

Just to clarify my explanation: if there is a NAT device in a site-to-site environment and NAT-T is not enabled, you can still establish phase 1 and phase 2, because IKE is not always disturbed by NAT. The problem occurs when you try to send data with the ESP protocol. The NAT device tries to change the Layer 4 header and simply drops the packet because it is not able to change it.

I just thought it could be the problem here, but it's not. :D
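Sylvain's distinction between IKE and ESP behind a NAT device can be made concrete. The Python below is an added illustration, not something posted in the thread: it shows why a port-translating NAT can carry IKE (plain UDP) yet has nothing to rewrite in a raw ESP packet, and how RFC 3948 NAT-T fixes that by wrapping ESP in UDP/4500 and prefixing IKE on that port with the four-zero-byte Non-ESP marker so the receiver can tell the two apart. The SPI, sequence number and payload bytes are constructed values, not real ciphertext.

```python
import struct
from typing import Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2: IKE on UDP/4500 starts with this
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 section 2.3: one-byte keepalive payload


def pat_can_track(ip_proto: int) -> bool:
    """A port-translating NAT needs Layer 4 ports to tell flows apart.
    TCP and UDP carry ports; a raw ESP packet (IP protocol 50) carries only
    the SPI, which belongs to the peers' SA and must not be rewritten."""
    return ip_proto in (IPPROTO_TCP, IPPROTO_UDP)


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """Minimal ESP header (SPI, sequence number) followed by the payload.
    Constructed for illustration only; SPI 0 is reserved by the protocol."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + payload


def udp_wrap(body: bytes, sport: int = NAT_T_PORT, dport: int = NAT_T_PORT) -> bytes:
    """UDP header (checksum zero, as RFC 3948 permits) followed by the body."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def udp_encapsulate_esp(esp: bytes) -> bytes:
    """RFC 3948 UDP-encapsulated ESP: the ESP packet follows the UDP header directly,
    so the first four bytes of the body are a never-zero SPI."""
    return udp_wrap(esp)


def udp_encapsulate_ike(ike: bytes) -> bytes:
    """IKE moved to port 4500 is prefixed with the Non-ESP marker."""
    return udp_wrap(NON_ESP_MARKER + ike)


def pat_rewrite(datagram: bytes, new_sport: int) -> bytes:
    """What the NAT device does to an encapsulated packet: rewrite the outer UDP
    source port (checksum is zero here). The ESP inside is untouched, so the
    peer still finds the right SA by SPI."""
    _sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_sport, dport, length, csum) + datagram[8:]


def demux_nat_t(datagram: bytes) -> Tuple[str, Optional[int]]:
    """Receiver-side demultiplexing of a UDP/4500 datagram.
    Returns the kind of payload and, for ESP, its SPI."""
    _sport, _dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    body = datagram[8:length]
    if body == NAT_KEEPALIVE:
        return ("keepalive", None)
    if body[:4] == NON_ESP_MARKER:
        return ("ike", None)
    (spi,) = struct.unpack("!I", body[:4])
    return ("esp", spi)


if __name__ == "__main__":
    esp = build_esp(0x1234ABCD, 1, b"\x00" * 16)          # constructed sample packet
    print("PAT can track raw ESP:", pat_can_track(IPPROTO_ESP))
    print("after NAT-T and PAT  :", demux_nat_t(pat_rewrite(udp_encapsulate_esp(esp), 61000)))
    print("IKE on 4500          :", demux_nat_t(udp_encapsulate_ike(b"\x01" * 28)))
```

The point the code makes is the one Sylvain raised: phase 1 and 2 succeed because IKE is UDP, while raw ESP gives the NAT nothing to translate; with NAT-T enabled on both ends the data traffic becomes UDP too and the translator only ever touches the outer header.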

 

 

Contributor
Posts: 21
Registered: ‎05-07-2008
0 Kudos

Re: dialup VPN not passing traffic

Hi all,

 

I put a sniffer on the remote dialup PC and noticed that there is 0 traffic on the PPP SafeNet Virtual Adapter interface. So it appears the problem may exist on the remote dialup PC. I would think that I would see at least the ICMP traffic attempting to route through that interface?

 

Thanks

 

-rha 

Trusted Expert
Posts: 417
Registered: ‎01-29-2008
0 Kudos

Re: dialup VPN not passing traffic

Hi biker,

 

Can you post the output of the route print command on the dialup VPN PC, when connected via VPN?

 

Thanks 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
Contributor
Posts: 21
Registered: ‎05-07-2008
0 Kudos

Re: dialup VPN not passing traffic

192.168.241.5 is the SafeNet virtual adapter.

 

Thanks for your help. I will be out of the office for a few days so this will be my last correspondence until Sunday.

 

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\gdaliberty>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 11 43 b4 64 19 ...... Broadcom NetXtreme 57xx Gigabit Controller -
 Packet Scheduler Miniport
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.12.254  192.168.12.100       21
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.12.0    255.255.255.0   192.168.12.100  192.168.12.100       20
   192.168.12.100  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.12.255  255.255.255.255   192.168.12.100  192.168.12.100       20
    192.168.239.0    255.255.255.0    192.168.241.5   192.168.241.5       1
    192.168.241.5  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.241.5  255.255.255.255    192.168.241.5   192.168.241.5       1
  192.168.241.255  255.255.255.255    192.168.241.5   192.168.241.5       50
        224.0.0.0        240.0.0.0   192.168.12.100  192.168.12.100       20
        224.0.0.0        240.0.0.0    192.168.241.5   192.168.241.5       50
  255.255.255.255  255.255.255.255   192.168.12.100  192.168.12.100       1
  255.255.255.255  255.255.255.255    192.168.241.5   192.168.241.5       1
Default Gateway:    192.168.12.254
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\gdaliberty>
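One way to read the table above mechanically, added here as an example and not posted in the thread: parse the Active Routes rows, apply the longest-prefix, lowest-metric selection Windows uses, and check whether a given remote subnet leaves via the SafeNet adapter (192.168.241.5). For 192.168.239.0/24 it does, which confirms the client has a route into the tunnel. The same check run against a subnet that is absent from the table (10.0.0.0/16, the case raised later in this thread) falls through to the default route and reports that it is not tunnelled. The table is the one posted above, embedded as the sample input.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Active Routes section of the route print output posted above (Windows XP
# client, SafeNet virtual adapter at 192.168.241.5), used as sample input.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.12.254  192.168.12.100       21
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.12.0    255.255.255.0   192.168.12.100  192.168.12.100       20
   192.168.12.100  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.12.255  255.255.255.255   192.168.12.100  192.168.12.100       20
    192.168.239.0    255.255.255.0    192.168.241.5   192.168.241.5       1
    192.168.241.5  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.241.5  255.255.255.255    192.168.241.5   192.168.241.5       1
  192.168.241.255  255.255.255.255    192.168.241.5   192.168.241.5       50
        224.0.0.0        240.0.0.0   192.168.12.100  192.168.12.100       20
        224.0.0.0        240.0.0.0    192.168.241.5   192.168.241.5       50
  255.255.255.255  255.255.255.255   192.168.12.100  192.168.12.100       1
  255.255.255.255  255.255.255.255    192.168.241.5   192.168.241.5       1
Default Gateway:    192.168.12.254
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Pull the route rows out of Windows 'route print' output.
    A row is any line of exactly five fields whose first four parse as IPv4
    addresses; headers, separators and the interface list fall through."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            network = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            gateway = ipaddress.IPv4Address(parts[2])
            interface = ipaddress.IPv4Address(parts[3])
            metric = int(parts[4])
        except ValueError:
            continue  # not a route row
        routes.append(Route(network, gateway, interface, metric))
    return routes


def best_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes the lowest metric wins,
    which is how Windows picks the forwarding entry."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def reaches_via_tunnel(routes: List[Route], remote_subnet: str, adapter_ip: str) -> bool:
    """True when hosts in remote_subnet are forwarded out of the VPN virtual
    adapter. Probes the first usable host of the subnet."""
    net = ipaddress.IPv4Network(remote_subnet)
    route = best_route(routes, str(net.network_address + 1))
    return route is not None and route.interface == ipaddress.IPv4Address(adapter_ip)


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for subnet in ("192.168.239.0/24", "10.0.0.0/16"):
        print(subnet, "via tunnel:", reaches_via_tunnel(table, subnet, "192.168.241.5"))
```

Because the client-side route is present, the zero traffic seen on the virtual adapter points at something other than the remote party address, which is consistent with the resolution that follows.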

Contributor
Posts: 21
Registered: ‎05-07-2008
0 Kudos

Re: dialup VPN not passing traffic

Problem corrected. During testing I configured 2 security policies with the same trusted networks. I stopped one of them in the GUI and it disabled traffic to that trusted network. Once I deleted the stopped policy everything was good.

Thanks to Juniper support and everyone here for helping! I didn't realize that would happen.
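The root cause above, two policies covering the same trusted network with one of them left disabled, is the kind of thing a quick pass over the saved configuration can catch before it costs a day of debugging. The Python below is an added example, not from the thread or the attached config: it parses `set policy id ... from ... to ...` lines in the style of ScreenOS `get config` output (the exact line syntax and the sample policies are constructed approximations), groups policies that match the same zones, addresses and service, and flags any group containing a disabled member so it can be deleted rather than left in place.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed ScreenOS-style policy fragment (not the thread's attachment):
# two dial-up VPN policies for the same trust network, the second one disabled,
# plus an unrelated outbound policy.
SAMPLE_CONFIG = """\
set policy id 10 from "Untrust" to "Trust" "Dial-Up VPN" "Trust_LAN" "ANY" tunnel vpn "dialup-vpn" id 1 log
set policy id 10
exit
set policy id 11 from "Untrust" to "Trust" "Dial-Up VPN" "Trust_LAN" "ANY" tunnel vpn "dialup-vpn" id 1 log
set policy id 11 disable
set policy id 20 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit log
"""

# Approximation of the policy line: id, optional name, zones, src, dst, service, rest.
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+)(?: name "[^"]*")? from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)"\s+'
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" (?P<action>.+)$'
)
DISABLE_RE = re.compile(r'^set policy id (?P<id>\d+) disable\s*$')


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    svc: str
    action: str
    enabled: bool = True

    def match_key(self) -> Tuple[str, str, str, str, str]:
        """The fields that decide which traffic the policy matches."""
        return (self.src_zone, self.dst_zone, self.src, self.dst, self.svc)


def parse_policies(config: str) -> Dict[int, Policy]:
    """Collect policies by id and mark those that have a 'disable' line."""
    policies: Dict[int, Policy] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            pid = int(m["id"])
            policies[pid] = Policy(pid, m["src_zone"], m["dst_zone"],
                                   m["src"], m["dst"], m["svc"], m["action"])
            continue
        d = DISABLE_RE.match(line)
        if d and int(d["id"]) in policies:
            policies[int(d["id"])].enabled = False
    return policies


def find_duplicates(policies: Dict[int, Policy]) -> List[List[int]]:
    """Groups of policy ids that match identical traffic."""
    groups: Dict[Tuple[str, str, str, str, str], List[int]] = defaultdict(list)
    for p in policies.values():
        groups[p.match_key()].append(p.pid)
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


def lint(config: str) -> List[str]:
    """Human-readable findings for duplicate policy groups."""
    policies = parse_policies(config)
    findings = []
    for ids in find_duplicates(policies):
        disabled = [i for i in ids if not policies[i].enabled]
        msg = f"policies {ids} match the same zones, addresses and service"
        if disabled:
            msg += f"; disabled: {disabled} (delete rather than leave disabled)"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports the 10/11 pair with 11 disabled; run against a real `get config` dump it is a cheap sanity check after any policy edit made through the GUI.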

Contributor
Posts: 21
Registered: ‎05-07-2008
0 Kudos

Re: dialup VPN not passing traffic

Now that I have a basic dialup VPN working to a single subnet, I need to configure it so that the dialup user can access several different subnets at our corporate site. I thought it would be as simple as adding the networks to the policy. Not so! Does anyone have any ideas why this is so? Can it be done? There must be a way to configure this. Maybe I'm just too used to Cisco. >:(
Contributor
Posts: 21
Registered: ‎05-07-2008
0 Kudos

Re: dialup VPN not passing traffic

I'm able to get a large range such as 192.168.0.0/16, but how can I add that network and 10.0.0.0/16?

Any ideas will be appreciated immensely.

Thanks
Trusted Expert
Posts: 441
Registered: ‎07-08-2008
0 Kudos

Re: dialup VPN not passing traffic

Hi,

 

Unfortunately, from my experience you can't do this with a single policy on NSRemote unless you want to tunnel all traffic (0.0.0.0/0). The only other way to do it is to create 2 security policies on NSRemote, one for each of the subnets, and then have 2 policies on the firewall.

Although someone else might have a better suggestion. If you have got quite a few people connecting in over VPN then you might want to have a look at the Juniper SA, which is an SSL VPN and is much more flexible.

 

Regards

 

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Contributor
Posts: 21
Registered: ‎05-07-2008
0 Kudos

Re: dialup VPN not passing traffic

Thanks for your reply. That's too bad. It does a fine job with site-to-site VPNs. After reading the specs it seemed it would do everything that our aging Cisco 3000 (Altiga vintage) did. It looks like I'll have to go with the SSL VPN device or go back to a Cisco device. Hopefully someone will have an answer. If not, it will only be a $3.5k loss and time to go back to Cisco.
Trusted Expert
Posts: 417
Registered: ‎01-29-2008
0 Kudos

Re: dialup VPN not passing traffic

Hi biker,

See, it's a fact that if we are new to any box and we don't know its behaviour, then a simple issue becomes complex and increases our frustration. It happened to me also :) but now, with the passage of time, I feel very comfortable with all Juniper boxes. Juniper products are much, much stronger than Cisco. The other factor is that most people feel comfortable with Cisco, as Cisco expertise is more common than Juniper, so we can get help anywhere; but now the Juniper web site and JTAC are much better in support, and Juniper expertise is developing because people are getting to know what Juniper's strength is.

Anyway, you can pass multiple subnets through a dialup VPN tunnel using a route-based dialup VPN. Refer to thread http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=739

 

Thanks 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
Trusted Expert
Posts: 441
Registered: ‎07-08-2008
0 Kudos

Re: dialup VPN not passing traffic

Hi Kashif Rana,

 

Thanks for the info. I understand route-based VPN on the firewall, no problem. My question is: how do you configure the NSRemote client to send 2 networks down the tunnel, say 10.1.1.0/24 and 192.168.1.0/24?

 

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Trusted Expert
Posts: 417
Registered: ‎01-29-2008

Re: dialup VPN not passing traffic

Hi,

 

You can use 0.0.0.0/0 in the Remote Party Identity field. But you have to disable split tunneling, which is disabled by default, so that traffic for the Internet does not pass through the tunnel. But for the Internet connection you can use a proxy, or use an Untrust-to-Untrust intrazone policy with policy-based NAT.

 

 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
Contributor
Posts: 21
Registered: ‎05-07-2008
0 Kudos

Re: dialup VPN not passing traffic

[ Edited ]

Thanks -Kashif Rana

 

I got the dialup VPN working from that thread. I'm getting there. Thank you. How about local LAN access on the NSR side? I've read some threads about split tunneling but haven't had any success.

 

Thanks for all the help.

 

Rick

Message Edited by biker on 07-27-2008 03:11 PM