07-24-2008 04:49 PM
07-24-2008 09:53 PM
See, it's a fact that if we are new to any box and we don't know its behaviour, then a simple issue becomes complex and increases our frustration. It happened to me also, but now, with the passage of time, I feel very comfortable with all Juniper boxes. Juniper products are much, much stronger than Cisco. The other factor is that most people feel comfortable with Cisco, and there is more Cisco expertise than Juniper, so we can get help anywhere; but now the Juniper web-site and JTAC are much better in support, and Juniper expertise is now developing, because people are now coming to know what Juniper's strength is.
Anyway, you can pass multiple subnets through a dialup VPN tunnel using a route-based dialup VPN. Refer to this thread: http://forums.juniper.net/jnet/board/message?board
07-24-2008 10:50 PM
Hi Kashif Rana,
Thanks for the info. I understand route-based VPN on the firewall, no problem. My question is how do you configure the NSRemote client to send two networks down the tunnel, say 10.1.1.0/24 and 192.168.1.0/24?
07-25-2008 11:32 PM
You can use 0.0.0.0/0 in the Remote Party Identity field. But you have to disable split tunneling, which is disabled by default, so that traffic for the internet does not pass through the tunnel. But for the internet connection you can use a proxy, or use an untrust-to-untrust zone intrazone policy with policy-based NAT.
07-27-2008 03:10 PM - edited 07-27-2008 03:11 PM
Thanks -Kashif Rana
I got the dialup VPN working from that thread. I'm getting there. Thank you. How about local LAN access on the NSR side? I've read some threads about split tunneling but haven't had any success.
Thanks for all the help.
07-28-2008 01:59 AM
Actually, when you use 0.0.0.0/0 in the Remote Party Identity on NSR (you should configure a route-based dialup VPN on the SSG), then all traffic (tunneled traffic, internet traffic, LAN traffic) will pass through the tunnel. You can access the internet through a proxy, or with untrust-to-untrust traffic with source NAT on the SSG.
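The SSG side of what the two replies above describe (route-based dialup VPN, wide-open proxy-ID so the client's 0.0.0.0/0 Remote Party Identity matches, and the untrust-to-untrust policy with source NAT for internet traffic), written out as an added ScreenOS CLI example. This is not configuration posted in the thread or taken from the linked one. The interface, zone, user, gateway, VPN and address names, the pre-shared key, and the client's fixed internal address 10.10.10.1 are assumptions for illustration; the NetScreen-Remote client is assumed to present the u-fqdn identity below and to use 10.10.10.1 as its internal address.

```screenos
## Added example (not from this thread): route-based dialup VPN on an SSG
## accepting any proxy-ID from a NetScreen-Remote client, plus hairpin
## source NAT for the client's internet traffic. All names, the key and
## the client address 10.10.10.1 are assumptions.

## Tunnel interface in the untrust zone, unnumbered on the egress interface.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

## Dialup IKE user and group. The u-fqdn is the identity the client sends
## in Phase 1 (its "My Identity").
set user "remote1" ike-id u-fqdn "remote1@example.com" share-limit 1
set user-group "dialup_users" user "remote1"

## Phase 1: dialup gateway, aggressive mode, pre-shared key (placeholder).
set ike gateway "dialup_gw" dialup "dialup_users" aggressive outgoing-interface ethernet0/0 preshare "ChangeMe-NotARealKey" sec-level standard

## Phase 2: bind the VPN to tunnel.1. The 0.0.0.0/0 proxy-ID on both sides
## matches whatever the client proposes once its Remote Party Identity is
## 0.0.0.0/0, so the corporate side can hold any number of subnets without
## per-subnet client configuration.
set vpn "dialup_vpn" gateway "dialup_gw" no-replay tunnel idletime 0 sec-level standard
set vpn "dialup_vpn" bind interface tunnel.1
set vpn "dialup_vpn" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"

## Route-based VPN needs a route for the client's inner address through
## the tunnel interface (assumed fixed at 10.10.10.1 here).
set address untrust "remote1_host" 10.10.10.1/32
set route 10.10.10.1/32 interface tunnel.1

## Policies. tunnel.1 is in untrust, so the client's traffic arrives in the
## untrust zone. The two inter-zone policies reach the LAN(s) behind trust;
## the intrazone policy with "nat src" (no DIP pool, so the egress
## interface address is used) sends internet-bound traffic back out of
## ethernet0/0. Without it, 0.0.0.0/0 traffic from the client dead-ends.
set policy from untrust to trust "remote1_host" any any permit
set policy from trust to untrust any "remote1_host" any permit
set policy from untrust to untrust "remote1_host" any any nat src permit
```

To check it, bring the tunnel up from the client and confirm with `get sa` (one active SA bound to tunnel.1), `get route` (10.10.10.1/32 via tunnel.1) and `get policy` (the three policies above). Note that this configuration does exactly what the replies say: everything the client sends, including traffic for its own local LAN, goes through the tunnel, so it does not by itself give the client local LAN access.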
07-28-2008 04:46 AM
I do have a route-based VPN, and all traffic does go over the tunnel. That is currently my problem: all traffic goes over the tunnel. I cannot access local resources such as printers, routers, and other network devices on the local LAN. I need to be able to access the local LAN as well as corporate resources.
Thank you for your kind help.
07-30-2008 06:16 PM
You might have to use a different client other than NetScreen-Remote. Have a look at http://www.shrew.net/; it is a free IPsec client, so you can try it out. I think this allows you to send multiple networks down a tunnel; you will then have to do a bit of trial and error on the firewall side. You will have to see what Proxy-ID is being sent by the client and then add that to the Phase 2 config to be able to get the VPN to connect (use the existing route-based VPN setup that you have).
I haven't tried this bit of software and can't test it, as I don't have access to a NetScreen firewall at the moment, but it might help, as the site says that it's compatible. Let me know if you need some help with the config.