ScreenOS Firewalls (NOT SRX)

Need Dialup VPN to access different network segments

‎10-15-2008 02:34 PM

I have a terminal that has successfully established and connected a VPN to my netscreen firewall with IKE user (using netscreen remote). However it can only connect to network 192.168.1.x - I've been unsuccessful in trying to connect to my other networks 192.168.2.x, 192.168.3.x, etc.

Any pointers on how to proceed? Thanks!

4 REPLIES
Solution
Accepted by topic author TipPeru
‎08-26-2015 01:27 AM

Re: Need Dialup VPN to access different network segments

‎10-15-2008 05:23 PM

Hi,

What is the network and subnet mask that you have configured on your netscreen remote client?

If you configured 192.168.1.0/24 then it will only route the 192.168.1.0 network down the VPN. If you want to access other subnets then you need to do 192.168.0.0/16, this will send all 192.168.x.0 networks down the tunnel.

Remember you will also have to change the policy on the firewall to match the new subnet 192.168.0.0/16

Regards

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER

Re: Need Dialup VPN to access different network segments

‎10-16-2008 06:38 AM

Hi TipPeru,

You need to be careful with the proxy IDs on this issue. Using a /16 should work as a solution though. Just make sure that the proxy IDs match on the firewall too.

Regards,

A.


Re: Need Dialup VPN to access different network segments

‎10-16-2008 11:19 AM

Thanks! My local support company couldn't figure this one out for 6 weeks now! I myself have had to learn and read manuals upon manuals, trying out different approaches... thank you very much!


Re: Need Dialup VPN to access different network segments

‎10-22-2008 02:08 PM

Hi all,

The solution assumes you can summarize to /16. What if summarization is not desired or not possible for various reasons? I have a similar problem where I initially had one internal segment accessible. I now want another discontiguous segment to be added. When I try to add the new subnet in the policy, I get an error message "Multiple addresses/services are not supported at current stage for bidirectional VPN policy".

Any pointers on what I need to do?

Thanks,

/Dan
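
The trade-off discussed in this thread, as an added example that is not part of any post: the Python below checks which internal subnets a client-side remote network (proxy ID) actually covers, computes the smallest single prefix that summarizes a set of subnets, and counts how many addresses the tunnel policy would open beyond the intended ones. The function names are hypothetical, and 10.20.0.0/24 is a constructed stand-in for the "discontiguous segment" mentioned above.

```python
import ipaddress

def covered(selector, targets):
    """Split targets into (inside, outside) the client's remote-network selector."""
    sel = ipaddress.ip_network(selector)
    nets = [ipaddress.ip_network(t) for t in targets]
    inside = [str(n) for n in nets if n.subnet_of(sel)]
    outside = [str(n) for n in nets if not n.subnet_of(sel)]
    return inside, outside

def smallest_supernet(targets):
    """Smallest single IPv4 prefix containing every target subnet."""
    nets = [ipaddress.ip_network(t) for t in targets]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Bits that differ between the lowest and highest address must be host bits.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return ipaddress.IPv4Network((base, 32 - host_bits))

def extra_addresses(summary, targets):
    """Addresses reachable through the summary that are in no intended subnet."""
    summary = ipaddress.ip_network(summary)
    wanted = ipaddress.collapse_addresses(ipaddress.ip_network(t) for t in targets)
    return summary.num_addresses - sum(n.num_addresses for n in wanted)

if __name__ == "__main__":
    # Subnets from the original question.
    segments = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    for selector in ("192.168.1.0/24", "192.168.0.0/16"):
        inside, outside = covered(selector, segments)
        print(f"{selector}: tunnelled={inside} not tunnelled={outside}")

    tight = smallest_supernet(segments)
    print("tightest summary:", tight, "extra:", extra_addresses(tight, segments))
    print("/16 extra:", extra_addresses("192.168.0.0/16", segments))

    # Constructed discontiguous case: a single prefix becomes far too broad.
    split = ["192.168.1.0/24", "10.20.0.0/24"]
    wide = smallest_supernet(split)
    print("discontiguous summary:", wide, "extra:", extra_addresses(wide, split))
```

Whatever prefix is chosen, the value has to be identical in the client's remote network setting and in the firewall policy, as the replies above point out.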