Some more info:
We are having difficulty implementing a Netscreen Remote VPN with a new Juniper SSG 520M in a Branch Office. We have an existing SSG-520 in our Datacenter with an almost identical config, which is working fine.
The config on the Branch Office firewall has been copied from that on the Datacenter, so both VPNs are configured identically. The client is a laptop connected via an ADSL router, with Netscreen Remote installed and an identity for each VPN/firewall. Both VPNs connect successfully; the Datacenter VPN works fine, the Branch Office VPN doesn't.
On the Branch Office VPN, when pinging a server on the VPN, we can see the traffic in the firewall logs and arriving at the server's NIC (using Wireshark); we can also see the packet leave the server, and a reply is shown in the firewall log.
The only difference we have found is in the traffic leaving the firewall down the tunnel, in the debug logs below.
Data center Firewall: Juniper ScreenOS 5.4.0r1.0
Branch Office Firewall: Juniper ScreenOS 5.4.0r6.0
Debug on return Packets:
Branch Office Firewall
****** 4921596.0: <Trust/ethernet0/0> packet received [60]******
ipid = 24717(608d), @2e4ae910
packet passed sanity check.
ethernet0/0:**BranchOfficeServerIP**/512->**ClientLaptopIP**/11008,1(0/0)<Root>
Not IKE nor NAT-T nor ESP protocol.
existing session found. sess token 4
flow got session.
flow session id 63969
existing vector list 5-56b1b80.
skipping pre-frag
going into tunnel 4000000d.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 0000000d
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec auth done
ipsec encrypt engine released
ipsec encrypt done
put packet(4a23ac0) into flush queue.
remove packet(4a23ac0) out from flush queue.
**** jump to packet:**BranchOfficeFWPublicIP**->**ClientADSLPublicIP**
out encryption tunnel 4000000d gw:**BranchOfficeNextHopIP**
no more encapping needed
send out through normal path.
flow_ip_send: ea4b:**BranchOfficeFWPublicIP**->**ClientADSLPublicIP**,50 => ethernet0/2(112) flag 0x0, vlan 0
mac 009069f3747e in session
**** pak processing end.
Datacenter Firewall - this is working correctly
****** 21816786.0: <Trust/ethernet0/0> packet received [60]******
ipid = 58583(e4d7), @2e60d910
packet passed sanity check.
ethernet0/0:**DataCenterServerIP**/512->**ClientLaptopIP**/14848,1(0/0)<Root>
Not IKE nor NAT-T nor ESP protocol.
existing session found. sess token 4
flow got session.
flow session id 57828
existing vector list 5-672a650.
skipping pre-frag
going into tunnel 4000002c.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 0000002c
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec auth done
ipsec encrypt engine released
ipsec encrypt done
put packet(49da9c0) into flush queue.
remove packet(49da9c0) out from flush queue.
**** jump to packet:**DataCenterFWPublicIP**->**ClientADSLPublicIP**
out encryption tunnel 4000002c gw:**DataCenterNextHopIP**
no more encapping needed
flow_send_vector_, vid = 0, is_layer2_if=0
**** pak processing end.
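The side-by-side comparison above is easier to do by script once the per-packet identifiers (ipid, session id, tunnel id, buffer address, MAC, ports) are masked, because they differ on every packet and on every box even when the flow path is the same. The following is an added example, not the poster's code and not a Juniper tool; it assumes the ScreenOS "debug flow" lines quoted above, trimmed to the steps that matter and with the poster's own **Name** redaction placeholders kept as constructed input, and reports which processing steps appear on only one of the two firewalls:

```python
import difflib
import re

# Constructed sample input: the two "debug flow" traces quoted in the post above,
# trimmed to the lines that matter and with the wrapped flow_ip_send line rejoined.
# The **Name** tokens are the poster's own redaction placeholders, kept as-is.
BRANCH_TRACE = """\
ipid = 24717(608d), @2e4ae910
ethernet0/0:**BranchOfficeServerIP**/512->**ClientLaptopIP**/11008,1(0/0)<Root>
existing session found. sess token 4
flow session id 63969
going into tunnel 4000000d.
(vn2) doing ESP encryption and size =64
ipsec encrypt done
**** jump to packet:**BranchOfficeFWPublicIP**->**ClientADSLPublicIP**
out encryption tunnel 4000000d gw:**BranchOfficeNextHopIP**
no more encapping needed
send out through normal path.
flow_ip_send: ea4b:**BranchOfficeFWPublicIP**->**ClientADSLPublicIP**,50 => ethernet0/2(112) flag 0x0, vlan 0
mac 009069f3747e in session
**** pak processing end.
"""

DATACENTER_TRACE = """\
ipid = 58583(e4d7), @2e60d910
ethernet0/0:**DataCenterServerIP**/512->**ClientLaptopIP**/14848,1(0/0)<Root>
existing session found. sess token 4
flow session id 57828
going into tunnel 4000002c.
(vn2) doing ESP encryption and size =64
ipsec encrypt done
**** jump to packet:**DataCenterFWPublicIP**->**ClientADSLPublicIP**
out encryption tunnel 4000002c gw:**DataCenterNextHopIP**
no more encapping needed
flow_send_vector_, vid = 0, is_layer2_if=0
**** pak processing end.
"""

# Redaction placeholders such as **ClientLaptopIP** differ per site but carry no signal.
REDACTED = re.compile(r"\*\*[A-Za-z]+\*\*")
# Any stand-alone decimal or hex token (ipid, session id, tunnel id, buffer address,
# MAC, port, size) is per-packet or per-box noise, so it is masked to a single '#'.
VOLATILE = re.compile(r"\b[0-9a-fA-F]*\d[0-9a-fA-F]*\b")


def normalize(line: str) -> str:
    """Return a debug-flow line with per-packet identifiers masked."""
    line = REDACTED.sub("<redacted>", line)
    return VOLATILE.sub("#", line)


def divergences(trace_a: str, trace_b: str):
    """Return (lines only in trace_a, lines only in trace_b) after normalisation.

    Lines that match once identifiers are masked are treated as the same
    processing step, so only genuine differences in the flow path are reported.
    The original (unmasked) lines are returned so the output stays readable.
    """
    raw_a = trace_a.splitlines()
    raw_b = trace_b.splitlines()
    norm_a = [normalize(line) for line in raw_a]
    norm_b = [normalize(line) for line in raw_b]
    only_a, only_b = [], []
    matcher = difflib.SequenceMatcher(a=norm_a, b=norm_b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            only_a.extend(raw_a[i1:i2])
        if tag in ("replace", "insert"):
            only_b.extend(raw_b[j1:j2])
    return only_a, only_b


if __name__ == "__main__":
    branch_only, dc_only = divergences(BRANCH_TRACE, DATACENTER_TRACE)
    print("Only on the branch office firewall:")
    for line in branch_only:
        print("  -", line)
    print("Only on the datacenter firewall:")
    for line in dc_only:
        print("  +", line)
```

On the traces above this lists the three branch-only lines (the "send out through normal path." step, the flow_ip_send line and the "mac ... in session" line) against the single datacenter-only flow_send_vector_ line, which is exactly the difference the post points at. The masking is what makes two identically configured boxes comparable despite their different session, tunnel and buffer ids; the script only isolates the divergence, it does not say why the two ScreenOS releases take different send paths.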