Hi,
I have configured a dial-up VPN using XAuth on an SSG140 (6.2.0r3.0). Everything is working fine except that I am unable to access other branch networks which are connected through site-to-site VPNs on the same SSG140.
For example:
In Site A, I have configured 4 site-to-site VPNs for different branches (Site B, C, D & E) and a dial-up VPN. From NetScreen-Remote I cannot access the Site B, C, D & E networks, but I am able to access the Site A local subnet (Trust).
When I look at the logs for the policy from Untrust to Trust, it says traffic denied. Untrust intra-zone traffic is also not blocked.
I am using the Untrust zone for all VPNs.
DialUp VPN IP Pool is 10.147.131.0/24
Policy:
set policy id 30 from "Untrust" to "Trust" "Dial-Up VPN" "SDVnet(10.0.0.0)" "ANY" tunnel vpn "Remote-VPN" id 0x6 pair-policy 31 log
set policy id 30
set policy id 31 from "Trust" to "Untrust" "SDVnet(10.0.0.0)" "Dial-Up VPN" "ANY" tunnel vpn "Remote-VPN" id 0x6 pair-policy 30 log
set policy id 31
Routing:
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet0/0 gateway 202.136.16X.XXX preference 20
set route 10.147.204.0/22 interface tunnel.1 preference 20
set route 10.147.208.0/23 interface tunnel.1 preference 20
set route 10.147.116.0/24 interface tunnel.2
set route 10.147.189.0/24 interface tunnel.3
set route 10.147.188.0/24 interface tunnel.3
set route 10.147.131.0/24 gateway 202.136.16X.XXX
set route 10.147.220.0/22 interface tunnel.4
set route 10.147.224.0/22 interface tunnel.4
set route 10.0.0.0/8 vrouter "trust-vr" preference 20 metric 1
set route 192.168.100.0/24 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.0.0.0/8 interface ethernet0/9 gateway 10.147.128.5 preference 20
set route 10.147.204.0/22 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.208.0/23 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.116.0/24 vrouter "untrust-vr" preference 20 metric 1
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.189.0/24 vrouter "untrust-vr" preference 20 metric 1
set route 192.168.100.0/24 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.131.0/24 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.220.0/22 vrouter "untrust-vr" preference 20 metric 1
set route 10.147.224.0/22 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
Please see the logs:
WSDSGEG1-> get db stream
****** packet decapsulated, type=ipsec, len=60******
ipid = 7496(1d48), @1d50411c
ethernet0/0:10.147.131.115/34560->10.147.222.5/512,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 10.147.131.115->10.147.222.5) in vr untrust-vr for vsd-0/flag-0/ifp-null
[ Dest] 18.route 10.147.222.5->10.147.222.5, to tunnel.4
routed (x_dst_ip 10.147.222.5) from ethernet0/0 (ethernet0/0 in 0) to tunnel.4
policy search from zone 1-> zone 1
policy_flow_search policy search nat_crt from zone 1-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.147.222.5, port 50267, proto 1)
policy_flow_search in tunnel pak_ptr policy: id: 30, from zone 1 -> 2
No policy matched for tunnel traffic, logging for:
VPN policy= 30: szone 1 dzone 1 pid 30 ports 800c45b iphdr 1d50411c
log this session (pid=30)
**** pak processing end.
****** packet decapsulated, type=ipsec, len=60******
ipid = 7497(1d49), @1d56911c
ethernet0/0:10.147.131.115/34816->10.147.222.5/512,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 10.147.131.115->10.147.222.5) in vr untrust-vr for vsd-0/flag-0/ifp-null
[ Dest] 18.route 10.147.222.5->10.147.222.5, to tunnel.4
routed (x_dst_ip 10.147.222.5) from ethernet0/0 (ethernet0/0 in 0) to tunnel.4
policy search from zone 1-> zone 1
policy_flow_search policy search nat_crt from zone 1-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.147.222.5, port 50011, proto 1)
policy_flow_search in tunnel pak_ptr policy: id: 30, from zone 1 -> 2
No policy matched for tunnel traffic, logging for:
VPN policy= 30: szone 1 dzone 1 pid 30 ports 800c35b iphdr 1d56911c
log this session (pid=30)
**** pak processing end.
****** packet decapsulated, type=ipsec, len=60******
ipid = 7499(1d4b), @1d5c511c
ethernet0/0:10.147.131.115/35072->10.147.222.5/512,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 10.147.131.115->10.147.222.5) in vr untrust-vr for vsd-0/flag-0/ifp-null
[ Dest] 18.route 10.147.222.5->10.147.222.5, to tunnel.4
routed (x_dst_ip 10.147.222.5) from ethernet0/0 (ethernet0/0 in 0) to tunnel.4
policy search from zone 1-> zone 1
policy_flow_search policy search nat_crt from zone 1-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.147.222.5, port 49755, proto 1)
policy_flow_search in tunnel pak_ptr policy: id: 30, from zone 1 -> 2
No policy matched for tunnel traffic, logging for:
VPN policy= 30: szone 1 dzone 1 pid 30 ports 800c25b iphdr 1d5c511c
log this session (pid=30)
**** pak processing end.
Please help with this.
Thanks
Sona
Message Edited by sona on 09-08-2009 03:44 PM
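The `get db stream` output above already contains the answer to "why was it denied", but it is easy to miss among the other lines. The following script is an added example (not code from the original post, and not a Juniper tool): it parses the pasted flow-debug output, extracts for each decapsulated packet the 5-tuple, the egress interface chosen by the route lookup, the zone pair the flow was evaluated against ("policy search from zone 1-> zone 1") and the zone pair of the policy the VPN is bound to ("policy: id: 30, from zone 1 -> 2"), and reports packets where those two zone pairs differ. The zone-id-to-name mapping is an assumption inferred from the post (policy 30 is Untrust to Trust and the debug prints it as zone 1 -> 2); the sample input is the first two packets copied from the post.

```python
"""Explain ScreenOS tunnel-policy misses from `get db stream` output.

Added example, not code from the original post or from Juniper. It reads the
flow-debug lines and flags packets whose evaluated zone pair does not match
the zone pair of the policy the VPN is bound to.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption inferred from the post: policy 30 is Untrust -> Trust and the
# debug output prints it as "from zone 1 -> 2".
ZONE_NAMES = {1: "Untrust", 2: "Trust"}

FLOW_RE = re.compile(
    r"^(?P<ifin>\S+?):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)"
    r"->(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+),(?P<proto>\d+)"
)
ROUTED_RE = re.compile(r"^routed \(x_dst_ip \S+\) from (?P<ifin>\S+) .* to (?P<ifout>\S+)$")
FLOW_ZONES_RE = re.compile(r"^policy search from zone (?P<s>\d+)-> zone (?P<d>\d+)$")
TUNNEL_POLICY_RE = re.compile(
    r"^policy_flow_search in tunnel pak_ptr policy: id: (?P<pid>\d+), "
    r"from zone (?P<s>\d+) -> (?P<d>\d+)$"
)

# Sample input copied from the post (first two decapsulated packets).
SAMPLE_DB_STREAM = """\
****** packet decapsulated, type=ipsec, len=60******
ipid = 7496(1d48), @1d50411c
ethernet0/0:10.147.131.115/34560->10.147.222.5/512,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 10.147.131.115->10.147.222.5) in vr untrust-vr for vsd-0/flag-0/ifp-null
[ Dest] 18.route 10.147.222.5->10.147.222.5, to tunnel.4
routed (x_dst_ip 10.147.222.5) from ethernet0/0 (ethernet0/0 in 0) to tunnel.4
policy search from zone 1-> zone 1
policy_flow_search policy search nat_crt from zone 1-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.147.222.5, port 50267, proto 1)
policy_flow_search in tunnel pak_ptr policy: id: 30, from zone 1 -> 2
No policy matched for tunnel traffic, logging for:
VPN policy= 30: szone 1 dzone 1 pid 30 ports 800c45b iphdr 1d50411c
log this session (pid=30)
**** pak processing end.
****** packet decapsulated, type=ipsec, len=60******
ipid = 7497(1d49), @1d56911c
ethernet0/0:10.147.131.115/34816->10.147.222.5/512,1(8/0)<Root>
no session found
routed (x_dst_ip 10.147.222.5) from ethernet0/0 (ethernet0/0 in 0) to tunnel.4
policy search from zone 1-> zone 1
policy_flow_search in tunnel pak_ptr policy: id: 30, from zone 1 -> 2
No policy matched for tunnel traffic, logging for:
**** pak processing end.
"""


@dataclass
class Packet:
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: int = 0
    ingress: str = ""
    egress: str = ""
    flow_zones: Optional[Tuple[int, int]] = None    # zone pair the flow was matched against
    tunnel_policy: Optional[int] = None             # policy id the VPN is bound to
    policy_zones: Optional[Tuple[int, int]] = None  # zone pair of that policy
    denied: bool = False


def parse_db_stream(text: str) -> List[Packet]:
    """Split the debug stream into per-packet records."""
    packets: List[Packet] = []
    cur: Optional[Packet] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("****** packet decapsulated"):
            cur = Packet()
            packets.append(cur)
            continue
        if cur is None:
            continue
        if m := FLOW_RE.match(line):
            cur.ingress, cur.src, cur.dst = m["ifin"], m["src"], m["dst"]
            cur.sport, cur.dport, cur.proto = int(m["sport"]), int(m["dport"]), int(m["proto"])
        elif m := ROUTED_RE.match(line):
            cur.egress = m["ifout"]
        elif m := FLOW_ZONES_RE.match(line):
            cur.flow_zones = (int(m["s"]), int(m["d"]))
        elif m := TUNNEL_POLICY_RE.match(line):
            cur.tunnel_policy = int(m["pid"])
            cur.policy_zones = (int(m["s"]), int(m["d"]))
        elif line.startswith("No policy matched for tunnel traffic"):
            cur.denied = True
        elif line.startswith("**** pak processing end"):
            cur = None
    return packets


def zone_name(z: int) -> str:
    return ZONE_NAMES.get(z, f"zone-{z}")


def explain(pkt: Packet) -> str:
    """One-line verdict: why the tunnel policy lookup failed for this packet."""
    if not pkt.denied:
        return f"{pkt.src}->{pkt.dst}: permitted"
    if pkt.flow_zones and pkt.policy_zones and pkt.flow_zones != pkt.policy_zones:
        fs, fd = pkt.flow_zones
        ps, pd = pkt.policy_zones
        return (f"{pkt.src}->{pkt.dst} routed {pkt.ingress}->{pkt.egress}: "
                f"flow is {zone_name(fs)}->{zone_name(fd)} but tunnel policy "
                f"{pkt.tunnel_policy} is {zone_name(ps)}->{zone_name(pd)}; "
                f"no policy covers this zone pair")
    return f"{pkt.src}->{pkt.dst}: denied, reason not recognised in debug output"


def summarize(text: str) -> List[str]:
    return [explain(p) for p in parse_db_stream(text)]


if __name__ == "__main__":
    for verdict in summarize(SAMPLE_DB_STREAM):
        print(verdict)
```

Run against the post's own output, every packet reports the same thing: the route lookup sends the dial-up client's packet out `tunnel.4`, so the flow is evaluated as Untrust to Untrust, while the only policy the dial-up VPN is bound to (id 30) is Untrust to Trust. That mismatch is the line to look for whenever a dial-up user can reach the local Trust subnet but not a network behind another tunnel in the same zone.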