[vpn-help] VPN client gateway address from Juniper SSG5
Matthew Grooms
mgrooms at shrew.net
Thu Sep 16 18:37:15 CDT 2010
On 9/9/2010 4:36 PM, tdlatest at aim.com wrote:
> Hi,
> I am running Shrew windows client 2.1.6 on Windows 7 32bit. When
> connecting to Juniper SSG5, there are no issues; however, the VPN client
> doesn't have gateway address. When I added IP/subnet to topology entry,
> I could get online using local gateway (otherwise no Internet access)
> but I need to use the routing info entered in Juniper SSG5 when VPN is
> established. Is there any way I can choose the gateway as Juniper SSG5
> when VPN is established?

I don't think I fully understand your issue. I am going to make a guess
and assume that you want to automatically pull the remote topology from
the SSG without entering the networks by hand into the VPN client's site
configuration under the policy tab. If that is what you're asking, I don't
believe it's possible. The SSG doesn't allow the network topology lists
to be communicated automatically to the client.

What you are describing is a split tunnel. In this configuration, only
traffic destined to a network behind your gateway will traverse the
tunnel. All other traffic is handled by your local internet connection.
For this to work, you need to either ...

1) Change the Policy Generation Level to 'shared' under the policy tab
in your VPN Client site configuration.

2) Leave the Policy Generation Level set to 'auto' (which will default
to 'unique') and add each of the remote networks as 'include' networks
under the policy tab in your VPN client site configuration. The gateway
must also be configured to allow each network to be negotiated during
phase2 using separate inbound and outbound policies. (Think multiple
networks configured like 10.1.2.0/24 is in the Juniper SSG howto.)

Hope this helps,

-Matthew