[vpn-help] Bidirectional VPN shrewsoft client <> netscreen

Ben Barker ben at bbarker.co.uk
Thu Dec 17 15:02:09 CST 2009


How strange. We have a bidirectional policy on the netscreen, and can
initiate the VPN from the remote client. From the remote client, we can ping
the local network, but not in reverse. We have set this VPN up over a 3G
link, but I can't see how that should matter. We are using XAuth
authentication. My netscreen config has the following policy lines:

set policy id 18 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.13.0/24"
"ANY" tunnel vpn "dialupvpn" id 1 pair-policy 35 log

set policy id 35 from "Trust" to "Untrust"  "192.168.13.0/24" "Dial-Up VPN"
"ANY" tunnel vpn "dialupvpn" id 1 pair-policy 18 log
set policy id 35
set log session-init
exit

I suspect the problem must lie with the netscreen rather than the shrewsoft
client, so this may not be the appropriate place to continue this query -
but any light anyone can shed would be most welcome!
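A small check, added here as an example (it is not from the post, nor from ScreenOS or the Shrew Soft client): it parses the `set policy` lines above and verifies that each tunnel policy and its pair-policy are exact mirrors of one another (zones and addresses swapped, same VPN and SA id, each pointing back at the other), which is the first thing to confirm when traffic flows only one way. The line syntax it matches is assumed from the lines quoted above.

```python
import re

# ScreenOS 5.x "set policy ... tunnel vpn" syntax as shown in the post
# (assumption: no other keywords appear on the line).
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+) from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)" '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" tunnel vpn "(?P<vpn>[^"]+)" '
    r'id (?P<sa>\d+)(?: pair-policy (?P<pair>\d+))?(?P<log> log)?$'
)

# Constructed sample: the two policy lines from the post, wrapped as the mail did.
SAMPLE = """
set policy id 18 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.13.0/24"
"ANY" tunnel vpn "dialupvpn" id 1 pair-policy 35 log
set policy id 35 from "Trust" to "Untrust"  "192.168.13.0/24" "Dial-Up VPN"
"ANY" tunnel vpn "dialupvpn" id 1 pair-policy 18 log
"""

def parse_policies(config: str) -> dict[int, dict]:
    """Re-join mail-wrapped lines, then keep every tunnel policy keyed by id."""
    stmts: list[str] = []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        # A line not starting with 'set'/'exit' continues the previous statement.
        if stmts and not line.startswith(("set ", "exit")):
            stmts[-1] += " " + line
        else:
            stmts.append(line)
    policies = {}
    for stmt in stmts:
        m = POLICY_RE.match(re.sub(r"\s+", " ", stmt))
        if m:
            policies[int(m["id"])] = m.groupdict()
    return policies

def check_pairs(policies: dict[int, dict]) -> list[str]:
    """Flag tunnel policies whose pair-policy is absent or not an exact mirror."""
    findings = []
    for pid, p in policies.items():
        q = policies.get(int(p["pair"])) if p["pair"] else None
        if q is None:
            findings.append(f"policy {pid}: no usable pair-policy (traffic is one-way)")
            continue
        checks = {
            "pair does not point back": q["pair"] == str(pid),
            "zones not mirrored": (q["src_zone"], q["dst_zone"]) == (p["dst_zone"], p["src_zone"]),
            "addresses not mirrored": (q["src"], q["dst"]) == (p["dst"], p["src"]),
            "different VPN or SA": (q["vpn"], q["sa"]) == (p["vpn"], p["sa"]),
        }
        findings += [f"policy {pid}: {msg}" for msg, ok in checks.items() if not ok]
    return findings
```

Run `check_pairs(parse_policies(SAMPLE))` on a `get config` dump; an empty list means the pair is symmetric and the problem lies elsewhere (routing, XAuth address assignment, or the client side).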


On Thu, Dec 17, 2009 at 1:24 PM, VPN Client Product Support <
vpn-help at lists.shrew.net> wrote:

>  Hi Ben,
>
> I have just checked that. I do not have any issues connecting back to the
> Shrew Client. I have created a bidirectional policy for that purpose, and
> everything goes smoothly. Of course the Shrew Client has to be connected; you can't
> initiate the VPN connection from the SSG side.
>
> Regards,
> Clemens Hoffmann
>
>  ------------------------------
> *From:* vpn-help-bounces at lists.shrew.net [vpn-help-bounces at lists.shrew.net]
> on behalf of VPN Client Product Support [vpn-help at lists.shrew.net]
> *Sent:* Thursday, 17 December 2009 09:56
> *To:* VPN Client Product Support
> *Subject:* Re: [vpn-help] Bidirectional VPN shrewsoft client <> netscreen
>
>  Thanks - I'll give it a go today. So what I was attempting was not
> possible with Shrewsoft client alone?
>
> Cheers,
>
> Ben
>
> On Thu, Dec 17, 2009 at 2:22 AM, VPN Client Product Support <
> vpn-help at lists.shrew.net> wrote:
>
>>  Ben,
>>
>>  Since this is not related to Shrew I'm emailing you directly. Have a
>> look at pfSense for setting up a gate-to-gate VPN tunnel. You can use IPSec
>> or OpenSSL.
>>
>>  Best,
>>
>> Frank Pikelner
>>
>> On 2009-12-16, at 6:29 PM, "VPN Client Product Support" <
>> vpn-help at lists.shrew.net> wrote:
>>
>>   Hi,
>>
>> I have used the shrewsoft client for a while, and have successfully
>> configured it to connect to a netscreen VPN endpoint (ns5gt running ScreenOS
>> 5.40r8.0).
>>
>> I am now trying to set up a bidirectional VPN such that not only can I see
>> the LAN to which the netscreen is connected, but machines on that LAN can
>> see my machine. After much trying myself, looking at routing policies and
>> the like, I have not got very far. I also looked at the shrewsoft config
>> guide here:
>>
>> http://www.shrew.net/support/wiki/HowtoJuniperSsg
>>
>> Which seemed to mirror pretty closely what I had already, but only dealt
>> with inbound traffic from the remote client.
>>
>> Is there a way to achieve what I am attempting, and if so is there any
>> information I could provide that would better help diagnose the problem I am
>> having?
>>
>> Cheers,
>>
>> Ben
>>
>>   _______________________________________________
>>
>> vpn-help mailing list
>> vpn-help at lists.shrew.net
>> http://lists.shrew.net/mailman/listinfo/vpn-help
>>
>>
>>
>
>
>