[Vpn-help] Netscreen and routing
Andy LaFontaine
Andy.LaFontaine at ehc-global.com
Wed Nov 18 09:05:34 CST 2009
I believe the example uses policy-based tunnel configuration. I use a
different method of tunnel config on my NetScreen router, which is
slightly different from what is outlined in the web site example. If you
want to try, those differences are:
Under Network/Interfaces: I created a new unnumbered Tunnel Interface in
the Untrust zone, specifying the WAN Ethernet interface port.
Under AutoKey IKE: instead of Bind To "none", I have Bind To "Tunnel
Interface" and set the tunnel created above.
Set checkbox Proxy-ID
Set Local IP/Netmask to the address range of the network served by the
router (for example: 192.168.1.0/24 if all IPs on the router's network
are using 192.168.1.x addresses). In the shrew client config, under the
Policy tab, I added the same address range.
Set remote IP/Netmask to 255.255.255.255/32
Under AutoKey Gateway: I used Aggressive Mode instead of Main (I think
this is necessary for any client at a changeable IP)
Most of the other router settings are the same as the example; the
policy I use, though, is just a basic permit/deny policy instead of having
specific tunnel-related config as in the example. When I originally set
this up some time ago, I remember having similar issues to what you
mention, and in my case it had to do with getting the Local IP/Netmask
settings correct on the router and (originally) on the NetScreen-Remote
client. I never actually tried the policy-based tunnel config as in the
example, but I know the Shrew VPN client works well with my existing type
of setup.
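The reason the Local IP/Netmask and the client's Policy tab have to agree is that both sides use those networks as Phase 2 selectors. The following is an added example, not code from the post or from Shrew or Juniper; it models, in deliberately simplified form (an assumption about how the two checks interact), what decides whether a packet to a given LAN host goes through the tunnel: the Shrew client only tunnels destinations inside a Policy-tab network, and the NetScreen only accepts a Phase 2 selector that fits inside the Local IP/Netmask on its AutoKey IKE entry. The 192.168.1.0/24 LAN is from the message above; the firewall address 192.168.1.1 and the host 192.168.1.50 are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology: the LAN behind the NetScreen is 192.168.1.0/24
# (as in the message above); the firewall's inside address and the LAN host
# are made-up values for illustration.
FIREWALL_INSIDE = "192.168.1.1"
LAN_HOST = "192.168.1.50"


def client_selector_for(destination, policy_networks):
    """Return the Policy-tab network that covers `destination`, or None.

    The Shrew client only sends a packet into the tunnel when the destination
    falls inside one of the networks listed on its Policy tab; the matching
    entry becomes the remote half of the Phase 2 selector it proposes.
    """
    dst = ip_address(destination)
    for entry in policy_networks:
        net = ip_network(entry, strict=False)
        if dst in net:
            return net
    return None


def gateway_allows(client_remote_net, gw_local_proxy):
    """Simplified model (assumption) of the NetScreen proxy-ID check: the
    network the client proposes as its remote selector must lie inside the
    Local IP/Netmask configured on the gateway's AutoKey IKE entry.
    """
    return client_remote_net.subnet_of(ip_network(gw_local_proxy, strict=False))


def diagnose(destination, client_policy_networks, gw_local_proxy):
    """Classify why traffic to `destination` does or does not get through."""
    net = client_selector_for(destination, client_policy_networks)
    if net is None:
        # The packet leaves via the physical NIC, never entering the tunnel.
        return "not-tunneled-by-client"
    if not gateway_allows(net, gw_local_proxy):
        # Phase 2 is refused (or covers less than the client expects).
        return "proxy-id-mismatch"
    return "ok"


if __name__ == "__main__":
    # Symptom from the original question: the firewall itself answers but no
    # other LAN host does. One way that happens is a client policy listing
    # only the firewall's address.
    only_firewall = [FIREWALL_INSIDE + "/32"]
    print("firewall, narrow client policy:", diagnose(FIREWALL_INSIDE, only_firewall, "192.168.1.0/24"))
    print("LAN host, narrow client policy:", diagnose(LAN_HOST, only_firewall, "192.168.1.0/24"))

    # The setup from the message above: the same /24 on both sides.
    whole_lan = ["192.168.1.0/24"]
    print("LAN host, matching /24 both sides:", diagnose(LAN_HOST, whole_lan, "192.168.1.0/24"))

    # The opposite mistake: gateway Local IP/Netmask narrower than the client.
    print("LAN host, gateway /32 only:", diagnose(LAN_HOST, whole_lan, FIREWALL_INSIDE + "/32"))
```

Run it as-is to see the four outcomes; swapping in your own Policy-tab entries and Local IP/Netmask value shows quickly which side is the narrower one when only the firewall address is reachable.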
From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Steve Vickerman
Sent: Tuesday, November 17, 2009 10:49 AM
To: vpn-help at lists.shrew.net
Subject: [Vpn-help] Netscreen and routing
I have followed the example of how to connect Shrew VPN to a NetScreen
5GT firewall. The VPN connects OK and I am able to access the NetScreen
firewall IP and even the web GUI. However, I am unable to access any
other IPs on the remote (NetScreen end) network.
Tried this on a couple of laptops with the same results.
Anybody have any ideas? I have checked the policies on the NetScreen and
Shrew VPN ends.