[Vpn-help] Netscreen and routing

Q C.Hoffmann at ProSeS.de
Thu Nov 19 04:12:15 CST 2009


It should not matter if you use route-based or policy-based VPN. Mine is PB, with an IP pool different from my network. If there are personal firewalls at work, you have to create an exception for the "foreign" IP addresses, of course.

________________________________
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Andy LaFontaine
Sent: Wednesday, November 18, 2009 4:06 PM
To: Steve Vickerman; vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] Netscreen and routing

I believe the example uses policy-based tunnel configuration. I use a different method of tunnel config on my netscreen router, which differs slightly from what is outlined in the web site example. If you want to try, those differences are:

Under Network/Interfaces: I created a new unnumbered Tunnel Interface in the Untrust zone, specifying the WAN Ethernet interface port.

Under AutoKey IKE,
instead of Bind To “none”, I have Bind To set to “Tunnel Interface” and selected the tunnel created above.
Set checkbox Proxy-ID
Set Local IP/Netmask to the address range of the network served by the router (for example: 192.168.1.0/24 if all IPs on the router’s network are using 192.168.1.x addresses). In the shrew client config, under the Policy tab, I added the same address range.
Set remote IP/Netmask to 255.255.255.255/32
Under AutoKey Gateway: I used Aggressive Mode instead of Main (I think this is necessary for any client at a changeable IP)

Most of the other router settings are the same as the example; the policy I use, though, is just a basic permit/deny policy instead of having specific tunnel-related config as in the example. When I originally set this up some time ago, I remember having similar issues to what you mention, and in my case it had to do with getting the Local IP/Netmask settings correct on the router and (originally) on the netscreen-remote client. I never actually tried the policy-based tunnel config as in the example, but I know the shrewvpn client works well with my existing type of setup.



From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Steve Vickerman
Sent: Tuesday, November 17, 2009 10:49 AM
To: vpn-help at lists.shrew.net
Subject: [Vpn-help] Netscreen and routing

I have followed the example of how to connect shrew vpn to a netscreen 5gt firewall. The vpn connects ok and I am able to access the netscreen firewall IP and even the web gui. However I am unable to access any other IPs on the remote (netscreen end) network.

Tried this on a couple of laptops with the same results.

Anybody have any ideas? I have checked the policies on the netscreen and shrew vpn ends.
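The route-based setup Andy describes in the WebUI, written out as ScreenOS CLI so the pieces Steve's symptom depends on (tunnel binding, proxy-ID, the route for the client addresses, and the policy) sit in one place. This is an added example, not configuration from anyone in the thread or from the Shrew Soft example page. Interface name "untrust" (NetScreen 5GT), LAN 192.168.1.0/24, client pool 10.99.0.0/24, the object and gateway names, the IKE identity and the pre-shared key are all placeholders; how the client pool is handed out (XAuth/IP pool) is configured separately and not shown.

```screenos
# Added example (not from the thread): route-based dialup VPN on a NetScreen 5GT.
# Assumptions: WAN port "untrust", LAN 192.168.1.0/24 behind "trust",
# client address pool 10.99.0.0/24 (assigned elsewhere, e.g. via XAuth),
# placeholder names, identity and pre-shared key.

# 1. Unnumbered tunnel interface in the Untrust zone, borrowing the WAN port's address
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface untrust

# 2. IKE user and group for the dialup peer (the identity the Shrew client sends)
set user "shrew-user" ike-id u-fqdn "shrew-user@example.com" share-limit 1
set user "shrew-user" type ike
set user-group "shrew-users" user "shrew-user"

# 3. Phase 1: dialup gateway, Aggressive mode (client has no fixed IP), NAT-T on
set ike gateway "shrew-gw" dialup "shrew-users" Aggr outgoing-interface "untrust" preshare "REPLACE-WITH-STRONG-PSK" proposal "pre-g2-aes128-sha"
set ike gateway "shrew-gw" nat-traversal

# 4. Phase 2: bind the VPN to tunnel.1 instead of to a policy, with an explicit proxy-ID
#    (local = LAN range, remote = "any single host", as in the WebUI)
set vpn "shrew-vpn" gateway "shrew-gw" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "shrew-vpn" bind interface tunnel.1
set vpn "shrew-vpn" proxy-id local-ip 192.168.1.0/24 remote-ip 255.255.255.255/32 "ANY"

# 5. Routing: return traffic for the client pool must be sent into the tunnel.
#    Without this route the firewall itself still answers (it terminates the tunnel),
#    but LAN hosts' replies follow the default route and never reach the client.
set route 10.99.0.0/24 interface tunnel.1

# 6. Policy: a plain permit from the client pool (arriving in Untrust via tunnel.1)
#    to the LAN; no "tunnel" action is needed because routing selects the VPN.
set address "Untrust" "shrew-pool" 10.99.0.0 255.255.255.0
set policy from "Untrust" to "Trust" "shrew-pool" "Any" "ANY" permit log
```

To check the result after a client connects, `get sa` should list an active pair of SAs for the gateway, and `get route` should show 10.99.0.0/24 via tunnel.1. Because LAN hosts see the client's source address from the 10.99.0.0/24 pool rather than from their own subnet, any host firewall on the LAN must permit that range, which is the point Christoph makes at the top of the thread.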