[vpn-help] VPN client gateway address from Juniper SSG5

Matthew Grooms mgrooms at shrew.net
Thu Sep 16 18:37:15 CDT 2010


On 9/9/2010 4:36 PM, tdlatest at aim.com wrote:
> Hi,
> I am running Shrew windows client 2.1.6 on Windows 7 32bit. When
> connecting to Juniper SSG5, there are no issues; however, the VPN client
> doesn't have gateway address. When I added IP/subnet to topology entry,
> I could get online using local gateway (otherwise no Internet access)
> but I need to use the routing info entered in Juniper SSG5 when VPN is
> established. Is there any way I can choose the gateway as Juniper SSG5
> when VPN is established?

I don't think I fully understand your issue. I am going to make a guess 
and assume that you want to automatically pull the remote topology from 
the SSG without entering the networks by hand into the VPN client's site 
configuration under the policy tab. If that is what you're asking, I don't 
believe it's possible. The SSG doesn't allow the network topology lists 
to be communicated automatically to the client.

What you are describing is a split tunnel. In this configuration, only 
traffic destined to a network behind your gateway will traverse the 
tunnel. All other traffic is handled by your local internet connection.

For this to work, you need to either ...

1) Change the Policy Generation Level to 'shared' under the policy tab 
in your VPN Client site configuration.

2) Leave the Policy Generation Level set to 'auto' ( which will default 
to 'unique' ) and add each of the remote networks as 'include' networks 
under the policy tab in your VPN client site configuration. The gateway 
must also be configured to allow each network to be negotiated during 
phase2 using separate inbound and outbound policies. ( think multiple 
networks configured like 10.1.2.0/24 is in the Juniper SSG howto ).

Hope this helps,

-Matthew
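As an added illustration of option 2 above (not code from the thread or from Shrew Soft), the following models the two things that have to line up for a split tunnel: the 'include' networks entered on the client's policy tab, and the networks the gateway is willing to negotiate in phase 2. The network lists are constructed sample values; the check reports include networks no gateway policy covers, and the routing helper shows which destinations would take the tunnel versus the local gateway.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the original thread): 'include' networks
# entered under the client's policy tab, and the networks the gateway exposes
# through its inbound/outbound phase-2 policies.
CLIENT_INCLUDE = ["10.1.2.0/24", "10.1.3.0/24", "192.168.50.0/24"]
GATEWAY_POLICIES = ["10.1.2.0/24", "10.1.3.0/24"]


def check_topology(client_include, gateway_policies):
    """Return the client include networks that no gateway policy covers.

    An include network is negotiable only if some gateway policy equals it
    or is a supernet of it; anything else fails phase 2 for that network and
    its traffic quietly falls through to the local default route.
    """
    gw = [ip_network(p) for p in gateway_policies]
    missing = []
    for entry in client_include:
        net = ip_network(entry)
        covered = any(
            p.version == net.version and net.subnet_of(p) for p in gw
        )
        if not covered:
            missing.append(str(net))
    return missing


def next_hop(dst, client_include):
    """Split-tunnel decision for one destination address.

    Returns 'tunnel via <network>' when dst lies inside an include network
    (longest prefix wins if entries overlap), otherwise 'local', meaning the
    physical interface's default gateway carries the packet.
    """
    addr = ip_address(dst)
    hits = [
        n for n in (ip_network(e) for e in client_include)
        if n.version == addr.version and addr in n
    ]
    if not hits:
        return "local"
    best = max(hits, key=lambda n: n.prefixlen)
    return f"tunnel via {best}"


if __name__ == "__main__":
    print("not negotiable on gateway:", check_topology(CLIENT_INCLUDE, GATEWAY_POLICIES))
    for d in ("10.1.2.7", "192.168.50.9", "8.8.8.8"):
        print(d, "->", next_hop(d, CLIENT_INCLUDE))
```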


