[vpn-help] One policy not passing traffic to NS5GT
Geoff Bonallack
gb at stgroup.com
Mon Mar 14 16:01:05 CDT 2011
Hi folks,
I've hooked the client (version 2.2.0) up to our Juniper NS5GT, and it's working beautifully - except that one of my two policies isn't passing traffic.
The NS5 is connected to two locations:
1. Our office LAN, 192.168.168/24 - I can ping from the client to machines in this network
2. To another Juniper at another office (via a tunnel), which has a LAN which looks like 192.168.22/24 - this is the one that fails
My policy for (2) above is: from Untrust To Trust, 192.168.22.0/24, ANY.
I was thinking it was a policy problem at the Juniper end, but I'm confused by the output of tracert. For (1) above, it is:
1 431 ms 479 ms 519 ms a.b.c.d.juniper.ip [a.b.c.d]
2 527 ms 465 ms 407 ms mymachine.network.A.local [192.168.168.5]
...which looks correct.
For (2), it is:
Tracing route to mymachine.networkB.local [192.168.22.8]
over a maximum of 10 hops:
1 * * * Request timed out.
2 * * * Request timed out.
(and so on, until the max hops are reached).
My Shrew client has policies of
192.168.22.0/255.255.255.0/INCLUDE
192.168.168.0/255.255.255.0/INCLUDE
So my first question is, if the client policy is set right, shouldn't it be hitting the Juniper as the first hop, even if the rest of it fails?
Thanks,
Geoff