[vpn-help] Accessing several networks

Uracs Tamás uracs.tamas at peetandcook.hu
Thu Oct 27 02:06:50 CDT 2011


Hi All,

In addition to Kevin's suggestions, "obtain policy automatically" works only if the Zywall supports this feature. We are using Juniper devices (they don't support automatic policy), so we covered all of our internal networks with a /22 subnet mask.

All the best,

Tamas

-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Kevin VPN
Sent: Thursday, October 20, 2011 5:20 AM
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Accessing several networks

On 10/19/2011 04:59 AM, Stéphane PERON wrote:
>
> Le 19/10/2011 09:28, Stéphane PERON a écrit :
>> Hi Tamas,
>>
>> thanks for your answer but it doesn't work!!
>>
>> It only works for one network ...
>>
>> I use Shrew Soft 2.2 ... and try to connect to a Zywall USG 100 ...
>>
>> When I put, for example, 192.168.1.0/24 as the local policy in the Zywall
>> (phase 2) ... and 192.168.1.0 / 255.255.255.0 in the policy tab ...
>> it works very well
>>
>> But if I put a RANGE of IP addresses in the Zywall like
>> 192.168.1.0-192.168.3.0 ... and try to add 192.168.1.0 /
>> 255.255.255.0, 192.168.2.0 / 255.255.255.0, 192.168.3.0 /
>> 255.255.255.0 in the policy tab
>>
>> It doesn't work!!! I can't contact the networks
>>
> I'd like to add that, for the time being, I have created as many
> Shrew Soft connections as there are networks ..
> The problem is that I can't contact all the sub-networks when all
> connections are made ... routing for several VPN connections doesn't
> work

Hi Stephane,

The problem, I think, is that for phase 2 negotiation to complete, the specified policies have to match on each side.  However, when you define the policy as 192.168.1.0-192.168.3.0 on the Zywall and then put 192.168.1.0/255.255.255.0, 192.168.2.0/255.255.255.0, 192.168.3.0/255.255.255.0 in the Shrew policy, they do NOT appear to be the same when negotiation is done.

Easiest might be to try the checkbox on the Shrew policy tab that says "Obtain topology automatically".

You could also try this:  Explicitly use 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 as the subnets in the Zywall. In Shrew, use 192.168.1.0/255.255.255.0, 192.168.2.0/255.255.255.0 and 192.168.3.0/255.255.255.0.  This should make the policies match.

If the Zywall won't let you put in multiple subnets, you could use 192.168.0.0/22 (Zywall) and 192.168.0.0/255.255.252.0 (Shrew), although that might cause problems if 192.168.0.0 is used for something else.

Also, in the Zywall, with the policy 192.168.1.0-192.168.3.0, how have you specified the subnet mask?  I'm not actually sure how many IPs that would include in the third subnet - maybe just one single IP, 192.168.3.0 itself?  Or does the Zywall default to a /24 if not specified?
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
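A worked check of the selector-matching argument in the thread, added here as an example and not code from Shrew Soft, ZyXEL or anyone on the list. It models the strict behaviour Kevin describes (each Shrew policy entry is negotiated as its own phase 2 SA and must equal a gateway selector exactly), shows what the address range 192.168.1.0-192.168.3.0 actually expands to (the third "subnet" is the single host 192.168.3.0), and lists what a /22 supernet pulls into the tunnel beyond the three intended /24s. The function names and the gateway-side lists are this example's own assumptions; the policy strings are the ones quoted in the posts.

```python
"""IKE phase 2 traffic-selector sanity checks for the Shrew Soft / Zywall
thread above. Added example, not vendor code. Modelling assumption: a
client policy entry matches only if the gateway offers the identical
network as a selector (strict IKEv1 quick-mode matching as Kevin describes).
"""
from __future__ import annotations

import ipaddress
from ipaddress import IPv4Address, IPv4Network


def parse_shrew_policy(text: str) -> list[IPv4Network]:
    """Parse the Shrew Soft Policy-tab list as written in the posts, e.g.
    '192.168.1.0 / 255.255.255.0, 192.168.2.0 / 255.255.255.0'.
    Raises ValueError on host bits set in the network part (strict)."""
    nets = []
    for entry in text.split(","):
        entry = entry.replace(" ", "")
        if entry:
            nets.append(IPv4Network(entry))  # netmask or prefix form both accepted
    return nets


def range_to_networks(first: str, last: str) -> list[str]:
    """Expand an inclusive address range (gateway 'RANGE' object) into the
    CIDR blocks it really covers. 192.168.1.0-192.168.3.0 is 513 addresses,
    so the third block is a single /32, not a /24."""
    blocks = ipaddress.summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [str(b) for b in blocks]


def unmatched_policies(gateway: list[str], client: list[IPv4Network]) -> list[str]:
    """Client policy entries with no identical selector on the gateway side.
    Every entry returned here is a phase 2 SA that will fail to negotiate
    under the strict-match assumption."""
    gw = {IPv4Network(g) for g in gateway}
    return [str(c) for c in client if c not in gw]


def unintended_coverage(supernet: str, intended: list[IPv4Network]) -> list[str]:
    """Address blocks of a supernet (Kevin's /22 workaround) that are NOT in
    the intended subnet list. Traffic to them is routed into the tunnel too,
    which is the caveat about 192.168.0.0 being used for something else."""
    remaining = [IPv4Network(supernet)]
    for net in intended:
        kept = []
        for block in remaining:
            if net.subnet_of(block):
                kept.extend(block.address_exclude(net))  # carve the subnet out
            elif not block.subnet_of(net):
                kept.append(block)  # untouched by this subnet
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    # Policy list exactly as quoted in Stephane's post (constructed input).
    client = parse_shrew_policy(
        "192.168.1.0 / 255.255.255.0, 192.168.2.0 / 255.255.255.0, 192.168.3.0 / 255.255.255.0"
    )
    range_blocks = range_to_networks("192.168.1.0", "192.168.3.0")
    print("range expands to:", range_blocks)
    print("unmatched vs range:", unmatched_policies(range_blocks, client))
    print("unmatched vs three /24s:",
          unmatched_policies(["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"], client))
    print("unmatched vs /22:", unmatched_policies(["192.168.0.0/22"], client))
    print("/22 also covers:", unintended_coverage("192.168.0.0/22", client))
```

Running it shows the three cases from the thread: against the range the 192.168.3.0/24 entry has no counterpart, against three explicit /24s everything matches, and the /22 supernet matches only if the Shrew side is also a single 192.168.0.0/255.255.252.0 entry, at the cost of also tunnelling 192.168.0.0/24.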