[vpn-help] VPN configuration fails after changing ip address of Juniper NetScreen 5GT

Kevin VPN kvpn at live.com
Wed Jan 18 19:28:11 CST 2012


On 01/18/2012 05:34 AM, Arne Schirmacher wrote:
> I have configured VPN access according to the tutorial at
> http://www.shrew.net/support/wiki/HowtoJuniperSsg. The internal
> (trusted) network is 192.168.1.0/24, after establishing the VPN I can
> connect to http://192.168.1.1 (the Juniper NetScreen 5GT) and to
> other web servers in the trusted network.
>
> When I configure the router to a different ip address 192.168.1.2 I
> can still establish the VPN connection and log in to the router at
> its new address, but it is not possible to reach any of the other
> systems in the trusted network. This is surprising as the new address
> is of course in the same subnet.
>
> When I plug in a notebook to one of the trusted ports in the router,
> I can successfully connect to each system in the trusted network. So
> it must be some problem with the VPN setup.
>
>
> I have also checked all router configuration settings to find a
> setting that has still the old ip 192.168.1.1, but all relevant
> settings are updated to the new ip address. Restart does not help
> either. The client setting also does not have any reference to the
> old or new ip address.
>
> The ip setting of the router was set using telnet and the command
> "set interface trust ip 192.168.1.2/24", the router itself was reset
> to factory settings before configuring VPN access.
>

Hi Arne,

My guess would be that the problem is not the VPN, it is the servers 
themselves.  My assumption is that the default gateway on the servers is 
still set to point to 192.168.1.1, so they are routing their response 
packets to the wrong IP.

Recall that the subnet that is handed out to the VPN clients is not part 
of the same subnet as the servers.  This means that when the servers try 
to respond to the VPN client's request, they think it needs to be 
routed, so they send it to their default gateway.  However, the way many 
firewalls that also act as a VPN gateway works is that when it receives 
traffic on an interface that is destined for an IP that it knows is part 
of a VPN, it auto-magically redirects it into the tunnel.  If the device 
that you now have on IP 192.168.1.1 does not know that the VPN IPs are 
reachable via 192.168.1.2, it will simply pass the traffic to its 
upstream default gateway, etc...

So to fix, either put the Netscreen back on IP 192.168.1.1 or configure 
a static route on 192.168.1.1 that routes the VPN IPs to 192.168.1.2. 
(You can also put a static route on each of the servers instead, but 
that's more management work.)
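The reply above describes an asymmetric return path: the VPN client's packets arrive through the tunnel, but the servers send their replies to whatever now answers on 192.168.1.1. The following route-lookup simulation is an added illustration of that reasoning and is not code from the thread or from the Shrew Soft or Juniper projects. It performs a longest-prefix-match lookup per hop and follows a reply packet from a trusted-network server toward a VPN client under three configurations: no fix, a static route for the VPN pool on the device at 192.168.1.1, and a static route on the server itself (plus the option of moving the NetScreen back to 192.168.1.1). The server address 192.168.1.10, the VPN client pool 10.9.8.0/24, the client 10.9.8.5 and the upstream hop 203.0.113.1 are constructed values; the post names none of them.

```python
"""Route-lookup simulation of the return-path problem discussed in the thread.

Added example, not part of the original post. Only 192.168.1.1, 192.168.1.2
and 192.168.1.0/24 come from the thread; every other address is constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# From the thread
OLD_GW = "192.168.1.1"        # address the NetScreen had; now held by some other box
NETSCREEN = "192.168.1.2"     # the NetScreen's new trust-side address
TRUST_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed for this example
SERVER = "192.168.1.10"       # a web server in the trusted network
UPSTREAM = "203.0.113.1"      # ISP-side next hop, i.e. "the wrong direction"
VPN_POOL = ipaddress.ip_network("10.9.8.0/24")   # pool handed to VPN clients
VPN_CLIENT = "10.9.8.5"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# A route is (prefix, next hop). The next hop is an IP, "connected" for an
# on-link destination, or "tunnel" for traffic the NetScreen pushes into IPsec.
Route = Tuple[ipaddress.IPv4Network, str]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, the way a host or router selects a next hop."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, nh in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def build_nodes(fix: str = "none") -> Dict[str, List[Route]]:
    """Routing tables for the three boxes; `fix` selects one of the remedies."""
    server = [(TRUST_NET, "connected"), (DEFAULT, OLD_GW)]      # stale default gateway
    old_gw = [(TRUST_NET, "connected"), (DEFAULT, UPSTREAM)]    # knows nothing of the VPN
    netscreen = [(TRUST_NET, "connected"), (VPN_POOL, "tunnel"), (DEFAULT, UPSTREAM)]
    if fix == "gateway":          # static route on the device at 192.168.1.1
        old_gw.insert(0, (VPN_POOL, NETSCREEN))
    elif fix == "server":         # static route on each server instead
        server.insert(0, (VPN_POOL, NETSCREEN))
    elif fix == "netscreen_at_old_ip":   # put the NetScreen back on 192.168.1.1
        old_gw = netscreen
    return {SERVER: server, OLD_GW: old_gw, NETSCREEN: netscreen}


def trace_reply(nodes: Dict[str, List[Route]], start: str, dst: str,
                max_hops: int = 8) -> List[str]:
    """Follow a reply from `start` toward `dst`; the path ends at "tunnel"
    (delivered over IPsec), at a hop we hold no table for (e.g. the ISP),
    or at "blackhole" when a hop has no matching route."""
    path, node = [start], start
    for _ in range(max_hops):
        nh = lookup(nodes[node], dst)
        if nh is None:
            path.append("blackhole")
            return path
        path.append(nh)
        if nh == "tunnel" or nh not in nodes:
            return path
        node = nh
    path.append("loop")
    return path


def delivered(fix: str) -> bool:
    """True when the server's reply reaches the VPN tunnel under `fix`."""
    return trace_reply(build_nodes(fix), SERVER, VPN_CLIENT)[-1] == "tunnel"


if __name__ == "__main__":
    for fix in ("none", "gateway", "server", "netscreen_at_old_ip"):
        print(f"{fix:22s}", " -> ".join(trace_reply(build_nodes(fix), SERVER, VPN_CLIENT)))
```

Running it shows the reply leaving via 192.168.1.1 toward the upstream hop in the unfixed case, and ending in the tunnel for each of the remedies the post lists. The simulation deliberately ignores ICMP redirects and firewall policy, so it demonstrates only the next-hop selection the post reasons about.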
