<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=Windows-1252" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18852">
</HEAD>
<BODY lang=EN-US link=blue vLink=purple>
<DIV dir=ltr align=left><FONT size=2 face="Comic Sans MS"><SPAN
class=899420910-19112009>It should not matter if you use route-based or
policy-based VPN. Mine is PB, with an IP pool different from my network. If
there are personal firewalls at work, you have to create an exception for the
"foreign" IP addresses, of course.</SPAN></FONT></DIV><BR>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px" dir=ltr>
<DIV dir=ltr lang=de class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> vpn-help-bounces@lists.shrew.net
[mailto:vpn-help-bounces@lists.shrew.net] <B>On Behalf Of </B>Andy
LaFontaine<BR><B>Sent:</B> Wednesday, November 18, 2009 4:06 PM<BR><B>To:</B>
Steve Vickerman; vpn-help@lists.shrew.net<BR><B>Subject:</B> Re: [Vpn-help]
Netscreen and routing<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">I believe the example uses
policy-based tunnel configuration. I use a different method of tunnel config
on my NetScreen router, which is slightly different from what is outlined in
the web site example. If you want to try, those differences
are:<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Under Network/Interfaces:
created a new unnumbered Tunnel Interface in the Untrust zone, specifying the
WAN Ethernet interface port.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Under AutoKey
IKE,<o:p></o:p></SPAN></P>
<P style="TEXT-INDENT: 0.5in" class=MsoNormal><SPAN
style="COLOR: #1f497d">instead of Bind To “none”, I have Bind To “Tunnel
Interface” and set it to the tunnel created above.<o:p></o:p></SPAN></P>
<P style="TEXT-INDENT: 0.5in" class=MsoNormal><SPAN style="COLOR: #1f497d">Set
checkbox Proxy-ID<o:p></o:p></SPAN></P>
<P style="TEXT-INDENT: 0.5in" class=MsoNormal><SPAN style="COLOR: #1f497d">Set
Local IP/Netmask to the address range of the network served by the router (for
example: 192.168.1.0/24 if all IPs on the router’s network are using
192.168.1.x addresses). In the shrew client config, under the Policy tab, I
added the same address range.<o:p></o:p></SPAN></P>
<P style="TEXT-INDENT: 0.5in" class=MsoNormal><SPAN style="COLOR: #1f497d">Set
remote IP/Netmask to 255.255.255.255/32<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Under AutoKey Gateway: I used
Aggressive Mode instead of Main (I think this is necessary for any client at a
changeable IP)<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Most of the other router
settings are the same as the example; the policy I use, though, is just a basic
permit/deny policy instead of having specific tunnel-related config as in the
example. When I originally set this up some time ago, I remember having
similar issues to what you mention, and in my case it had to do with getting
the Local IP/Netmask settings correct on the router and (originally) on the
NetScreen-Remote client. I never actually tried the policy-based tunnel config
as in the example, but I know the Shrew VPN client works well with my existing
type of setup.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<P class=MsoNormal><B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">From:</SPAN></B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">
vpn-help-bounces@lists.shrew.net [mailto:vpn-help-bounces@lists.shrew.net]
<B>On Behalf Of </B>Steve Vickerman<BR><B>Sent:</B> Tuesday, November 17, 2009
10:49 AM<BR><B>To:</B> vpn-help@lists.shrew.net<BR><B>Subject:</B> [Vpn-help]
Netscreen and routing<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><SPAN lang=EN-GB>I have followed the example of how to
connect Shrew VPN to a NetScreen 5GT firewall. The VPN connects OK and I am
able to access the NetScreen firewall IP and even the web GUI. However, I am
unable to access any other IPs on the remote (NetScreen end)
network.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-GB><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-GB>Tried this on a couple of laptops with the
same results.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-GB><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-GB>Anybody have any ideas? I have checked the
policies on the NetScreen and Shrew VPN
ends.<o:p></o:p></SPAN></P></DIV></BLOCKQUOTE></BODY></HTML>