<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Hi Clemens,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>OK, that makes sense; I was thinking that the tracert should at least identify the NS as the first hop, but what you’re saying is that the NS needs to reply for tracert to do that, right?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>So I then realised that I need to create a policy from Untrust to Untrust (i.e. Dialup-VPN to “other” office), but that results in an error:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>“Dialup-VPN must use IPSEC or L2TP in policy.”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Am I going in the wrong direction?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Cheers,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Geoff<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-family:"Tahoma","sans-serif"'> C.Hoffmann@ProSeS.de [mailto:C.Hoffmann@ProSeS.de] <br><b>Sent:</b> Tuesday, March 15, 2011 1:23 PM<br><b>To:</b> Geoff Bonallack<br><b>Subject:</b> RE: One policy not passing traffic to NS5GT<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=DE 
style='font-size:11.0pt;color:#001B6F'>Hi Geoff,<o:p></o:p></span></p><p class=MsoNormal><span lang=DE style='font-size:11.0pt;color:#001B6F'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#001B6F'>If the Netscreen is configured to drop traffic, there will be no answer at all.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#001B6F'>I assume you made sure you can use the "other" office from the NS site. Then I assume it is a routing issue. Did you use a VPN IP Pool different from LAN?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#001B6F'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#001B6F'>Clemens<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#001B6F'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=DE style='font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=DE style='font-family:"Tahoma","sans-serif"'> vpn-help-bounces@lists.shrew.net [mailto:vpn-help-bounces@lists.shrew.net] <b>On Behalf Of </b>Geoff Bonallack<br><b>Sent:</b> Monday, March 14, 2011 10:01 PM<br><b>To:</b> vpn-help@lists.shrew.net<br><b>Subject:</b> [vpn-help] One policy not passing traffic to NS5GT<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=DE><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Hi folks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>I’ve hooked the client (version 2.2.0) up to our Juniper NS5GT, and it’s working beautifully - except that one of my two policies isn’t passing traffic.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>The NS5 is connected to two locations:<o:p></o:p></span></p><p 
class=MsoNormal><span style='font-size:11.0pt'>1. Our office LAN, 192.168.168/24 – I can ping from the client to machines in this network<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>2. To another Juniper at another office (via a tunnel), which has a LAN which looks like 192.168.22/24 – this is the one that fails<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>My policy for (2) above is: from Untrust To Trust, 192.168.22.0/24, ANY.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>I was thinking it was a policy problem at the Juniper end, but I’m confused by the output of tracert. For (1) above, it is:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> 1 431 ms 479 ms 519 ms a.b.c.d.juniper.ip [a.b.c.d]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> 2 527 ms 465 ms 407 ms mymachine.network.A.local [192.168.168.5]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>…which looks correct. 
<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>For (2), it is:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Tracing route to mymachine.networkB.local [192.168.22.8]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>over a maximum of 10 hops:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> 1 * * * Request timed out.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> 2 * * * Request timed out.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>(and so on, until the max hops are reached).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>My Shrew client has policies of <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>192.168.22.0/255.255.255.0/INCLUDE<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>192.168.168.0/255.255.255.0/INCLUDE<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>So my first question is, if the client policy is set right, shouldn’t it be hitting the Juniper as the first hop, even if the rest of it fails?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Geoff<o:p></o:p></span></p></div></body></html>