Hello,
I have a Netscreen-25 running in transparent mode and sitting in
front of a class C address block:
Internet -> V1-Untrust -> [NS-25-Transparent] -> V1-Trust -> 207.154.X.0/24
The setup is very simple compared to what I've seen being discussed
in the docs and mailing list archives.
Up until now, we've been using it for firewall and IDS duties without
problems. Learning the VPN capabilities has been fun but I'm
currently being blocked by the final thing on my "see if I can get
this to work" list.
I'm trying to create a Dialup VPN policy that will let me use an IP
pool consisting of a couple of IPs from the /24 block and I suspect
I'm making a simple routing mistake. The sheer number of virtual/physical
interfaces and zones is giving me too many opportunities to mess up.
Using the VPNTracker IPSEC client on my powerbook it was actually
pretty easy to set up Host-to-Network connections. Both the "simple"
per-user methods as well as the Xauth enabled Mode Config
provisioning is working out just fine when I don't assign virtual IP
addresses.
If I don't assign addresses from a pool, everything looks fine. I can
make the VPN and Xauth connection, SSH to a box sitting on the /24
block and confirm that the box thinks I've logged in from 192.168.x
or whatever internal private IP my home wireless gateway has
assigned. It was surprisingly easy to get this working.
Ideally what I want is for traffic exiting the tunnel at the
Netscreen to be assigned public IP addresses belonging to the same
subnet as the /24 block operating in the V1-Trust zone.
What does work:
- If the VPN IP pool consists of a single IP address matching the
default gateway 207.154.x.1 then it works. I can start the tunnel,
SSH to a box and the box sees me logging in from the .1 address
What does not work:
- Any other IP from the /24 range. The VPN connection is made but no
traffic passes. If I SSH to the NS-25 a few times I see the login
failures logged as coming from "0.0.0.0". Watching the IPSEC logs
locally I can see that Mode Config is happening just fine - the VPN
is handing me the proper IP from the public pool
I'm guessing this is a routing problem. My Dialup VPN policy is
active on the V1-Untrust zone yet the public /24 block lives on the
other interface in the V1-Trust zone. I'm starting to think that the
public IP handed off to the client is simply unable to make the jump
from V1-Untrust to V1-Trust.
My interfaces look like this:
> Interfaces in vsys Root:
> Name   IP Address       Zone        MAC             VLAN  State  VSD
> eth1   0.0.0.0/0        V1-Untrust  0012.1ea3.c3a0  -     U      -
> eth2   0.0.0.0/0        V1-Trust    0012.1ea3.c3a5  -     U      -
> eth3   0.0.0.0/0        V1-DMZ      0012.1ea3.c3a6  -     D      -
> eth4   0.0.0.0/0        Null        0012.1ea3.c3a7  -     D      -
> vlan1  207.154.X.3/24   VLAN        0012.1ea3.c3af  1     U      -
> null   0.0.0.0/0        Null        0000.5e00.0100  -     U      0
And routes look like this:
IPv4 Dest-Routes for <trust-vr> (3 entries)
--------------------------------------------------------------------------------
   ID  IP-Prefix        Interface  Gateway       P  Pref  Mtr  Vsys
--------------------------------------------------------------------------------
*  18  0.0.0.0/0        vlan1      207.154.17.1  S  20    1    Root
*  17  207.154.X.3/32   vlan1      0.0.0.0       H  0     0    Root
*  16  207.154.X.0/24   vlan1      0.0.0.0       C  0     0    Root
Any thoughts, tips or pointers to other documentation & resources
would be appreciated.
Regards,
Chris
_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn
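An added worked example, not part of Chris's post and not ScreenOS code: a small Python checker that takes a transcription of the trust-vr route table above and classifies every address of a candidate dialup IP pool by longest-prefix match, flagging addresses that collide with the firewall's own host route or with a next-hop gateway. The masked "X" octet is assumed to be 17 only because the default route's gateway is printed as 207.154.17.1; that value and the pool range are constructed for the example. The lookup is the general longest-prefix algorithm (with preference and metric tie-breaks), so it works on any ScreenOS-style route table, not just the three entries here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: ipaddress.IPv4Address
    proto: str      # ScreenOS "P" flag: C = connected, H = host, S = static
    pref: int
    metric: int


def route(prefix, interface, gateway, proto, pref, metric):
    return Route(ipaddress.ip_network(prefix), interface,
                 ipaddress.ip_address(gateway), proto, pref, metric)


# Constructed transcription of the poster's trust-vr "get route" output.
# The masked 'X' octet is ASSUMED to be 17 because the default route's next
# hop is printed as 207.154.17.1; this is an assumption, not a fact from the post.
ROUTES = [
    route("0.0.0.0/0",       "vlan1", "207.154.17.1", "S", 20, 1),
    route("207.154.17.3/32", "vlan1", "0.0.0.0",      "H", 0,  0),
    route("207.154.17.0/24", "vlan1", "0.0.0.0",      "C", 0,  0),
]


def lookup(routes, ip):
    """Longest-prefix match; ties go to the lower preference, then lower metric."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.pref, -r.metric))


def check_pool(routes, pool_start, pool_end):
    """Classify each address of a dialup IP pool against the route table.

    Verdicts:
      'self'       - matches the firewall's own host (H) route; must not be in a pool
      'gateway'    - is used as a next hop by some route; must not be in a pool
      'connected'  - on-link via a connected (C) route, the case the poster wants
      'forwarded'  - would be sent to a next hop rather than delivered on-link
      'unroutable' - no route at all
    """
    unspecified = ipaddress.ip_address("0.0.0.0")
    gateways = {r.gateway for r in routes if r.gateway != unspecified}
    first = int(ipaddress.ip_address(pool_start))
    last = int(ipaddress.ip_address(pool_end))
    verdicts = {}
    for n in range(first, last + 1):
        ip = ipaddress.ip_address(n)
        r = lookup(routes, ip)
        if r is None:
            verdicts[str(ip)] = "unroutable"
        elif r.proto == "H":
            verdicts[str(ip)] = "self"
        elif ip in gateways:
            verdicts[str(ip)] = "gateway"
        elif r.proto == "C":
            verdicts[str(ip)] = "connected"
        else:
            verdicts[str(ip)] = "forwarded"
    return verdicts


if __name__ == "__main__":
    # Constructed pool range for illustration: .1 through .4 of the /24.
    for ip, verdict in check_pool(ROUTES, "207.154.17.1", "207.154.17.4").items():
        r = lookup(ROUTES, ip)
        print(f"{ip:16} {verdict:10} via {r.interface} ({r.prefix}, {r.proto})")
```

Run as a script it prints one line per pool address; the interesting output for this table is that .3 is reported as "self" (the device's own vlan1 address) and .1 as "gateway", so neither belongs in a pool, while the remaining /24 addresses are "connected" on vlan1, which is the routing outcome the poster is expecting for pool traffic.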