I have a Netscreen 25 in my office and have a Netscreen 5XP that I take
with me when I travel. I would like to have the VPN set up so that it
does not split tunnel. Basically it sends everything across the link.
I have this working with all the private address space behind my
Netscreen 25. However, I cannot get traffic out to the Internet over
the VPN tunnel; can someone help me figure out what I am doing wrong?
Thanks so much in advance.
<oh a jump back to the BBS days for some ascii art>
Picture 1:
  192.168.201.1/24 (Trust) = NS5XP = DHCP (Untrust) ----------- 4.1.2.2 (eth1) = NS25 = 10.128.0.5 (eth2)

Picture 2:
  4.1.2.2 (eth1) = NS25 = 10.128.0.5 (eth2) ----------------- 10.128.0.6 = Internal Router = ---- 10.0.0.0/8 (basically)
NS5XP Config:
Gateway = Static IP (4.1.2.2), Local ID (testaccount),
pre-g5-aes256-sha1, aggressive, enable NAT with UDP Checksum
AutoKey IKE = g5-esp-aes256-sha1, replay protection
Policy Untrust -> Trust = Any Any Any Tunnel
Policy Trust -> Untrust = Any Any Any Tunnel
Static Route = 0.0.0.0/0 -> Set by DHCP
NS25 Config:
Gateway = Dynamic IP with PeerID (testaccount), pre-g5-aes256-sha1,
aggressive, enable NAT with UDP Checksum
AutoKey IKE = g5-esp-aes256-sha1, replay protection
Policy Untrust -> Trust = Any Any Any Tunnel, SRC Nat to Egress IP
Policy Trust -> Untrust = Any Any Any Tunnel, SRC Nat to Egress IP
Static Route = 10.0.0.0/8 -> 10.128.0.6 on eth2
Static Route = 0.0.0.0/0 -> 4.1.2.1 on eth1
Like I said, a computer sitting behind the NS5XP can talk to all the
devices in 10.0.0.0/8 just fine, basically all devices behind eth2 on
the NS25. However, the computer sitting behind the NS5XP cannot talk
to anything on the Internet (no Google, for example). It appears that
I do not have something set up right with my routes or with my policies.
When a packet destined to, say, Google comes out of the VPN tunnel on the
NS25, what happens next? Does it hit the route table? Do I need a
special policy?
Thanks in advance.
Bret
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn
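An added illustration, not part of Bret's post or any ScreenOS code: a small Python model of the lookup the NS25 hub performs on a packet that comes out of the tunnel, using only the routes and policies listed above. Route lookup runs first and picks the egress interface; the policy check is then done from ingress zone to egress zone. It assumes (the post does not state this) that eth1 is in the Untrust zone, eth2 is in the Trust zone, and decrypted tunnel traffic enters from the Untrust zone.

```python
import ipaddress

# Constructed model of the NS25 hub as described in the post.
ROUTES = [  # (prefix, next hop, interface), as listed in the NS25 config
    ("10.0.0.0/8", "10.128.0.6", "eth2"),
    ("0.0.0.0/0", "4.1.2.1", "eth1"),
]
# Assumption: eth1 faces the Internet (Untrust), eth2 the internal router (Trust).
ZONE_OF_INTERFACE = {"eth1": "Untrust", "eth2": "Trust"}
# Only the two tunnel policies listed in the post exist: (from-zone, to-zone).
POLICIES = {("Untrust", "Trust"), ("Trust", "Untrust")}


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ifname in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifname)
    return (best[1], best[2]) if best else None


def forward_decision(ingress_zone, dst):
    """Route first to find the egress zone, then look for a matching policy.

    Returns the route, the egress zone, and whether a from/to-zone policy exists.
    """
    route = lookup_route(dst)
    if route is None:
        return {"route": None, "egress_zone": None, "policy": False}
    egress_zone = ZONE_OF_INTERFACE[route[1]]
    return {
        "route": route,
        "egress_zone": egress_zone,
        "policy": (ingress_zone, egress_zone) in POLICIES,
    }


if __name__ == "__main__":
    # Assumption: packets leaving the tunnel on the NS25 enter from Untrust.
    # Constructed destinations: one internal host, one Internet host.
    for dst in ("10.5.6.7", "8.8.8.8"):
        print(dst, forward_decision("Untrust", dst))
```

Running it shows the internal destination gets a Trust egress with a matching policy, while the Internet destination routes back out eth1 into Untrust, for which no policy is listed.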