Netscreen 25 routing question

I have a Netscreen 25 in my office and have a Netscreen 5XP that I take with me when I travel. I would like to have the VPN set up so that it does not split tunnel. Basically it sends everything across the link. I have this working with all the private address space behind my Netscreen 25. However, I cannot get traffic out to the Internet over the VPN tunnel. Can someone help me know what I am doing wrong... Thanks so much in advance.

<oh a jump back to the BBS days for some ascii art>

Picture 1:

                         =========                                           ========
192.168.201.1/24 (Trust) = NS5XP = DHCP (Untrust) ----------- 4.1.2.2 (eth1) = NS25 = 10.128.0.5 (eth2)
                         =========                                           ========

Picture 2:

               ========                                                ===================
4.1.2.2 (eth1) = NS25 = 10.128.0.5 (eth2) ----------------- 10.128.0.6 = Internal Router = ---- 10.0.0.0/8 (basically)
               ========                                                ===================

NS5XP Config:
  Gateway = Static IP (4.1.2.2), Local ID (testaccount), pre-g5-aes256-sha1, aggressive, enable NAT with UDP Checksum
  AutoKey IKE = g5-esp-aes256-sha1, replay protection
  Policy Untrust -> Trust = Any Any Any Tunnel
  Policy Trust -> Untrust = Any Any Any Tunnel
  Static Route = 0.0.0.0/0 -> Set by DHCP

NS25 Config:
  Gateway = Dynamic IP with PeerID (testaccount), pre-g5-aes256-sha1, aggressive, enable NAT with UDP Checksum
  AutoKey IKE = g5-esp-aes256-sha1, replay protection
  Policy Untrust -> Trust = Any Any Any Tunnel, SRC NAT to Egress IP
  Policy Trust -> Untrust = Any Any Any Tunnel, SRC NAT to Egress IP
  Static Route = 10.0.0.0/8 -> 10.128.0.6 on eth2
  Static Route = 0.0.0.0/0 -> 4.1.2.1 on eth1

Like I said, a computer sitting behind the NS5XP can talk to all the devices in 10.0.0.0/8 just fine, basically all devices behind eth2 on the NS25. However, the computer sitting behind the NS5XP cannot talk to anything on the Internet (no Google, for example). It appears that I do not have something set up right with my routes or with my policies.

When a packet destined for, say, Google comes out of the VPN tunnel on the NS25, what happens next? Does it hit the route table? Do I need a special policy?

Thanks in advance.

Bret
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn
Re: Netscreen 25 routing question

Try using route-based tunnels for Juniper to Juniper.

Is it all 1 virtual router? If you have two, you can route the default route on trust-vr over tunnel.x. If you have only 1 VR you can still route default (0.0.0.0) over the tunnel, but you would need to add a more specific route for the NS25 and NS5 gateway IPs out to the next hop address on the untrust (Internet) side.

Christopher Groshong, CISSP
Data and Voice Management
Piper Jaffray & Co.
612.303.0165 phone | US
612.282.3007 mobile | US
christopher.d.groshong@...

-----Original Message-----
From: nn-bounces@... [mailto:nn-bounces@...] On Behalf Of Bret Jordan
Sent: Saturday, April 12, 2008 2:15 AM
To: nn@...
Subject: [nn] Netscreen 25 routing question

Guides for the journey. Piper Jaffray & Co. Since 1895. Member SIPC and FINRA. Learn more at piperjaffray.com.

Piper Jaffray corporate headquarters is located at 800 Nicollet Mall, Minneapolis, MN 55402

Piper Jaffray outgoing and incoming e-mail is electronically archived and recorded and is subject to review, monitoring and/or disclosure to someone other than the recipient. This e-mail may be considered an advertisement or solicitation for purposes of regulation of commercial electronic mail messages. If you do not wish to receive commercial e-mail communications from Piper Jaffray, go to: http://www.piperjaffray.com/do_not_email to review the details and submit your request to be added to the Piper Jaffray "Do Not E-mail Registry."

For additional disclosure information see http://www.piperjaffray.com/disclosures
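The single-VR caveat in the reply above (default route over the tunnel, plus a more specific route for the peer gateway out the physical untrust interface) comes down to longest-prefix-match route lookup. The script below is an added illustration, not code from the list posters or from Juniper: it models both route tables with the addresses from the thread (4.1.2.2, 4.1.2.1, 10.128.0.6, 10.0.0.0/8) and shows why the /32 for the peer is needed, and where a decapsulated packet lands on the NS25. The interface name tunnel.1, the Internet host 8.8.8.8, the internal host 10.5.5.5 and the ISP next hop 203.0.113.1 in front of the NS5XP are constructed placeholders.

```python
"""Longest-prefix-match route lookup for the single-virtual-router case in the
reply above.  Added illustration, not the list posters' or Juniper's code.
Addresses 4.1.2.2 / 4.1.2.1, 10.128.0.6 and 10.0.0.0/8 come from the thread;
tunnel.1, 8.8.8.8, 10.5.5.5 and the NS5XP's ISP next hop 203.0.113.1 are
constructed placeholders."""

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    gateway: Optional[IPv4Address] = None  # None: on-link or a tunnel interface


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific (longest prefix) route matching dst, or None."""
    addr = ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress_of(routes: List[Route], dst: str) -> str:
    """Egress interface name for dst, or 'unreachable' when nothing matches."""
    r = lookup(routes, dst)
    return r.interface if r else "unreachable"


def peer_route_check(routes: List[Route], peer: str, tunnel_if: str) -> Tuple[bool, str]:
    """The caveat from the reply: with 0.0.0.0/0 pointing at the tunnel, the
    VPN peer's public address needs a more specific route out the physical
    untrust interface.  Otherwise the IKE/ESP packets addressed to the peer
    would themselves be routed into the tunnel and the VPN never comes up."""
    r = lookup(routes, peer)
    if r is None:
        return False, f"no route to peer {peer}"
    if r.interface == tunnel_if:
        return False, f"peer {peer} matches {r.prefix} via {tunnel_if}: recursive tunnel route"
    return True, f"peer {peer} matches {r.prefix} via {r.interface}"


def ns5xp_table(peer_host_route: bool) -> List[Route]:
    """Travelling NS5XP, one VR: everything over the tunnel, optionally with the /32 fix."""
    routes = [Route(ip_network("0.0.0.0/0"), "tunnel.1")]
    if peer_host_route:
        # constructed ISP next hop; in practice learned via DHCP on the untrust interface
        routes.append(Route(ip_network("4.1.2.2/32"), "untrust", ip_address("203.0.113.1")))
    return routes


def ns25_table() -> List[Route]:
    """Office NS25 as posted: 10/8 to the internal router, everything else to the ISP."""
    return [
        Route(ip_network("10.0.0.0/8"), "ethernet2", ip_address("10.128.0.6")),
        Route(ip_network("0.0.0.0/0"), "ethernet1", ip_address("4.1.2.1")),
    ]


if __name__ == "__main__":
    _, why = peer_route_check(ns5xp_table(peer_host_route=False), "4.1.2.2", "tunnel.1")
    print("NS5XP without /32:", why)
    _, why = peer_route_check(ns5xp_table(peer_host_route=True), "4.1.2.2", "tunnel.1")
    print("NS5XP with /32:   ", why)
    print("NS5XP 8.8.8.8  ->", egress_of(ns5xp_table(True), "8.8.8.8"))
    # After decapsulation on the NS25 the inner packet is looked up again in its own table:
    print("NS25  8.8.8.8  ->", egress_of(ns25_table(), "8.8.8.8"))
    print("NS25  10.5.5.5 ->", egress_of(ns25_table(), "10.5.5.5"))
```

The last two lookups answer the original question's "what happens next": the inner packet coming out of the tunnel is routed by the NS25's own table, so Internet-bound traffic follows 0.0.0.0/0 to 4.1.2.1 on eth1 while 10/8 goes to the internal router. Whether a policy then permits that traffic from the tunnel zone to the Internet is a separate check that the route lookup does not model.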
Re: Netscreen 25 routing question

On Sat, Apr 12, 2008 at 01:12:57PM -0500, Groshong, Christopher wrote:
> try using route based tunnels for Juniper to Juniper
> is it all 1 virtual router? if you have two you can route the default
> route on trust-vr over tunnel.x

In my experience, this is the easiest solution, as it minimizes any additional configuration needed when bringing up the VPN. As a side note, it also allows you to administer the remote device from another location, w/out any additional static routes.

Cheers!

- Mark

Mark Kamichoff
prox@...
http://prolixium.com/
Rensselaer Polytechnic Institute, Class of 2004