VPN virtual IP address allocation on a system running in transparent mode
by Chris Dagdigian-2
Hello,

I have a Netscreen-25 running in transparent mode and sitting in front of a class C address block:

Internet -> V1-Untrust -> [NS-25-Transparent] -> V1-Trust -> 207.154.X.0/24

The setup is very simple compared to what I've seen being discussed in the docs and mailing list archives. Up until now, we've been using it for firewall and IDS duties without problems. Learning the VPN capabilities has been fun, but I'm currently being blocked by the final thing on my "see if I can get this to work" list.

I'm trying to create a Dialup VPN policy that will let me use an IP pool consisting of a couple of IPs from the /24 block, and I suspect I'm making a simple routing mistake. The sheer number of virtual/physical interfaces and zones is giving me too many opportunities to mess up.

Using the VPNTracker IPSEC client on my PowerBook it was actually pretty easy to set up Host-to-Network connections. Both the "simple" per-user methods as well as the Xauth-enabled Mode Config provisioning are working out just fine when I don't assign virtual IP addresses. If I don't assign addresses from a pool, everything looks fine. I can make the VPN and Xauth connection, SSH to a box sitting on the /24 block and confirm that the box thinks I've logged in from 192.168.x or whatever internal private IP my home wireless gateway has assigned. It was surprisingly easy to get this working.

Ideally what I want is for traffic exiting the tunnel at the Netscreen to be assigned public IP addresses belonging to the same subnet as the /24 block operating in the V1-Trust zone.

What does work:

- If the VPN IP pool consists of a single IP address matching the default gateway 207.154.x.1, then it works. I can start the tunnel, SSH to a box, and the box sees me logging in from the .1 address.

What does not work:

- Any other IP from the /24 range. The VPN connection is made but no traffic passes. If I SSH to the NS-25 a few times I see the login failures logged as coming from "0.0.0.0". Watching the IPSEC logs locally I can see that Mode Config is happening just fine; the VPN is handing me the proper IP from the public pool.

I'm guessing this is a routing problem. My Dialup VPN policy is active on the V1-Untrust zone, yet the public /24 block lives on the other interface in the V1-Trust zone. I'm starting to think that the public IP handed off to the client is simply unable to make the jump from V1-Untrust to V1-Trust.

My interfaces look like this:

> Interfaces in vsys Root:
> Name   IP Address       Zone        MAC             VLAN  State  VSD
> eth1   0.0.0.0/0        V1-Untrust  0012.1ea3.c3a0  -     U      -
> eth2   0.0.0.0/0        V1-Trust    0012.1ea3.c3a5  -     U      -
> eth3   0.0.0.0/0        V1-DMZ      0012.1ea3.c3a6  -     D      -
> eth4   0.0.0.0/0        Null        0012.1ea3.c3a7  -     D      -
> vlan1  207.154.X.3/24   VLAN        0012.1ea3.c3af  1     U      -
> null   0.0.0.0/0        Null        0000.5e00.0100  -     U      0

And routes look like this:

IPv4 Dest-Routes for <trust-vr> (3 entries)
--------------------------------------------------------------------------------
   ID  IP-Prefix         Interface  Gateway         P  Pref  Mtr  Vsys
--------------------------------------------------------------------------------
*  18  0.0.0.0/0         vlan1      207.154.17.1    S    20    1  Root
*  17  207.154.X.3/32    vlan1      0.0.0.0         H     0    0  Root
*  16  207.154.X.0/24    vlan1      0.0.0.0         C     0    0  Root

Any thoughts, tips or pointers to other documentation & resources would be appreciated.

Regards,
Chris

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn