netscreen100 VPN

Jose Muniz MuniX-1 at PACBELL.NET
Wed Jun 14 04:42:29 EDT 2000


Make sure that you have a SA after sending a
few ICMP's
ns100> get sa
If you got an SA then do
ns100> set adm sys-ip 0.0.0.0
then do a
ns100> set interface trust ping
and you should be able to ping the trusted from a host on the trusted
side of the local vpn.
So the ICMP will go from the host that you are typing at to
the local VPN through the Internet, the remote VPN and
hit the trusted interface.

Simple Huh?

If you do not have a SA, then check the policies out.
Just forget about everything, meditate and concentrate
and you'll see that it is all common sense..
If it does not make sense it probably won't work...

Use IKE and make the policies the same, or check that
the SPI is the same as follows.

VPN A

Local  3001
Remote 3002

VPN B

Local  3002
Remote 3001

You see the relation....

Check your routing..

Now if this does not work make sure that
your router has no access lists for IP 50 and/or 51,
this is ESP and AH. And UDP 500 for the ISAKMP [IKE].

If this does not work then go to sleep and try tomorrow...

Cheers..

Jose Muniz

> qzhu wrote:
>
> Hello, there..
>
> I got a problem when I try to build VPN connection between our company
> and the other office. The netscreen100 firewall works fine, I can ping
> each box's untrust IP. But I can not ping the trust IP which is behind
> the firewall. I use the manual key, and put this VPN policy on the top
> of outgoing policies page.
> The two boxes are behind routers. I don't know if I need to modify the
> routers. Any help would be much appreciated.
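
Added example, not part of the original message or of any NetScreen tooling: a pre-flight check for the two points in the reply above, that the manual-key SPIs mirror each other and that the router ACL in the path passes IP 50, IP 51 and UDP 500. The rule format, the function names and the sample ACL are constructed for illustration, and first-match evaluation with an implicit deny is an assumption about the router.

```python
# Added example: pre-flight checks for a manual-key IPsec tunnel.
# Rule format, names and sample ACL are constructed (hypothetical).

REQUIRED = {  # traffic the path between the two gateways must pass
    "ESP (IP 50)": ("50", None),
    "AH (IP 51)": ("51", None),
    "IKE (UDP 500)": ("udp", 500),
}

def spi_mirrored(a, b):
    """Manual key: A's local SPI must be B's remote SPI and vice versa."""
    return a["local"] == b["remote"] and a["remote"] == b["local"]

def acl_verdict(acl, proto, port):
    """Assumed semantics: first matching rule wins, no match is a deny."""
    for rule in acl:
        proto_ok = rule["proto"] in ("ip", proto)  # "ip" matches any protocol
        port_ok = rule.get("port") is None or rule["port"] == port
        if proto_ok and port_ok:
            return rule["action"]
    return "deny"

def blocked_traffic(acl):
    """Return the required flows this ACL would drop.

    acl=None means no access list is applied to the interface at all,
    which blocks nothing; an empty list is an ACL with only the implicit deny.
    """
    if acl is None:
        return []
    return [name for name, (proto, port) in REQUIRED.items()
            if acl_verdict(acl, proto, port) != "permit"]

# SPI values from the message; the ACL is a constructed sample that
# permits IKE and ESP but forgets AH before the final deny.
VPN_A = {"local": 3001, "remote": 3002}
VPN_B = {"local": 3002, "remote": 3001}
ROUTER_ACL = [
    {"action": "permit", "proto": "udp", "port": 500},
    {"action": "permit", "proto": "50"},
    {"action": "deny", "proto": "ip"},
]

if __name__ == "__main__":
    print("SPIs mirrored:", spi_mirrored(VPN_A, VPN_B))
    print("Blocked by router ACL:", blocked_traffic(ROUTER_ACL))
```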
