SNMP through Netscreen VPN

Jeff Dell jdell at TELEPLACE.COM
Tue Apr 10 07:36:59 EDT 2001


When a packet leaves the Netscreen that is not destined for its Trusted or
DMZ LANs, the packet leaves the Netscreen with a source IP of the Untrusted
Port.  When the destination is the remote LAN through the VPN tunnel, the
Netscreen will not go through the tunnel, because the VPN policy reads

set policy outgoing "Inside Any" "Remote LAN" "ANY" Encrypt vpn-tunnel "VPN to NY"

The source address is the problem here.  It reads "Inside Any".  The
Untrusted IP is not a part of "Inside Any".  Therefore you must do the
following on the local Netscreen (let's call this the CA Netscreen) to correct
the problem.

1.  Create an entry for the Untrusted IP in the Trust side of the Address
book.  This will make this address available for selection in the Source
pull-down menu for the Outgoing policies.

2.  Create a policy like the following.

set policy outgoing "Untrusted Port" "Remote LAN" "ANY" Encrypt vpn-tunnel "VPN to NY"

This completes one side of the problem.  Basically, this policy will allow
anything with a source IP of the Untrusted Port and a destination port of
anything on the Remote LAN to be passed through the tunnel.  The packet will
get to the desired host on the other side of the tunnel.  However, the
packet will not get back, because the remote Netscreen does not have a
policy to allow this.  Therefore, we will need to do the following on the
remote Netscreen (let's call this the NY Netscreen).

1.  Create an Untrusted side address book entry for the Untrusted Port of
the original CA Netscreen.

2.  Create a policy like the following.

set policy outgoing "Inside Any" "CA Untrust IP" "ANY" Encrypt vpn-tunnel "VPN to CA"

Now the Netscreens are configured such that packets that originate from the
CA Netscreen can reach the NY LAN and be returned.

Jeff
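
The two-sided fix above, as an added example that is not part of Jeff's reply or of ScreenOS: a first-match model of the outgoing policies on both Netscreens, run once before and once after each step. It ignores zones, services and NAT, and every address, host name and policy label in it is a constructed assumption, so it only shows why a packet sourced from the Untrusted Port falls outside "Inside Any" and why the return path needs its own policy on the NY side.

```python
"""Simplified first-match model of Netscreen outgoing policies (added example,
not ScreenOS code).  Zones, services and NAT are ignored; all addresses are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, hypothetical addressing (not taken from the thread).
CA_TRUST_LAN = "10.1.0.0/24"     # "Inside Any" on the CA Netscreen
CA_UNTRUST_IP = "203.0.113.10"   # CA Netscreen's Untrusted Port address
NY_TRUST_LAN = "10.2.0.0/24"     # "Remote LAN" as seen from CA
NY_HOST = "10.2.0.5"             # a host on the NY LAN being polled


@dataclass
class Policy:
    name: str
    src: List[str]   # address-book objects, as CIDR / host strings
    dst: List[str]
    tunnel: str      # VPN tunnel the policy encrypts into


def in_book(ip: str, objects: List[str]) -> bool:
    """True if ip falls inside any of the address-book objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(o) for o in objects)


def evaluate(policies: List[Policy], src: str, dst: str) -> Optional[str]:
    """Name of the first policy whose source and destination books contain the
    packet; None means no policy matched, i.e. the packet is not tunneled."""
    for p in policies:
        if in_book(src, p.src) and in_book(dst, p.dst):
            return p.name
    return None


def ca_policies(add_untrust_policy: bool) -> List[Policy]:
    """Outgoing policies on the CA Netscreen, with or without Jeff's step 2."""
    book = {
        "Inside Any": [CA_TRUST_LAN],
        "Remote LAN": [NY_TRUST_LAN],
        "Untrusted Port": [CA_UNTRUST_IP + "/32"],   # CA step 1: book entry
    }
    pols = [Policy("CA: Inside Any -> Remote LAN",
                   book["Inside Any"], book["Remote LAN"], "VPN to NY")]
    if add_untrust_policy:                           # CA step 2: new policy
        pols.append(Policy("CA: Untrusted Port -> Remote LAN",
                           book["Untrusted Port"], book["Remote LAN"], "VPN to NY"))
    return pols


def ny_policies(add_return_policy: bool) -> List[Policy]:
    """Outgoing policies on the NY Netscreen, with or without the return policy."""
    book = {
        "Inside Any": [NY_TRUST_LAN],
        "CA LAN": [CA_TRUST_LAN],
        "CA Untrust IP": [CA_UNTRUST_IP + "/32"],    # NY step 1: book entry
    }
    pols = [Policy("NY: Inside Any -> CA LAN",
                   book["Inside Any"], book["CA LAN"], "VPN to CA")]
    if add_return_policy:                            # NY step 2: new policy
        pols.append(Policy("NY: Inside Any -> CA Untrust IP",
                           book["Inside Any"], book["CA Untrust IP"], "VPN to CA"))
    return pols


def round_trip(fix_ca: bool, fix_ny: bool,
               src: str = CA_UNTRUST_IP, dst: str = NY_HOST
               ) -> Tuple[Optional[str], Optional[str]]:
    """(outbound policy hit on CA, return-path policy hit on NY) for one
    request/response pair.  The reply is only evaluated if the request got out."""
    out = evaluate(ca_policies(fix_ca), src, dst)
    back = evaluate(ny_policies(fix_ny), dst, src) if out else None
    return out, back


if __name__ == "__main__":
    for fix_ca, fix_ny in [(False, False), (True, False), (True, True)]:
        print(f"CA fix={fix_ca!s:5} NY fix={fix_ny!s:5} -> {round_trip(fix_ca, fix_ny)}")
    # A host on the CA LAN already matches "Inside Any" and needs no change.
    print("CA LAN host:", round_trip(False, False, src="10.1.0.7"))
```

The CA-side policy alone gets the request into the tunnel but leaves the reply unmatched on the NY Netscreen, which is the one-sided state Jeff describes in the middle of his reply; only with both policies does the pair return a hit in each direction.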

-----Original Message-----
From: L. David Leija [mailto:ldl1971 at HOTMAIL.COM]
Sent: Monday, April 09, 2001 8:50 PM
To: VPN at SECURITYFOCUS.COM
Subject: SNMP through Netscreen VPN


We've deployed 2 Netscreen-10's and successfully established an AutoKey
encrypted tunnel between them. We also utilize the SNMP/Perl monitoring
software, MRTG. We are able to monitor data from the Netscreen on the near
side of the tunnel, however we cannot get SNMP to talk to the remote
Netscreen through the tunnel. We can ping it fine, we also have complete
access to all resources on the remote site through the tunnel. However, SNMP
always gets "SNMP Error:no response received" when trying to establish a
session. Any clues on where the problem is? The VPN tunnel, the remote
Netscreen, or MRTG? I don't think it's MRTG, as it is currently monitoring
countless other devices successfully.


VPN is sponsored by SecurityFocus.COM
