[vpn] ProhibitIpSec registry key and NS5

Tom McHugh TomM at spectrum-systems.com
Wed Dec 5 15:52:47 EST 2001


Okay, now that I've read up on L2TP-over-IPSec a little more, I think I can
make a reasonable suggestion:  Read NetScreen's Concepts and Examples Guide!
:^)

It has some good doc on configuring your NS-5XP to act as an L2TP server,
but the key is that the IPSec tunnel *and* the L2TP tunnel are configured to
terminate at the NetScreen's *Untrust* interface IP.  Also, the tunnel must
be configured (on the 5XP itself) to be in Transport Mode.

The remote party ID would be (for most of the configurations I've done) IP
Subnet, with the subnet and netmask used at the NetScreen-5XP's trusted side
(e.g.: 192.168.1.0/255.255.255.0).

There's lots of doc on NetScreen website, including the C&E guide I
mentioned above, and their searchable knowledgebase is pretty good, but make
sure you use the option to search using *any* of the keywords (if you use
the "all" option, you'll find it's a little ... um ... sub-optimal).

Tom McHugh, Senior Systems Engineer
mailto:tomm at spectrum-systems.com

Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"

11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

Concerned about the security of your network?  Spectrum Systems' Network
Security products and services can take the worry out of protecting your
network.  Call us at 800-929-3781 or visit us at
http://www.spectrum-systems.com to learn more.


> -----Original Message-----
> From: Thierry Blanchard [mailto:thierry_b at ifrance.com]
> Sent: Wednesday, December 05, 2001 1:44 PM
> To: VPN (E-mail)
> Subject: RE: [vpn] ProhibitIpSec registry key and NS5
> 
> 
> You're right, I set up NSR to connect to the public IP address of my NS5XP
> device.
> Then, what should I put to the remote party IP address and should I use a
> Remote Gateway Tunnel IP address?
> 
> > -----Original Message-----
> > From: Tom McHugh [mailto:TomM at spectrum-systems.com]
> > Sent: Wednesday, December 05, 2001 7:24 AM
> > To: 'Thierry Blanchard'; VPN (E-mail)
> > Subject: RE: [vpn] ProhibitIpSec registry key and NS5
> >
> >
> > NetScreen Remote isn't involved in any L2TP communications.  It may be that
> > your L2TP configuration is set up to connect to your L2TP server's external
> > IP address.  If that's the case, NSR will never see the request for the VPN
> > tunnel to be formed.
> >
> > Hope that helps!
> >
> > > -----Original Message-----
> > > From: Thierry Blanchard [mailto:thierry_b at ifrance.com]
> > > Sent: Tuesday, December 04, 2001 6:53 PM
> > > To: VPN (E-mail)
> > > Subject: [vpn] ProhibitIpSec registry key and NS5
> > >
> > >
> > >
> > > When setting:
> > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ProhibitIpSec = 1
> > > my L2TP works but without encryption (no IpSec).
> > >
> > > When setting:
> > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ProhibitIpSec = 0
> > > I have an "Error 678 : There is no answer" on my W2K client.
> > > Even if I check "Require Encryption" in the DUN settings, I keep getting the
> > > same error.
> > > The Log Viewer of my Netscreen-Remote is not logging any activity. The log
> > > file on the NS5 firewall is also empty.
> > >
> > > Any idea?
> > >
> > > Thanks,
> > > Thierry.
> > >

VPN is sponsored by SecurityFocus.com
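An added defender's check, not posted by anyone in this thread: a PowerShell function that reads the RasMan ProhibitIpSec value the thread discusses and reports whether the host will bring up L2TP without IPsec. It assumes a current Windows host with PowerShell available; the registry path is the one quoted above, and the function name and switch are my own.

```powershell
# Added example (not from the thread). Audits the ProhibitIpSec value under
# HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters.
# As reported in the thread: value 1 lets the L2TP client connect with no IPsec
# ("works but without encryption"); 0 (or an absent value, which defaults to 0)
# keeps the built-in IPsec requirement for L2TP.
function Test-L2tpIpsecEnforcement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters',
        [switch]$Remediate   # hypothetical switch: reset a weak value (1) back to 0
    )

    $value = $null
    $item = Get-ItemProperty -Path $Path -Name 'ProhibitIpSec' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $value = [int]$item.ProhibitIpSec }

    # Absent key behaves like 0: IPsec still required for L2TP.
    $enforced = ($null -eq $value) -or ($value -eq 0)
    $display  = if ($null -eq $value) { 'absent (default 0)' } else { $value }
    $finding  = if ($enforced) { 'OK: L2TP requires IPsec' }
                else           { 'WEAK: L2TP permitted without IPsec' }

    if (-not $enforced -and $Remediate -and
        $PSCmdlet.ShouldProcess($Path, 'Set ProhibitIpSec = 0')) {
        Set-ItemProperty -Path $Path -Name 'ProhibitIpSec' -Value 0 -Type DWord
        $finding += ' (set back to 0; a restart is needed before it takes effect)'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ProhibitIpSec = $display
        IpsecRequired = $enforced
        Finding       = $finding
    }
}

# Usage (constructed): audit only, then a dry run of the remediation.
Test-L2tpIpsecEnforcement
Test-L2tpIpsecEnforcement -Remediate -WhatIf
```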