[vpn] ProhibitIpSec registry key and NS5

Lisa Phifer lisa at corecom.com
Wed Dec 5 18:15:19 EST 2001


At 03:52 PM 12/5/2001 -0500, Tom McHugh wrote:
>The remote party ID would be (for most of the configurations I've done) IP
>Subnet, with the subnet and netmask used at the NetScreen-5XP's trusted side
>(e.g.: 192.168.1.0/255.255.255.0).

When NS-Remote is configured for tunnel mode, this is correct.
But this is transport mode IPsec. The Remote Party ID should be the LNS
(in this case, the NS's *untrusted* IP, not the trusted subnet).
"Connect using Security Gateway" should be unchecked.

My guess is that Thierry's NS-Remote policy is not correctly configured
to direct UDP 1701 over IPsec transport mode to the NS5's untrusted IP,
NS-Remote is disabled, or the NS5's untrusted IP is not being given to
DUN.

Lisa
