Netscreen10-VPN
Renuka Nadkarni
renuka_nadkarni at YAHOO.COM
Thu Mar 8 13:00:42 EST 2001
1) Check the default route on the Netscreen-2
firewall.
Your VPN is up since you can ping host1 (trusted) to
host2 (trusted).
I think in your case the untrusted IP address of the
other netscreen should be the default route since you
do not have a router in between.
2) In your VPN policy, make sure that the host-2 IP
address does not fall in any other subnet, like the
management interface or so. For example, I have an IP
address for host-2 (214.35.76.2) the same as that of the
untrusted network, and a management platform on the
untrusted network (214.35.76.4). Now I define the host
group behind the VPN tunnel as 214.35.76.0/24. Then
the pings get lost. I have seen this happen, so you
have to check the VPN policy.
--- "L. David Leija" <ldl1971 at HOTMAIL.COM> wrote:
> Labsetup Visual Description:-
>
> [Host1]-{Lan1}-[Netscreen1]-{VPN_Over_X-Over_Cable}-[Netscreen2]-{Lan2}-[Host2]
>
> Labsetup Verbal Description:-
> 2 Netscreen boxes with their untrusted interfaces
> connected with a
> cross-over cable.
> Hosts each are connected to the trusted interface of
> each Netscreen box.
> Manual Key VPN configured between LAN1 and LAN2
>
> What works:-
> I can ping from Host2 to the untrusted interface of
> Netscreen1
> I can ping from Host2 to the trusted interface of
> Netscreen1
> I can ping from Host2 to the interface of Host1
> I can telnet from Host2 to the interface of Host1
>
> What doesn't work:-
> I cannot ping from Host1 to the untrusted interface
> of Netscreen2
> I cannot ping from Host1 to the trusted interface of
> Netscreen2
> I cannot ping from Host1 to the interface of Host2
> I cannot telnet from Host1 to the interface of Host2
>
> Additional:-
> I haven't noticed anything that obvious in the
> Netscreen routing tables. If
> there were a routing problem, I doubt the icmp
> replies would find their way
> back to Host2 on pinging Host1. Is there some policy
> issue that I'm missing?
> I can't understand why only 1/2 of the tunnel works.
> That just doesn't make
> any sense. TIA
>
> VPN is sponsored by SecurityFocus.COM
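An added example, not part of the original message: a small Python check for the policy overlap described in point 2, using the addresses from the reply (214.35.76.0/24, 214.35.76.4). The interface names, the 10.1.1.0/24 trusted subnet and the 192.168.2.0/24 remote LAN are constructed assumptions, and the script only compares prefixes; it does not read a NetScreen configuration.

```python
import ipaddress

# Constructed sample data: locally connected subnets and local hosts
# on the firewall that evaluates the VPN policy.
LOCAL_SUBNETS = {
    "untrust": "214.35.76.0/24",   # untrusted network from the reply
    "trust": "10.1.1.0/24",        # assumed trusted LAN
}
LOCAL_HOSTS = {
    "management": "214.35.76.4",   # management platform from the reply
}


def policy_conflicts(tunnel_dst, local_subnets, local_hosts):
    """List reasons why a VPN policy destination collides with addresses
    that are reachable locally, outside the tunnel."""
    dst = ipaddress.ip_network(tunnel_dst, strict=False)
    findings = []
    # A destination that overlaps a connected subnet is ambiguous:
    # the same address is both "behind the tunnel" and "on the wire".
    for name, cidr in local_subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if dst.overlaps(net):
            findings.append(f"{dst} overlaps connected subnet {name} ({net})")
    # Local hosts inside the destination would have their traffic
    # matched by the tunnel policy.
    for name, addr in local_hosts.items():
        if ipaddress.ip_address(addr) in dst:
            findings.append(f"{dst} contains local host {name} ({addr})")
    return findings


if __name__ == "__main__":
    for dst in ("214.35.76.0/24", "214.35.76.2/32", "192.168.2.0/24"):
        problems = policy_conflicts(dst, LOCAL_SUBNETS, LOCAL_HOSTS)
        print(dst, "->", problems or "no overlap")
```

Narrowing the host group to 214.35.76.2/32 still overlaps the connected untrusted subnet, so only a remote LAN numbered outside the local subnets comes back clean.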