Netscreen10-VPN

David Gillett dgillett at NIKU.COM
Thu Mar 8 16:38:56 EST 2001


  I've found something in the configs that confuses *me*; it might or might
not be relevant.

  On each NetScreen, you appear to have defined one Manual Key VPN tunnel
and one AutoKey VPN tunnel.  Your outgoing policy rules say "Encrypt", but
where I'd expect to see the name of the tunnel definition to use, I instead
see "*".
  [I've never done anything on ours with AutoKey tunnels, so my gut
inclination is to blow away the AutoKey definitions and see if that fixes
the problem.  I'd also enable logging and see how the tests that fail get
logged differently from those that succeed.]

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp. "Transforming the Service Economy"



-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of L.
David Leija
Sent: Thursday, March 08, 2001 11:17 AM
To: VPN at SECURITYFOCUS.COM
Subject: Fwd: Netscreen10-VPN


Thanks for the replies. I'll try to fill in some of the holes you guys
pointed out. Here you go.

Outbound encryption is identically configured on both boxes. If this was not
true, how would I be able to ping any host on Lan1 from Host2?

I'm using 2port NAT
I've minimized the number of policies, I have only one outbound policy (the
VPN) on each box and I don't even have an inbound policy on either box.

This is a site-to-site VPN, not a site-dialin client VPN.
Tunnel definitions match on both boxes
I have, for simplicity, removed inbound policies on both boxes and still
experience the same results (can access lan2 from lan2, but can't access lan2
from lan1)
Host1 cannot ping untrusted interface of Netscreen1 but can ping its trusted
interface.
I am not routing unencrypted traffic.

How can I use these boxes as routers in 2port NAT mode?

If it were a routing problem, I'd think that I could not Telnet from Host2
to Host1 as Telnet is a TCP session application that requires ack packets
from Host1 to Host2 which would be lost with routing problems.


I don't want to turn this into a project, I know you all have jobs. I do
appreciate your patience though. I've included configuration information a
few of you asked for in the attached text files.

>From: "L. David Leija" <ldl1971 at HOTMAIL.COM>
>Reply-To: "L. David Leija" <ldl1971 at HOTMAIL.COM>
>To: VPN at SECURITYFOCUS.COM
>Subject: Netscreen10-VPN
>Date: Wed, 7 Mar 2001 18:04:55 -0700
>
>Labsetup Visual Description:-
>[Host1]-{Lan1}-[Netscreen1]-{VPN_Over_X-Over_Cable}-[Netscreen2]-{Lan2}-[Host2]
>
>Labsetup Verbal Description:-
>2 Netscreen boxes with their untrusted interfaces connected with a
>cross-over cable.
>Hosts each are connected to the trusted interface of each Netscreen box.
>Manual Key VPN configured between LAN1 and LAN2
>
>What works:-
>I can ping from Host2 to the untrusted interface of Netscreen1
>I can ping from Host2 to the trusted interface of Netscreen1
>I can ping from Host2 to the interface of Host1
>I can telnet from Host2 to the interface of Host1
>
>What doesn't work:-
>I cannot ping from Host1 to the untrusted interface of Netscreen2
>I cannot ping from Host1 to the trusted interface of Netscreen2
>I cannot ping from Host1 to the interface of Host2
>I cannot telnet from Host1 to the interface of Host2
>
>Additional:-
>I haven't noticed anything that obvious in the Netscreen routing tables. If
>there were a routing problem, I doubt the icmp replies would find their way
>back to Host2 on pinging Host1. Is there some policy issue that I'm
>missing?
>I can't understand why only 1/2 of the tunnel works. That just doesn't make
>any sense. TIA
>
>
>_________________________________________________________________
>Get your FREE download of MSN Explorer at http://explorer.msn.com
>
>VPN is sponsored by SecurityFocus.COM

