Netscreen10-VPN
Renuka Nadkarni
renuka_nadkarni at YAHOO.COM
Thu Mar 8 15:05:57 EST 2001
> I'm using 2port NAT
Did you say you are using NAT? Why?
If you are using the NetScreen in bridge mode then
IPSec will encapsulate a 10.0.0.0 n/w host(protected
host-1) and tunnel it to 12.0.0.0 n/w (protected
host-2). So you will be able to ping host-1 to host-2
but not in between like host-1 to Netscreen untrusted
because host-1 and host-2 are tunnel endpoints.
> Host1 cannot ping untrusted interface of Netscreen1
> but can ping its trusted
> interface.
Put Netscreen in bridge mode. It seems it is not set
to bridge traffic. This should work because the
Netscreen should be able to pass traffic destined to
trusted n/w.
> If it were a routing problem, I'd think that I could
> not Telnet from Host2
By using NATing you can route traffic between the
trusted hosts without IPSec. Make sure that the telnet
traffic is even encrypted. Sniff the packets.
--------------------------------------------------------
> I am not routing uncrypted traffic.
>
> How can I use these boxes as routers in 2port NAT
> mode?
>
> to Host1 as Telnet is a TCP session application that
> requires ack packets
> from Host1 to Host2 which would be lost with routing
> problems.
>
> > >From: "L. David Leija" <ldl1971 at HOTMAIL.COM>
> >Reply-To: "L. David Leija" <ldl1971 at HOTMAIL.COM>
> >To: VPN at SECURITYFOCUS.COM
> >Subject: Netscreen10-VPN
> >Date: Wed, 7 Mar 2001 18:04:55 -0700
> >
> >Labsetup Visual Description:-
>
> >[Host1]-{Lan1}-[Netscreen1]-{VPN_Over_X-Over_Cable}-[Netscreen2]-{Lan2}-[Host2]
> >
> >Labsetup Verbal Description:-
> >2 Netscreen boxes with their untrusted interfaces
> connected with a
> >cross-over cable.
> >Hosts each are connected to the trusted interface of
> each Netscreen box.
> >Manual Key VPN configured between LAN1 and LAN2
> >
> >What works:-
> >I can ping from Host2 to the untrusted interface of
> Netscreen1
> >I can ping from Host2 to the trusted interface of
> Netscreen1
> >I can ping from Host2 to the interface of Host1
> >I can telnet from Host2 to the interface of Host1
> >
> >What doesn't work:-
> >I cannot ping from Host1 to the untrusted interface
> of Netscreen2
> >I cannot ping from Host1 to the trusted interface
> of Netscreen2
> >I cannot ping from Host1 to the interface of Host2
> >I cannot telnet from Host1 to the interface of
> Host2
> >
> >Additional:-
> >I haven't noticed anything that obvious in the
> Netscreen routing tables. If
> >there were a routing problem, I doubt the icmp
> replies would find their way
> >back to Host2 on pinging Host1. Is there some
> policy issue that I'm
> >missing?
> >I can't understand why only 1/2 of the tunnel
> works. That just doesn't make
> >any sense. TIA
> >
> >
>
> >
> >VPN is sponsored by SecurityFocus.COM
> >
> ns10-1-> get policy outgoing
> pid name         direction source          destination service action  s t o
> 1   Dallas Side  outgoing  Trusted-Dallas  LosColinas  ANY     Encrypt *
>
> ns10-1-> get policy incoming
> pid name         direction source          destination service action  s t o
>
> ns10-1-> get address trust
> * * * * * Trusted Group Addresses * * * * *
> No groups have been defined
> * * * * * Trusted Individual Addresses * * * * *
> id       address      netmask         flag name            comment
> 00000000 0.0.0.0      0.0.0.0         02   Inside Any      All Trusted Addr
> 00000001 192.40.0.0   255.255.0.0     00   Trusted-Dallas  Dallas Network
> 00000002 192.40.3.250 255.255.255.255 00   DallasTrustedWS The Dell Server
>
> ns10-1-> get address untrust
> * * * * * Untrusted Group Addresses * * * * *
> No groups have been defined
> * * * * * Untrusted Individual Addresses * * * * *
> id       address         netmask         flag name             comment
> 20000000 0.0.0.0         0.0.0.0         03   Outside Any      All Untrusted Addr
> 20000001 255.255.255.255 255.255.255.255 03   Dial-Up VPN      Dial-Up VPN Addr
> 20000002 118.134.12.0    255.255.255.0   01   Untrusted_Dallas Dallas Network
> 20000003 192.41.0.0      255.255.0.0     01   LosColinas       LosColinasNetwork
>
> ns10-1-> get interface trust
> interface trust, status up/half-duplex
> IP 192.40.1.12, netmask 255.255.0.0, MAC xxxx.xxxx.xxxx
> manage IP 192.40.1.12, gateway IP 192.40.3.50, MAC 0000.0000.0000
> ping enabled, telnet enabled, SCS enabled, SNMP enabled
> NS-Global enabled, web enabled, ident-reset disabled
> bandwidth: physical 10000kbps, configured 10000kbps, current 0bps
> total configured gbw 0kbps, total allocated gbw 0kbps
> ns10-1-> get interface untrust
> interface untrust, status up/half-duplex
> DHCP disabled
> IP 118.134.12.80, netmask 255.255.255.0, MAC xxxx.xxxx.xxxx
> manage IP 0.0.0.0, gateway IP 118.134.12.79, MAC xxxx.xxxx.xxxx
> ping enabled, telnet enabled, SCS enabled, SNMP enabled
> NS-Global enabled, web enabled, ident-reset disabled
> bandwidth: physical 10000kbps, configured 10000kbps, current 0bps
> total configured gbw 0kbps, total allocated gbw 0kbps
>
> ns10-1-> get vpn
> Name            Gateway           RPlay Proposals         Monitor  Use Count
> --------------- ----------------- ----- ----------------- -------- ---------
> AutoKey-2LC     Dallas-LosColinas No    nopfs-esp-des-md5 inactive 0
> Total VPN Auto: 1
>
> Name                     Local SPI Remote SPI Algorithm     Monitor
> ManKey-Dallas-LosColinas 00001002  00001001   esp:null/null off
>
> ns10-2-> get policy outgoing
> pid name             direction source             destination service action  s t o
> 1   LosColinas Side  outgoing  Trusted_LosColinas Dallas      ANY     Encrypt *
>
> ns10-2-> get policy incoming
> pid name             direction source             destination service action  s t o
>
> ns10-2-> get address trust
> * * * * * Trusted Group Addresses * * * * *
> No groups have been defined
> * * * * * Trusted Individual Addresses * * * * *
> id       address     netmask         flag name                comment
> 00000000 0.0.0.0     0.0.0.0         02   Inside Any          All Trusted Addr
> 00000001 192.41.0.0  255.255.0.0     00   Trusted_LosColinas  Los Colinas Network
> 00000002 192.41.3.10 255.255.255.255 00   LosColinasTrustedLT The Dell Laptop
>
> ns10-2-> get address untrust
> * * * * * Untrusted Group Addresses * * * * *
> No groups have been defined
> * * * * * Untrusted Individual Addresses * * * * *
> id       address         netmask         flag name                 comment
> 20000000 0.0.0.0         0.0.0.0         03   Outside Any          All Untrusted Addr
> 20000001 255.255.255.255 255.255.255.255 03   Dial-Up VPN          Dial-Up VPN Addr
> 20000002 118.134.12.0    255.255.255.0   01   Untrusted_LosColinas Los Colinas Network
> 20000003 192.40.0.0      255.255.0.0     01   Dallas               DallasNetwork
>
> ns10-2-> get interface trust
> interface trust, status up/half-duplex
> IP 192.41.1.10, netmask 255.255.0.0, MAC 0010.db05.f7b0
> manage IP 192.41.1.10, gateway IP 192.41.3.10, MAC 0001.039a.4b85
> ping enabled, telnet enabled, SCS enabled, SNMP enabled
> NS-Global enabled, web enabled, ident-reset disabled
> bandwidth: physical 10000kbps, configured 10000kbps, current 0bps
> total configured gbw 0kbps, total allocated gbw 0kbps
> ns10-2-> get interface untrust
> interface untrust, status up/half-duplex
> DHCP disabled
> IP 118.134.12.79, netmask 255.255.255.0, MAC 0010.db05.f7b1
> manage IP 0.0.0.0, gateway IP 118.134.12.80, MAC 0010.db05.74c1
> ping enabled, telnet enabled, SCS enabled, SNMP enabled
> NS-Global enabled, web enabled, ident-reset disabled
> bandwidth: physical 10000kbps, configured 10000kbps, current 0bps
> total configured gbw 0kbps, total allocated gbw 0kbps
>
> ns10-2-> get vpn
> Name            Gateway           RPlay Proposals         Monitor  Use Count
> --------------- ----------------- ----- ----------------- -------- ---------
> AutoKey-2Dallas Dallas-LosColinas No    nopfs-esp-des-md5 inactive 0
> Total VPN Auto: 1
>
> Name                     Local SPI Remote SPI Algorithm     Monitor
> ManKey-Dallas-LosColinas 00001001  00001002   esp:null/null off
>
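An added check for the "sniff the packets" advice in the reply above, not code from the list thread or from NetScreen: it labels frames captured on the cross-over cable as cleartext telnet, ESP, or ESP that still carries a readable inner IPv4 header, which is what the quoted manual-key SA's esp:null/null algorithm would put on the wire. The addresses and SPI come from the quoted config; the packets are constructed, and the null-cipher test is a heuristic, since random ciphertext can also happen to start with a version nibble of 4.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO, TCP_PROTO, TELNET_PORT = 50, 6, 23

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload), or None if these bytes are not a sane IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return None
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])),
            pkt[9], pkt[ihl:total_len])

def classify(pkt):
    """Label one packet captured on the cable between the two untrusted interfaces."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return "not-ipv4"
    _, _, proto, payload = hdr
    if proto == TCP_PROTO and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "cleartext-telnet" if TELNET_PORT in (sport, dport) else "cleartext-tcp"
    if proto == ESP_PROTO:
        # ESP = SPI (4) + sequence (4) + payload. With esp:null/null that payload is the
        # unencrypted inner IPv4 packet, so a valid inner header right after the 8-byte
        # ESP header is a strong (though heuristic) sign of a null-cipher tunnel.
        return "esp-null-cipher" if parse_ipv4(payload[8:]) else "esp"
    return "other"

# --- constructed sample traffic (hypothetical, not a capture from the list's lab) ---
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def tcp_segment(sport, dport, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + data

INNER = build_ipv4("192.40.3.250", "192.41.3.10", TCP_PROTO, tcp_segment(40001, TELNET_PORT, b"login"))
ESP_HDR = struct.pack("!II", 0x1002, 1)  # SPI 00001002, the manual-key local SPI on ns10-1
SAMPLES = [
    INNER,                                                                           # telnet in the clear
    build_ipv4("118.134.12.80", "118.134.12.79", ESP_PROTO, ESP_HDR + INNER),              # esp:null/null
    build_ipv4("118.134.12.80", "118.134.12.79", ESP_PROTO, ESP_HDR + bytes([0x9F]) * 48),  # opaque bytes standing in for ciphertext
]
```

Running classify over SAMPLES gives cleartext-telnet, esp-null-cipher and esp in turn; only the last is what an encrypting tunnel should show on the untrusted link.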