Fwd: Netscreen10-VPN
L. David Leija
ldl1971 at HOTMAIL.COM
Fri Mar 9 14:02:19 EST 2001
Thanks again for your responses. I've got it working. As I had suspected, it
was something in my environment, not the Netscreen boxes that was preventing
bi-directional VPN resource access. I had a freshly installed W2K Advanced
server as Host1, and one of our imaged W2K Professional Laptops as Host2.
Our Laptop image includes a product called 'ZoneAlarm'. I had disabled this
service from the beginning. One of my co-workers said that sometimes
disabling ZoneAlarm is not enough. I had to reconfigure it to allow pings to
the local host and then turn it off. Once I did that, voila, the tunnel
became verifiably functional just as everyone said it should be all along.
Thanks.
>From: "L. David Leija" <ldl1971 at HOTMAIL.COM>
>Reply-To: "L. David Leija" <ldl1971 at HOTMAIL.COM>
>To: VPN at SECURITYFOCUS.COM
>Subject: Fwd: Netscreen10-VPN
>Date: Thu, 8 Mar 2001 12:17:01 -0700
>
>Thanks for the replies. I'll try to fill in some of the holes you guys
>pointed out. Here you go.
>
>Outbound encryption is identically configured on both boxes. If this was not
>true, how would I be able to ping any host on Lan1 from Host2?
>
>I'm using 2port NAT
>I've minimized the number of policies, I have only one outbound policy (the
>VPN) on each box and I don't even have an inbound policy on either box.
>
>This is a site-to-site VPN, not a site-dialin client VPN.
>Tunnel definitions match on both boxes
>I have, for simplicity, removed inbound policies on both boxes and still
>experience the same results (can access lan2 from lan2, but can't access lan2
>from lan1)
>Host1 cannot ping untrusted interface of Netscreen1 but can ping its trusted
>interface.
>I am not routing unencrypted traffic.
>
>How can I use these boxes as routers in 2port NAT mode?
>
>If it were a routing problem, I'd think that I could not Telnet from Host2
>to Host1 as Telnet is a TCP session application that requires ack packets
>from Host1 to Host2 which would be lost with routing problems.
>
>
>I don't want to turn this into a project, I know you all have jobs. I do
>appreciate your patience though. I've included configuration information a
>few of you asked for in the attached text files.
>
>>From: "L. David Leija" <ldl1971 at HOTMAIL.COM>
>>Reply-To: "L. David Leija" <ldl1971 at HOTMAIL.COM>
>>To: VPN at SECURITYFOCUS.COM
>>Subject: Netscreen10-VPN
>>Date: Wed, 7 Mar 2001 18:04:55 -0700
>>
>>Labsetup Visual Description:-
>>[Host1]-{Lan1}-[Netscreen1]-{VPN_Over_X-Over_Cable}-[Netscreen2]-{Lan2}-[Host2]
>>
>>Labsetup Verbal Description:-
>>2 Netscreen boxes with their untrusted interfaces connected with a
>>cross-over cable.
>>Hosts each are connected to the trusted interface of each Netscreen box.
>>Manual Key VPN configured between LAN1 and LAN2
>>
>>What works:-
>>I can ping from Host2 to the untrusted interface of Netscreen1
>>I can ping from Host2 to the trusted interface of Netscreen1
>>I can ping from Host2 to the interface of Host1
>>I can telnet from Host2 to the interface of Host1
>>
>>What doesn't work:-
>>I cannot ping from Host1 to the untrusted interface of Netscreen2
>>I cannot ping from Host1 to the trusted interface of Netscreen2
>>I cannot ping from Host1 to the interface of Host2
>>I cannot telnet from Host1 to the interface of Host2
>>
>>Additional:-
>>I haven't noticed anything that obvious in the Netscreen routing tables. If
>>there were a routing problem, I doubt the icmp replies would find their way
>>back to Host2 on pinging Host1. Is there some policy issue that I'm missing?
>>I can't understand why only 1/2 of the tunnel works. That just doesn't make
>>any sense. TIA
>>
>>
>>_________________________________________________________________
>>Get your FREE download of MSN Explorer at http://explorer.msn.com
>>
>>VPN is sponsored by SecurityFocus.COM
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: NS1ConfCompSanitized.txt
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20010309/d406ab13/attachment.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: NS2ConfCompSanitized.txt
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20010309/d406ab13/attachment-0001.txt
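The asymmetry this thread ends up explaining, as an added example that is not part of the original posts: a small Python model of a stateful personal firewall on Host2 (a hypothetical stand-in for ZoneAlarm; the addresses, port numbers and mode names are constructed) reproduces the observation matrix from the first message, shows why routing and the tunnel look healthy from Host2's side, and shows what changes when inbound ping is permitted versus when the firewall is turned off entirely.

```python
from dataclasses import dataclass
HOST1, HOST2 = "10.1.1.10", "10.2.2.10"   # constructed lab addresses for Host1/Host2

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "icmp" or "tcp"
    sport: int = 0       # ports are unused for icmp
    dport: int = 0
    reply: bool = False  # echo-reply or SYN-ACK heading back to the initiator

class StatefulHostFirewall:
    """Hypothetical stand-in for ZoneAlarm on Host2: what the host initiates, and
    the replies it solicits, pass; unsolicited inbound traffic is dropped."""
    def __init__(self, host_ip, allow_inbound_ping=False):
        self.ip, self.allow_inbound_ping, self.flows = host_ip, allow_inbound_ping, set()
    def _key(self, pkt, outbound):  # flow tuple as seen from the protected host
        remote = pkt.dst if outbound else pkt.src
        lport, rport = (pkt.sport, pkt.dport) if outbound else (pkt.dport, pkt.sport)
        return (pkt.proto, remote, lport, rport)

    def filter(self, pkt):
        if pkt.src == self.ip:                     # outbound: allow and remember the flow
            self.flows.add(self._key(pkt, outbound=True))
            return True
        if pkt.proto == "icmp" and not pkt.reply:  # unsolicited echo request from outside
            return self.allow_inbound_ping
        return self._key(pkt, outbound=False) in self.flows

def _deliver(pkt, firewalls):
    """The tunnel forwards everything both ways; only a host firewall can drop."""
    return all(firewalls[ip].filter(pkt) for ip in (pkt.src, pkt.dst) if ip in firewalls)

def ping(src, dst, firewalls):
    """Echo request one way, echo reply back; True only if both arrive."""
    return (_deliver(Packet(src, dst, "icmp"), firewalls)
            and _deliver(Packet(dst, src, "icmp", reply=True), firewalls))

def telnet(src, dst, firewalls, sport=40000):
    """TCP three-way handshake to port 23; every segment must pass."""
    syn = Packet(src, dst, "tcp", sport, 23)
    synack = Packet(dst, src, "tcp", 23, sport, reply=True)
    return all(_deliver(p, firewalls) for p in (syn, synack, syn))  # final ACK reuses the SYN tuple

def lab(mode="blocking"):
    """Observation matrix for the thread's lab; mode is blocking, allow_ping or off."""
    fws = {} if mode == "off" else {HOST2: StatefulHostFirewall(HOST2, mode == "allow_ping")}
    return {"host2_ping_host1": ping(HOST2, HOST1, fws), "host2_telnet_host1": telnet(HOST2, HOST1, fws),
            "host1_ping_host2": ping(HOST1, HOST2, fws), "host1_telnet_host2": telnet(HOST1, HOST2, fws)}
```

Note that allowing inbound ping only clears the ICMP half of the matrix; the telnet direction from Host1 still fails until the host firewall is off or has a matching inbound rule, which is consistent with the author having to both reconfigure and disable it.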