Re: VPN to NETSCREEN
- From: "HS" <hs@xxxxxxxxxx>
- Date: Wed, 19 Apr 2006 08:17:46 +0100
Hi,
Thank you for your post.
What I did find is that I did not set up my network rule for the VPN, so it was
defaulting to NAT.
However, I have now changed the setting to be 'Route' and will update the
group.
Cheers
HS
<r.homburg@xxxxxxxxxxxx> wrote in message
news:1144971307.368592.57750@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
HS wrote:
Hi,
I need to set up a VPN connection from my ISA 2004 server to a remote
network. The remote firewall, I have been told, is Netscreen V5.
I have entered the required encryption and preshared keys as follows:
Local Tunnel Endpoint: 62.49.130.62
Remote Tunnel Endpoint: xxx.33.xxx.133
To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.
IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (xxxxx)
Security Association lifetime: 28800 seconds
IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time rekeying: ON
Security Association lifetime: 3600 seconds
Kbyte rekeying: OFF
Remote Network @@ IP Subnets:
Subnet: 128.0.xxx.x56/255.255.255.255
Local Network 'Internal' IP Subnets:
Subnet: 10.3.204.0/255.255.255.0
Subnet: 10.10.8.0/255.255.252.0
Subnet: 10.62.8.0/255.255.255.0
Subnet: 10.232.0.0/255.255.240.0
Subnet: 128.100.0.0/255.255.0.0
Subnet: 130.24.0.0/255.255.0.0
Subnet: 145.55.34.0/255.255.254.0
Subnet: 145.55.40.0/255.255.254.0
Subnet: 172.16.0.0/255.255.0.0
Subnet: 172.21.0.0/255.255.0.0
Subnet: 192.159.100.208/255.255.255.254
Subnet: 192.159.100.192/255.255.255.240
Subnet: 192.159.100.128/255.255.255.192
Subnet: 192.159.100.0/255.255.255.128
Subnet: 192.159.100.221/255.255.255.255
Subnet: 192.159.100.254/255.255.255.255
Subnet: 192.159.100.222/255.255.255.254
Subnet: 192.159.100.252/255.255.255.254
Subnet: 192.159.100.248/255.255.255.252
Subnet: 192.159.100.240/255.255.255.248
Subnet: 192.159.100.224/255.255.255.240
Subnet: 192.168.3.0/255.255.255.0
Subnet: 192.168.10.0/255.255.255.0
Subnet: 193.176.59.0/255.255.255.0
Subnet: 194.10.123.0/255.255.255.0
Subnet: 197.197.1.0/255.255.255.0
However, it does not connect and the remote end receives an 'invalid id'.
When speaking to the remote VPN engineer, he is saying that instead of the
VPN connection coming from my PC 192.159.100.xxx it is coming from my
server on the 62.49.xxx.xxx address.
Any ideas?
Many thanks
Hi HS,
I set up an IPsec VPN from ISA 2004 to remote NS5GT and NS25. I run
into a similar problem. When I try to connect from the ISA console to
the remote NS5GT, the ISA uses its external NIC IP as proxy ID for the
tunnel negotiation. So it tells the remote Netscreen that it wants to
transfer data from its external-isa-ip to remote-lan-ip, and that is
absolute nonsense. But ISA acts differently when I try to connect from
a PC behind the local NIC. Then ISA uses the lan-ip as proxy-id and the
tunnel works. Unfortunately I have no solution at this time.
Your problem seems to be more complicated, because you have multiple
networks behind the ISA. I would try to disable the proxy-id checking
on the remote Netscreen, if this is possible in the current NS setup.
Otherwise the NS engineer has to define multiple phase 2 tunnels, one
for each subnet.
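
The proxy-ID mismatch discussed in this thread, as an added example that is not part of the original posts: it parses subnet lines in the ISA summary format, lists the phase 2 pairs the remote side would need (one per local subnet), and classifies a proposal the way a responder with exact-match proxy-ID checking would. The exact-match model, the function names and the remote subnet (redacted in the thread, so a documentation-range placeholder is used) are assumptions.

```python
import ipaddress

# Excerpt of the local subnets from the ISA summary quoted in the thread.
ISA_LOCAL = """\
Subnet: 10.3.204.0/255.255.255.0
Subnet: 10.10.8.0/255.255.252.0
Subnet: 192.159.100.0/255.255.255.128
Subnet: 192.159.100.221/255.255.255.255
"""
LOCAL_ENDPOINT = ipaddress.ip_network("62.49.130.62/32")  # local tunnel endpoint from the post
# Placeholder (assumption): the real remote subnet is redacted in the thread.
REMOTE_NET = ipaddress.ip_network("198.51.100.56/32")


def parse_subnets(text):
    """Parse 'Subnet: addr/mask' lines; strict mode rejects entries with host bits set."""
    nets = []
    for line in text.splitlines():
        label, _, value = line.partition(":")
        if label.strip() == "Subnet":
            nets.append(ipaddress.ip_network(value.strip(), strict=True))
    return nets


def required_proxy_ids(local_nets, remote_net):
    """One (local, remote) phase 2 pair per local subnet, as the reply suggests."""
    return [(net, remote_net) for net in local_nets]


def check_proposal(local, remote, configured, endpoint=LOCAL_ENDPOINT):
    """Model a responder that accepts phase 2 only on an exact proxy-ID match."""
    if (local, remote) in configured:
        return "match"
    if local == endpoint:
        return "invalid id: initiator proposed its tunnel endpoint as local proxy ID"
    if any(r == remote and local.subnet_of(l) for l, r in configured):
        return "invalid id: proposal is narrower than a configured pair"
    return "invalid id: no configured pair covers this proposal"


if __name__ == "__main__":
    pairs = required_proxy_ids(parse_subnets(ISA_LOCAL), REMOTE_NET)
    for local, remote in pairs:
        print(f"phase 2 pair needed: {local} <-> {remote}")
    # The case described in the thread: the gateway's external IP as local proxy ID.
    print(check_proposal(LOCAL_ENDPOINT, REMOTE_NET, pairs))
    # A single host inside a configured /25, proposed as a /32.
    print(check_proposal(ipaddress.ip_network("192.159.100.10/32"), REMOTE_NET, pairs))
```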