Dial-Up VPN inside the same SSG5 / between internal zones possible?



  • (I thought I posted it here, but it looks like I posted this problem somewhere else and I can’t remember, where 😐  (Probably that wasn’t a network forum at all…) So I’ll post it (again), I can’t find my previous post.)

    One of our clients changed their wifi to work only as public wifi, it was internal wifi before. So this is now for both guests and employees, before it was only for employees.
    They have a Dial-Up VPN with Radius (Win LDAP) authentication configured on the e0/0 interface (SSG5, 6.3.0r4.0, I configured it) and that works fine. After the change of wifi policy (internal->public) they wanted those employees who use wifi to get to internal network via the same Dial-Up VPN - very convenient.

    I tried to do that, no success. I tried to solve it in three different ways.
    1. I wanted to use the same Dial-Up VPN which is used for connecting from outside the office. I even set up DIP so PublicWifi clients go out to internet with a different IP-address. I made debug flow basic but I can’t understand the output, no clear sign of why it doesn’t work. Well, from the client side, the window just doesn’t appear where the credentials should be entered. And phase 1 won’t be created by the the logs of firewall.
    2. I created another Dial-Up VPN with local authentication (for testing) with outgoing interface being b0.4 - the same which is for public wifi internal network. I used this one because for the usual Dial-Up VPN the outgoing interface is e0/0 and the clients connect to this interface. In the same way I thought that if I make a Dial-Up VPN with public wifi interface - the one where clients want to connect to - then connecting to the address of b0.4 it should work. And I made the appropriate policy too. Doesn’t work. (Of course I made anothe rentry in Netscreen Remote for that - the IP-address to connect to is different in there.)
    3. I removed the DIP which was used for public wifi users and we took another cheaper device, used that same public IP-address (splitting the outer network with a small dumb switch for two devices), configured it, set up wifi access points behind that and - it works! So, they can connect via Dial-Up VPN when there is another device involved, but not when this is done in the same device. Since that cheap router needs to be replaced, I have to find the solution within SSG5. But how on earth?

    Well, I tried all that in another SSG5. I set up a special zone into untrust-vr, a virtual computer into that network and a routing 0.0.0.0/0 so that points to the same e0/0 and ISP gw - still no change. I added the output of debug ike det to this post, can somebody understand, why that doesn’t work? Or is it all principally impossible? I think I’ve done that once successfully with Win PPTP/RRAS thing, but not yet with IPSEC.
    Debug_ike_det_20110414.txt



  • I got the thing working. The successful version was nr. 2 in my first post. My mistake was that I made the VPN to the wrong address: I should do that for the same b0.4, not against the address of another zone. But after that it was pretty amusing to find a way not to make a second profile in Netscreen remote and Shrew client but use just one. A bit ugly though: via DNS.



  • Some additional information about that.
    I tried to do “debug flow basic” and got this kind of messages:

    wait for arp rsp for 1.2.3.4
    **** pak processing end.

    I read that this problem may happen when there is no default route with an IP-address set up, but that isn’t my case.
    I used both DIP and MIP to get this 1.2.3.4 working. If I would use only the SNAT from egress interface in the default outgoing rule for that zone where my inteface lies, then I don’t know what should I enter for filtering traffic for debug flow basic. At the moment I used
    id:0 src ip 1.2.3.4 dst ip 1.2.3.2
    (real IP-s replaced)


 

34
Online

38.4k
Users

12.7k
Topics

44.5k
Posts