Gateway problem with an L2TP VPN on a Juniper SSG550



  • Hi,

    I use a Juniper SSG550 (ScreenOS) to terminate an L2TP VPN.

    I have four Ethernet ports:
    eth0/0 is the Trust zone, 10.2.0.0/16
    eth0/1 is the DMZ zone, 192.168.0.0/16
    eth0/2 is the Untrust zone, public address 59.x.x.x (connected to the internet)
    eth0/3 is also the Trust zone, 10.3.0.0/16

    Now I need the VPN clients to land on the eth0/3 network, and they should be given 10.3.x.x addresses (the "vpn103" pool, 10.3.255.1–10.3.255.254, lies inside that /16).

    Below is my config. (Note: the paste includes the admin account's password hash, the L2TP user's password string and the public interface's management settings; anyone who has posted or copied this should treat those credentials as exposed and rotate them. The web rendering also turned the CLI's straight quotes into curly quotes, which ScreenOS will not accept if pasted back.)

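    unset key protection enable
    set clock dst-off
    set clock ntp
    set clock timezone 0
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "nHFuMyrOIdyCcenFrscNeOFtiNCsxn"
    set admin http redirect
    set admin auth web timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Untrust"
    set interface "ethernet0/3" zone "Trust"
    set interface ethernet0/0 ip 10.2.1.254/16
    set interface ethernet0/0 nat
    unset interface vlan1 ip
    set interface ethernet0/1 ip 192.168.1.254/16
    set interface ethernet0/1 nat
    set interface ethernet0/2 ip 58.210../29
    set interface ethernet0/2 route
    set interface ethernet0/3 ip 10.3.1.254/16
    set interface ethernet0/3 nat
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface ethernet0/2 ip manageable
    unset interface ethernet0/3 ip manageable
    set interface ethernet0/1 manage ssl
    set interface ethernet0/1 manage web
    set interface ethernet0/2 manage ping
    set interface ethernet0/2 manage ssl
    unset interface ethernet0/3 manage ping
    unset interface ethernet0/3 manage ssh
    unset interface ethernet0/3 manage telnet
    unset interface ethernet0/3 manage snmp
    unset interface ethernet0/3 manage ssl
    unset interface ethernet0/3 manage web
    set interface vlan1 manage mtrace
    set interface ethernet0/0 dhcp server service
    set interface ethernet0/0 dhcp server enable
    set interface ethernet0/0 dhcp server option lease 1440
    set interface ethernet0/0 dhcp server option gateway 10.2.1.254
    set interface ethernet0/0 dhcp server option netmask 255.255.0.0
    set interface ethernet0/0 dhcp server option dns1 61.177.7.1
    set interface ethernet0/0 dhcp server ip 10.2.1.1 to 10.2.1.100
    set interface ethernet0/0 dhcp server config next-server-ip ip 0.0.0.0
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 61.177.7.1 src-interface ethernet0/2
    set dns host dns2 0.0.0.0
    set dns host dns3 0.0.0.0
    set address "Trust" "10.3.1.254/16" 10.3.1.254 255.255.0.0
    set address "DMZ" "192.168.1.254/16" 192.168.1.254 255.255.0.0
    set ippool "vpn103" 10.3.255.1 10.3.255.254
    set user "test" uid 4
    set user "test" type l2tp
    set user "test" remote ippool "vpn103"
    set user "test" remote dns1 "61.177.7.1"
    set user "test" password "yqi49GGTNNuwmRs2psCmS46pQFn5L9jdwg=="
    unset user "test" type auth
    set user "test" "enable"
    set crypto-policy
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set l2tp default dns1 61.177.7.1
    set l2tp default ippool "vpn103"
    set l2tp "tun103" id 3 outgoing-interface ethernet0/2 keepalive 60
    set l2tp "tun103" remote-setting ippool "vpn103" dns1 61.177.7.1
    set l2tp "tun103" auth server "adldap"
    set l2tp "testtule" id 4 outgoing-interface ethernet0/2 keepalive 60
    set url protocol websense
    exit
    set anti-spam profile ns-profile
    set sbl default-server enable
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 2 name "trust-go-dmz" from "Trust" to "DMZ"  "Any" "Any" "ANY" permit
    set policy id 2
    exit
    set policy id 3 name "dmz-to-unturst-temp" from "DMZ" to "Untrust"  "Any" "Any" "ANY" nat src permit
    set policy id 3
    exit
    set policy id 6 name "102to103" from "Trust" to "Trust"  "Any" "Any" "ANY" permit
    set policy id 6
    exit
    set policy id 7 name "vpn" from "Untrust" to "Trust"  "Dial-Up VPN" "10.3.1.254/16" "ANY" nat src tunnel l2tp "testtule"
    set policy id 7
    exit
    set syslog src-interface ethernet0/0
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet0/2 gateway 58.210..
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit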

    Everything seems OK: after the client connects through the VPN it receives an address and DNS correctly, but its gateway shows as 0.0.0.0, so the client cannot reach the other zones even though the policy permits the connection.

    A few things visible in the config are worth checking before assuming the gateway is the cause. The only policy carrying the tunnel is id 7, and it references the tunnel "testtule" (id 4), which has no remote-setting or auth server of its own, while "tun103" (id 3, where the ippool, DNS and the "adldap" auth server were configured) is not referenced by any policy. Policy 7 also only permits traffic from "Dial-Up VPN" to the "10.3.1.254/16" address in Trust, so reaching 10.2.0.0/16 or the DMZ would need additional policies with the same tunnel; its "nat src" means internal hosts see the firewall's interface address instead of the client's pool address, which hides the client identity in logs. Note also that policy 7 uses "tunnel l2tp" without an IPSec "tunnel vpn", so as written the L2TP session and the PPP authentication appear to cross the internet without IPSec protection, and the Untrust interface (ethernet0/2) is "ip manageable" with "manage ssl" and "manage ping" enabled, which exposes device management to the internet unless admin manager-ip restrictions exist elsewhere in the config.

    How to fix it?

    Thank you very much!


 
