Can't change policy action to TUNNEL



  • On a netscreen 5XP with SW 5.0.0r10

    I am trying to set the action of the policies to/from my remote network to TUNNEL, but every time I get this error message:

    peer fireman-gw (my remote gateway) have vpn with tunnel interface binding
    vpn invalid or not exist

    Any ideas?

    Config:
    set clock ntp
    set clock timezone -5
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set service "msrdp" protocol tcp src-port 3389-3389 dst-port 3389-3389
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set admin name "admin"
    set admin password ""
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    set interface "tunnel.1" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 192.168.1.1/24
    set interface trust nat
    set interface untrust ip 71.247.245.88/32
    set interface untrust route
    set interface tunnel.1 ip unnumbered interface untrust
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface untrust manage ping
    set interface untrust manage ssh
    set interface untrust manage snmp
    set interface untrust manage ssl
    set interface untrust manage web
    set interface trust dhcp server service
    set interface trust dhcp server enable
    set interface trust dhcp server option gateway 192.168.1.1
    set interface trust dhcp server option netmask 255.255.255.0
    set interface trust dhcp server option dns1 68.237.161.12
    set interface trust dhcp server option dns2 71.242.0.12
    set interface trust dhcp server ip 192.168.1.100 to 192.168.1.150
    set flow tcp-mss 1392
    set flow all-tcp-mss 1304
    set hostname ns5xp
    set dns host dns1 68.237.161.12
    set dns host dns2 71.242.0.12
    set address "Trust" "192.168.1.0/25" 192.168.1.0 255.255.255.128
    set address "Trust" "office pc" 192.168.1.160 255.255.255.255
    set address "Untrust" "10.0.0.0/24" 10.0.0.0 255.255.255.0
    set ike p2-proposal "me" group5 esp 3des md5 second 3600
    set ike gateway "fireman-gw" address 151.205.126.114 Main outgoing-interface "untrust" preshare "qwqupjJdNAtfuts3ocCdO0CxCsnpwcGbQg==" proposal "pre-g2-3des-md5" "rsa-g2-3des-md5" "dsa-g2-3des-md5"
    set ike respond-bad-spi 1
    set vpn "fireman-vpn" gateway "fireman-gw" replay tunnel idletime 0 proposal "g2-esp-3des-md5" "g2-esp-3des-sha"
    set vpn "fireman-vpn" monitor
    set vpn "fireman-vpn" id 3 bind interface tunnel.1
    set vpn-group id 1
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set policy id 3 from "Untrust" to "Trust" "10.0.0.0/24" "Any" "ANY" permit
    set policy id 2 from "Trust" to "Untrust" "Any" "10.0.0.0/24" "ANY" permit
    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
    set pppoe name "untrust"
    set pppoe name "untrust" username "bizq6424" password ""
    set pppoe name "untrust" interface untrust
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    set ntp server "ntp0.cornell.edu"
    set ntp server backup1 "sundial.columbia.edu"
    set ntp server backup2 "0.0.0.0"
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 10.0.0.0/24 vrouter "untrust-vr"
    exit


  • administrators

    You have the VPN bound to a tunnel interface, which means you have set up a route-based VPN. By trying to change the policy action to tunnel, you are telling the device that this is a policy-based VPN, which is why it rejects the change. You either need to remove the binding to the tunnel interface (making it policy-based), or leave the binding in place and just create a normal permit policy — in that case the route for the remote network pointing at tunnel.1 is what sends the traffic into the VPN.


 
