Bi-directional L2TP: is it possible?
I have a lab installation which looks like
PC1 - router1 - netscreen - PC2
I initiate the L2TP tunnel from PC1 to the netscreen, it gets an IP address, and everything works fine. I can ping PC2 and ssh to it through the tunnel.
But PC2 won't ping PC1 when the tunnel is up, even after adding a bidirectional policy:
NS-> get pol
Total regular policies 2, Default deny.
ID From To Src-address Dst-address Service Action State ASTLCB
3 Untrust Trust Any Dial-Up VPN ANY Tunnel enabled ---X-X
1 Trust Untrust Dial-Up VPN Any ANY Tunnel enabled ---X-X
Do you think it is possible to make an L2TP tunnel bidirectional in this sense? From the docs and KB it is not even clear that an L2TP tunnel can be bidirectional, so even just a yes or no answer will make me happy.
Most webcams use H.323. If you turn on the ALG stuff in your netscreen, it should work just fine while still allowing your users to sit behind the firewall. In fact, there is a fairly good selection of protocols that the ALG stuff supports now, and chances are your applications will be in there, unless it’s some weird home-grown app.
As for bidirectional L2TP, I cannot see a reason this wouldn’t work. However, I don’t have it set up to test on right now. Doesn’t anyone on this board have an L2TP VPN set up that they can test on??
Some applications require this - like webcams and some more. In fact, it’s not my network, I’m just a guy trying to make it work. I know that a simple dial-up IPsec VPN can be bidirectional, so why not with L2TP?
Why do you need to allow incoming connections for your users? IMO, this is a security risk, as when they are connected via L2TP they are no longer protected by the firewall. So you’ve got a bunch of machines (presumably Windows) which sit out on the net unprotected, and then reside on your internal network. This is trouble just waiting to happen; you might as well just remove the firewall.
Is there a particular protocol or application that you are having trouble with?
DIP could be OK, but as I understand it, it’s impossible to allow incoming sessions to a DIP, i.e.
when a LAN PC goes to the inet and gets an IP from the pool (say, PAT is disabled), can I allow incoming connections? I think not, am I right?
As for MIPs, it seems rather painful to configure them all, and to change the config every time we want to connect a new user or delete an old one. We have users in different subnets, so tricks like address shifting will not help.
As for L2TP, is what I described at least possible, or can sessions never be initiated to an address in the IP pool? Do you think it’s a silly idea to use L2TP in this way? (btw, we want it working for ~200 users and use an NS-204)
If you want the machines to have a public IP when they go to the net, why not use a DIP pool or a MIP instead of forcing the users to VPN to the NetScreen?
No, that’s okay: PC1 is in Trust zone, PC2 is in Untrust. The idea is to provide some users with real IP addresses when they go to the internet.
So in my small network PC1 represents a LAN host, PC2 is an inet server. But I would like to allow incoming connections to PC1 from PC2.
Any more ideas?
Isn’t the “Dialup VPN” object the IP pool for your VPN users? In this case, your Untrust->Trust policy should have Dialup VPN as the source, and vice versa for the Trust->Untrust policy.
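To make the suggestion above checkable rather than eyeballed, here is a small added script (my own example, not code from the thread or from Juniper) that parses the `get pol` listing the original poster pasted and flags any policy whose "Dial-Up VPN" pool object is on the wrong side for its zone direction. It assumes the column layout shown in the listing (single-space separated, with the flags column repaired to `---X-X`), that the pool object is the only address-book name containing a space, and that the Untrust/Trust zone names match the listing; the sample output below is constructed from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: the original poster's "get pol" output, flags column
# written as plain ASCII. Only the two policy rows are parsed.
SAMPLE_GET_POL = """\
Total regular policies 2, Default deny.
ID From To Src-address Dst-address Service Action State ASTLCB
3 Untrust Trust Any Dial-Up VPN ANY Tunnel enabled ---X-X
1 Trust Untrust Dial-Up VPN Any ANY Tunnel enabled ---X-X
"""

# Assumption: address-book object names that contain a space. ScreenOS prints
# them unquoted, so they must be rejoined before splitting on whitespace.
MULTIWORD_OBJECTS = ["Dial-Up VPN"]


@dataclass
class Policy:
    id: int
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str
    action: str
    state: str
    flags: str


def parse_get_pol(text):
    """Parse policy rows from a 'get pol' listing into Policy objects."""
    policies = []
    for line in text.splitlines():
        # Policy rows start with the numeric policy ID; skip header/summary lines.
        if not re.match(r"^\s*\d+\s", line):
            continue
        # Protect multi-word object names so that split() keeps them together.
        for name in MULTIWORD_OBJECTS:
            line = line.replace(name, name.replace(" ", "\x00"))
        parts = line.split()
        if len(parts) != 9:
            raise ValueError(f"unexpected column count in: {line!r}")
        parts = [p.replace("\x00", " ") for p in parts]
        policies.append(Policy(int(parts[0]), *parts[1:]))
    return policies


def check_dialup_direction(policies, pool_object="Dial-Up VPN",
                           untrust="Untrust", trust="Trust"):
    """Apply the check from the reply: an Untrust->Trust policy should have the
    dial-up pool as its source, a Trust->Untrust policy should have it as its
    destination. Returns (policy id, message) for every policy that does not."""
    findings = []
    for p in policies:
        if p.from_zone == untrust and p.to_zone == trust and p.src != pool_object:
            findings.append((p.id, f"policy {p.id} {untrust}->{trust}: expected "
                                   f"src={pool_object}, found src={p.src} dst={p.dst}"))
        elif p.from_zone == trust and p.to_zone == untrust and p.dst != pool_object:
            findings.append((p.id, f"policy {p.id} {trust}->{untrust}: expected "
                                   f"dst={pool_object}, found src={p.src} dst={p.dst}"))
    return findings


if __name__ == "__main__":
    for pid, msg in check_dialup_direction(parse_get_pol(SAMPLE_GET_POL)):
        print(msg)
```

Run against the poster's listing it reports both policies (IDs 3 and 1) as having the pool object on the wrong side, which is exactly what this reply is pointing at; on a listing where the two policies are mirror images of each other around the pool object it stays silent.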
Sorry, I’m not sure what IPs you are talking about… Because PC1 pings PC2, it seems to me that the IPs and IP routes are okay…
Please tell what you think.
It appears you have your source and destination IPs reversed. Try switching them around.