How can I apply the Dial-Up VPN NSR on a Hub-and-Spoke VPN topology



  • Diagram :

    Dial-Up VPN (Dynamic IP)
         |
    [NSR VPN]
         |
    Netscreen 5GT (Static Internet IP)
         |
    [Site-to-Site VPN]
         |
    Netscreen 25 (Static Internet IP)
         |
    Office LAN (192.168.100.0/24)

    How can I connect from NSR client to remote office LAN?



  • Hi!

    Thanks for getting back with some positive experience from one of my posts. As most of you “techies” I’m used to the sound of silence when things work, and screams/shouting/profanity when it doesn’t…. 😉

    regards,
    oldO



  • oldo….I love You !!!

    Been trying to figure out a way to do IP restrictions for dial-up VPN; your post helped me do exactly as I wanted.

    I had to change from policy-based to route-based and make a new zone, and for different users, assign them different IP pools and use that in the policy to give and take access from different people.

    this forum is great.



  • Hi!

    One nice thing with route-based VPNs is that you are not limited to the network/subnet specified in the proxy ID. What you need is routing that works, and in most cases some sort of policy.

    Now you have one tunnel between your 5GT and the NS25. The 5GT also has VPN configured for Netscreen Remote clients on the 5GT. In my example below I have put all tunnel interfaces in a separate zone (TunnelZone). This gives you the ability to allow and deny specific traffic.

    Dial-UP VPN, Dynamic IP.
      |
      | <– Local Proxy ID for the Dial-UP VPN is set to: 0.0.0.0/0, Remote is set to: 255.255.255.255/32 on the 5GT.
      |
    Netscreen 5GT
    Interface: Untrust, IP: 10.1.1.1/24 - Zone: Untrust
    Interface: Trust, IP: 192.168.50.1/24 - Zone: Trust
    Interface: tunnel.1, IP: unnumbered - Zone: Tunnelzone (This interface is for Dial-UP VPN)
    Interface: tunnel.2, IP: unnumbered - Zone: TunnelZone (This interface is for the 5GT <> NS25 VPN)
    Dial-UP-VPN-IP-pool: 192.168.10.1-253/24
      |
      |<-- Local Proxy ID for the Dial-UP VPN is set to: 192.168.50.0/24, Remote is set to: 192.168.100.0/24 on the 5GT.
      |<-- Local Proxy ID for the Dial-UP VPN is set to: 192.168.100.0/24, Remote is set to: 192.168.50.0/24 on the NS25.
      |
    Netscreen 25
    Interface: Untrust, IP: 10.2.2.2/24 - Zone: Untrust
    Interface: Trust, IP: 192.168.100.1/24 - Zone: Trust
    Interface: tunnel.1, IP: unnumbered - Zone: TunnelZone (This interface is for the 5GT <> NS25 VPN)

    Now… what you need to get this working is as I mentioned earlier: get your routing set up properly. The NS 5GT must know where to route the Dial-UP-VPN-IP-pool subnet, (in this case: tunnel.1). On the 5GT you also need to route traffic bound for the 192.168.100.0/24 subnet, (tunnel.2).

    When it comes to the NS25 it has to route both 192.168.50.0/24 and 192.168.10.0/24 to the interface tunnel.1

    Also remember you’ll need policies since the tunnel interfaces are in separate zones!

    Hope this helps.

    /oldO
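    The routing, zone and policy pieces that oldO describes above, written out as ScreenOS CLI for both boxes. This is an added example, not part of oldO's post or a Juniper reference configuration: the VPN names (vpn-dialup, vpn-5gt-ns25, vpn-ns25-5gt), the address-book entry names and the exact policy set are assumptions, and the IKE gateway, VPN (Phase 1/2) and dial-up IP pool definitions are assumed to already exist as described in the diagram. Lines beginning with `#` are explanatory notes, not ScreenOS commands.

    ```text
    # --- Netscreen 5GT (hub) ---
    # Assumed to exist already: VPNs "vpn-dialup" (Netscreen Remote) and "vpn-5gt-ns25" (site-to-site).
    set zone name TunnelZone
    # Without "block", traffic between tunnel.1 and tunnel.2 (same zone) is permitted by default
    # and the intra-zone policies below would never be evaluated.
    set zone TunnelZone block
    set interface tunnel.1 zone TunnelZone
    set interface tunnel.1 ip unnumbered interface trust
    set interface tunnel.2 zone TunnelZone
    set interface tunnel.2 ip unnumbered interface trust
    set vpn vpn-dialup bind interface tunnel.1
    set vpn vpn-5gt-ns25 bind interface tunnel.2
    # Routing: dial-up pool subnet lives behind tunnel.1, remote office LAN behind tunnel.2
    set route 192.168.10.0/24 interface tunnel.1
    set route 192.168.100.0/24 interface tunnel.2
    # Address-book entries; each one is placed in the zone its route points into
    set address TunnelZone "dialup-pool" 192.168.10.0 255.255.255.0
    set address TunnelZone "ns25-lan" 192.168.100.0 255.255.255.0
    set address Trust "5gt-lan" 192.168.50.0 255.255.255.0
    # Dial-up users -> 5GT LAN
    set policy from TunnelZone to Trust "dialup-pool" "5gt-lan" any permit
    # Dial-up users -> NS25 office LAN (tunnel.1 -> tunnel.2, intra-zone)
    set policy from TunnelZone to TunnelZone "dialup-pool" "ns25-lan" any permit
    # Site-to-site between the two LANs; the reverse policy is only needed for
    # connections initiated from the NS25 side (replies are handled by the session table)
    set policy from Trust to TunnelZone "5gt-lan" "ns25-lan" any permit
    set policy from TunnelZone to Trust "ns25-lan" "5gt-lan" any permit

    # --- Netscreen 25 (spoke) ---
    # Assumed to exist already: VPN "vpn-ns25-5gt" (site-to-site to the 5GT).
    set zone name TunnelZone
    set interface tunnel.1 zone TunnelZone
    set interface tunnel.1 ip unnumbered interface trust
    set vpn vpn-ns25-5gt bind interface tunnel.1
    # Both the 5GT LAN and the dial-up pool are reached through tunnel.1;
    # without the second route, replies to dial-up users would follow the default route instead
    set route 192.168.50.0/24 interface tunnel.1
    set route 192.168.10.0/24 interface tunnel.1
    set address TunnelZone "5gt-lan" 192.168.50.0 255.255.255.0
    set address TunnelZone "dialup-pool" 192.168.10.0 255.255.255.0
    set address Trust "office-lan" 192.168.100.0 255.255.255.0
    set policy from TunnelZone to Trust "5gt-lan" "office-lan" any permit
    set policy from TunnelZone to Trust "dialup-pool" "office-lan" any permit
    set policy from Trust to TunnelZone "office-lan" "5gt-lan" any permit
    ```

    The `any` service in the dial-up policies is the place to narrow down once it works: restricting "dialup-pool" to the services the remote users actually need (and, as the earlier reply notes, giving different user groups different pools) keeps a compromised laptop from reaching the whole office LAN. Check the result with `get route` and `get policy` on each box, and `get sa` to confirm the tunnels are up before blaming the policies.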



  • Hi oldo,

    Thx for your reference link.  But I don’t understand how to apply it to my situation, where one side is a Dial-Up VPN client.  Would you please explain in more detail?

    Regards,
    wkwong



    The best way to go about this is using route-based VPN. There have been several posts on this forum on this subject; I’d advise you to sift through the posts here. If you want more details and example configurations, read the Concepts and Examples for your version of ScreenOS.

    http://www.juniper.net/techpubs/software/screenos/

    /oldO

