How do I direct ALL traffic from an NSR client through the tunnel



  • Is there a way to direct all traffic from an NS-Remote client through a VPN tunnel to an NS25?

    The traffic from the client should always pass through the tunnel.

    It should not be possible for the client to access internet without going through the tunnel.

    /Leif



  • As I said… I wouldn’t bet my horse on getting it to work… As you stated yourself, it doesn’t support proxy-ARP. Why not just use a separate subnet? Easy enough?

    Yes, setting up a static IP on the VA should be no problem at all.

    Good luck with your project!

    /oldO



  • It was too late in the evening.

    Of course you are absolutely right, basic network knowledge.  :oops:

    I also searched the KB and Netscreen doesn't support proxy-ARP.

    I was just so excited that I thought that I had found a solution. I forgot that NS 25 has all the information (when pinging from the NS25).

    Thanks for pointing this out to me.

    So the solution to this will be to place the clients on another subnet.
    But at least I can specify which IP-address each client (VA) shall have.

    Leif

    PS.
    Just to be absolutely sure that it doesn't work I'll try to get someone to attach a computer to my “test NS25” (which is approx. 600 km from my NSR client) and try pinging me (NSR client).



  • Well, yes, when trying ping (source ping) on your firewall it works because your firewall has all the routing information. It knows:

    interface ethernet4 - Trust(trust-vr) 10.1.2.5/16

    and:

    route 10.1.2.96/28 gateway 0.0.0.0 interface: tunnel.1 (ip 10.1.2.101 on your VA)

    But… if, let's say, a host on eth4 with the following IP: 10.1.2.30/16 needs to communicate with your NSR client 10.1.2.101. Because both IPs are in the same subnet your 10.1.2.30 host will broadcast for the MAC address of 10.1.2.101. Now do you see what I’m getting at?

    That is why I doubt it works… but you might be right and the SSG/Netscreen really does reply to the broadcast…



  • I'm not sure I understand what you mean with your question. Maybe it's too late for my brain to grasp.  😉

    Anyway, I've tested this:

    Ping from NSR-client to trust-LAN
    Ping from trust-LAN to NSR-client, done from within the NS25 with source interface ethernet4 (trust zone).

    Surfing from NSR-client through the tunnel.

    All this is OK!

    And if ping is OK then all IP traffic should be OK, or?

    The part (subnet) is actually not a subnet, it's just a range of IP addresses.
    That should make the NSR-client “equal” to a client on the trust-LAN, or?

    Each NSR remote has an IP address with the subnet mask 255.255.255.255.

    Gobble, gobble, does this make sense? 😉
    As you've seen earlier in this post I certainly can get things the wrong way.



  • I’m a bit curious about one thing, since you have a part (subnet) of your trust network on your tunnel interface.

    Does the Netscreen really proxy-ARP the host on your tunnel interface? Why I ask is because you might want to communicate with other hosts on the actual trust interface, and since those hosts will have a 16-bit mask they will broadcast for an IP you have routed to your tunnel interface (NS-Remote client)…

    I doubt it does, but I might be wrong, wouldn’t be the first time 😉

    /oldO
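An added example (not from the thread or from Juniper) that works through the objection raised in this post and in the source-ping explanation above it: it checks, from a LAN host's point of view, whether a remote client's VA address is treated as on-link (the host ARPs for it, so the firewall would have to proxy-ARP) or is sent to the gateway, which routes it into tunnel.1. Addresses are the ones quoted in the thread plus a constructed separate subnet.

```python
# Address-plan checker for a route-based dial-up VPN (added example).
# A LAN host applies its own mask: destinations inside its connected network
# are resolved with ARP, everything else goes to the default gateway (the NS25).
import ipaddress


def check_plan(lan_host_cidr: str, tunnel_route: str, client_ip: str) -> dict:
    """Describe how a LAN host (address/mask) would reach a VA address.

    `tunnel_route` is the prefix the firewall routes to the tunnel interface.
    """
    host_iface = ipaddress.ip_interface(lan_host_cidr)
    route = ipaddress.ip_network(tunnel_route, strict=False)
    client = ipaddress.ip_address(client_ip)

    on_link = client in host_iface.network        # host would ARP for it
    routed_to_tunnel = client in route            # firewall has a tunnel route

    if not routed_to_tunnel:
        verdict = "firewall has no tunnel route covering the client address"
    elif on_link:
        verdict = ("LAN host ARPs for the client; only works if the firewall "
                   "proxy-ARPs for the tunnel prefix")
    else:
        verdict = ("LAN host forwards to its gateway; the firewall routes into "
                   "the tunnel, no proxy-ARP needed")
    return {"on_link": on_link, "routed_to_tunnel": routed_to_tunnel,
            "verdict": verdict}


def plan_is_clean(lan_host_cidr: str, tunnel_route: str, client_ip: str) -> bool:
    """True when the plan works without relying on proxy-ARP."""
    r = check_plan(lan_host_cidr, tunnel_route, client_ip)
    return r["routed_to_tunnel"] and not r["on_link"]


if __name__ == "__main__":
    # The thread's plan: client carved out of the trust LAN's /16.
    print(check_plan("10.1.2.30/16", "10.1.2.96/28", "10.1.2.101")["verdict"])
    # Separate subnet for dial-up clients (constructed addresses).
    print(check_plan("10.1.2.30/16", "10.2.2.96/28", "10.2.2.101")["verdict"])
```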



  • So I´ve finished the test!  :roll: 🙂 Success!

    The following was configured.

    I followed the KB articles
    http://kb.juniper.net/KB4396
    http://kb.juniper.net/KB4398
    http://kb.juniper.net/KB4397

    No IP pool was configured.
    I specified an IP address for the XAuth user instead of an IP pool.
    I also specified DNS servers.

    Brief configuration (only the interesting parts to “route” the traffic)

    interface tunnel.1 - Trust(trust-vr) unnumbered
    interface ethernet4 - Trust(trust-vr) 10.1.2.5/16
    interface ethernet3 - Untrust(trust-vr) z.z.z.z/m

    user xauth static-IP 10.1.2.101 DNS-server x.x.x.x DNS-server y.y.y.y

    route 10.1.2.96/28 gateway 0.0.0.0 interface: tunnel.1

    policies
    trust -> untrust
    10.1.2.96/28 any any (with NAT-src)

    The only thing to keep in mind is the addressing-scheme as you always have to do.

    In my case all traffic was allowed, but if traffic should be regulated just add the appropriate policies.

    Has anyone a suggestion how to prevent the user from changing the network configuration of the client computer? (I know this isn't a Netscreen issue, although an interesting security issue.)

    Of course I'm assuming that the user doesn't have administrator rights on the computer.



  • Sorry  😞 posted too fast.
    I just tried a “quick fix”  😉 in my config and it didn't work, and then I made some wrong assumptions.

    It was route based as you said.

    I want each client to always have the same IP-address.

    As you mention, there is a note stating:

    The DIP pool must be in a different address space than that of the zone to which the XAuth user directs traffic to avoid routing problems and duplicate address assignments.

    If you try to assign an IP pool there is an error message, so with an IP pool it's not possible.

    When reading about XAuth in the ScreenOS documentation there is a note that if you want the remote client to have the same IP address you can specify it in the user configuration.

    An example:

    corporate LAN 10.1.0.0/16

    “dial up users” 10.1.2.0/29 (specified in user configuration)

    Duplicate addresses - if specified in user configuration that should not be a problem, or?

    What kind of routing problems could occur?
    Assuming that there are policies that direct the traffic to 10.1.2.0/29 to go through the tunnel interface.

    I'm going to test this config, following every step in the KB article except the way IP addresses are assigned to remote clients. I'll post my results of the test when and if I succeed, but if anyone has knowledge about this please don't hesitate to answer.



  • Hi!

    The KB article KB4398 is for route based VPN. In route based VPN you can set the proxy ID, and not have it automatically generated from your policy as in policy based VPN.

    Yes you can use xAuth in both policy and route based VPN and assign IP, WINS, DNS if you want.

    I’m not sure what you mean with the same IP on the VA? Same as what? You mean you want the same range of IPs assigned to the VA as you use in your LAN for corporate PCs? That can’t be done with Netscreens. You’ll need a separate IP range.



  • “Back to the drawing board again!” :-)

    I looked at the KB article.

    @oldo:

    I know that you are doing a route based config, take a look at the following:

    set vpn “p2_dialup” proxy-id local-ip 0.0.0.0/0 remote-ip 255.255.255.255/32 “ANY”

    The line above is obviously only a part of the IKE/VPN configuration. But this would route all traffic through your firewall. Don't forget to allow and NAT traffic from the VPN IP pool when they try to reach the internet.

    regards
    oldO

    EDIT:
    I actually found a KB article on it as well if you want to see the config in Webui: http://kb.juniper.net/KB4398

    But that's for policy based VPN.

    I want to have the same IP address on the VA on the NSR client (10.1.2.101).
    It's possible to use policy based VPN and assign each XAuth user his IP address.

    But then I can't regulate the traffic, because it's a policy based VPN.

    Is there a solution for this with route based VPN?



  • The NSR policy can be locked so that users can’t tamper with it. This in combination with a NSR policy that routes everything through your tunnel would be the first steps.

    When it comes to windows settings, and how to lock it down in the proper manner I leave for someone else to answer.

    P.S. If you have full control over the clients maybe you could look into locking down the clients with the XP firewall or any other firewall you have on the client computers.



  • That's the solution to allow ALL the traffic in the tunnel.

    Is it possible, and how, to prevent the user from accessing the Internet in any other way than through the tunnel?

    The user shouldn't even have an option or possibility to reconfigure to get direct access to the Internet.

    Assume for instance that the user doesn't have administrator rights on the client computer.

    What I want is to “lock” the configuration on the client computer.

    /Leif



  • I know that you are doing a route based config, take a look at the following:

    set vpn “p2_dialup” proxy-id local-ip 0.0.0.0/0 remote-ip 255.255.255.255/32 “ANY”

    The line above is obviously only a part of the IKE/VPN configuration. But this would route all traffic through your firewall. Don't forget to allow and NAT traffic from the VPN IP pool when they try to reach the internet.

    regards
    oldO

    EDIT:
    I actually found a KB article on it as well if you want to see the config in Webui: http://kb.juniper.net/KB4398

