I have a problem with routing when I connect by L2TP VPN to a NetScreen



  • I have an L2TP VPN "TestL2TP".

    As user ANOVIKOV I get L2TP (I receive IP address 192.168.20.5) and I can ping 192.168.20.1, but I can't see (I can't ping) another workstation in this LAN.
    What's wrong? Help please!!!

    Config here:

    set user "ALebedev" "enable"
    set user "ANovikov" uid 1
    set user "ANovikov" type l2tp
    set user "ANovikov" remote ippool "TestPool"
    set user "ANovikov" remote ipaddr "192.168.20.5"
    set user "ANovikov" remote dns1 "X.X.1.1"
    set user "ANovikov" remote dns2 "X.X.2.3"
    set user "ANovikov" password "xxxxxxxx"
    unset user "ANovikov" type auth
    set user "ANovikov" "enable"
    set ike respond-bad-spi 1
    set l2tp default dns1 X.X.1.1
    set l2tp default dns2 X.X.2.3
    set l2tp default ippool "TestPool"
    set l2tp "TestL2TP" id 1 outgoing-interface ethernet3 keepalive 60
    set l2tp "TestL2TP" remote-setting ippool "TestPool"
    set l2tp "TestL2TP" auth server "Local" user "ANovikov"
    set l2tp "L2TP-for-Internal" id 2 outgoing-interface ethernet3 keepalive 60
    set l2tp "L2TP-for-Internal" remote-setting ippool "Poolinternal" dns1 10.33.30.248
    set l2tp "L2TP-for-Internal" auth server "Local" user "ALebedev"
    set policy id 11 from "DMZ" to "Untrust" "Any" "192.168.20.5/32" "ANY" permit log count
    set policy id 10 from "V1-Untrust" to "V1-DMZ" "Any" "Any" "ANY" permit log count
    set policy id 9 from "DMZ" to "Untrust" "Any" "192.168.20.6/24" "ANY" permit log count
    set policy id 8 from "DMZ" to "Untrust" "192.168.20.4/32" "Any" "ANY" permit log count
    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
    set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
    set policy id 3 from "Untrust" to "DMZ" "Any" "Any" "ANY" tunnel l2tp "TestL2TP" log
    set policy id 4 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
    set policy id 5 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log
    set policy id 7 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log
    set policy id 12 from "DMZ" to "Untrust" "Any" "Any" "ANY" tunnel l2tp "TestL2TP" log
    set policy id 16 from "Untrust" to "DMZ" "Any" "MIP(X.X.X.2)" "ANY" permit
    set dns host dns1 X.X.1.1
    set dns host dns2 X.X.2.3
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set ssh version v2
    set config lock timeout 5
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route X.X.X.2/29 interface ethernet1 gateway X.X.X.3
    set route 0.0.0.0/0 interface ethernet2 gateway X.X.X.1
    set route 0.0.0.0/0 interface ethernet1 gateway 192.168.20.1
    set route 10.33.31.0/24 interface ethernet1 gateway 10.33.30.250
    set route 10.33.32.0/24 interface ethernet1 gateway 10.33.30.250
    set route 192.168.2.0/24 interface ethernet1 gateway 10.33.30.250
    set route 192.168.6.0/24 interface ethernet1 gateway 10.33.30.250
    set route 192.168.10.0/24 interface ethernet1 gateway 10.33.30.250
    set route 192.168.20.0/24 interface tunnel.1
    exit




  • Yes, thank you, I have got the tunnel, and I made another subnet for the VPN and I can ping my host 192.168.20.3, but this host is a web server on MS SharePoint, and when I type http://192.168.20.3 in Explorer, after 50 sec Explorer shows me an error with a page search.
      I think that is because of a problem with DNS, but I don't know a solution to this problem.



  • Screenie

    I haven’t tried that before. But I think there will still be a problem with ARP resolution. Sure you can define a static route, but the hosts and the assigned IP are on the same subnet. Thus no static route would come into play. In a nutshell, the NetScreen would need to be able to resolve ARP for 192.168.20.5. So far as I know the NetScreen cannot do this for an address pool assignment. I know that the NetScreen can respond to ARP requests for VIPs and MIPs and such. But not for address pool.


  • Global Moderator

    Just a small question on this topic, Max: if you configure ignore subnet conflict for the VR involved, I would think you could define a subnet within the range on an interface for dial-up users and set a static route to it? Would that work, do you think?



  • Unfortunately the NetScreen cannot proxy ARP for dialup clients. Therefore you must have your dialup clients on a different subnet than your NetScreen. For instance, if your NetScreen has IP 192.168.20.1 then try assigning IP 192.168.21.5 for your client. This is assuming that your PCs on the 192.168.20.x network have their default gateway pointing to 192.168.20.1. The only other option is to have your PC hosts on the 192.168.20.x network have a static ARP entry for 192.168.20.5 pointing to the NetScreen's MAC address.
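A small check that encodes the rule from the reply above: a dial-up pool address that falls inside one of the NetScreen's connected subnets can never be reached from the LAN, because the LAN hosts ARP for it on the wire and nothing answers. This is an added example written for this thread, not code from the original posts or from ScreenOS. It assumes the addressing the poster describes (192.168.20.1 on ethernet2, the DMZ interface); the /24 mask, the 192.168.21.0/24 candidate subnet and the pool sizes are assumptions, since the posted config does not show the interface lines.

```python
"""Sanity-check an L2TP dial-up address pool against a NetScreen's
directly connected subnets, and propose a pool that does not overlap.

Added example for this thread; not from the original posts or ScreenOS.
"""
import ipaddress

# Assumed interface addressing (the posted config omits the interface lines).
INTERFACES = {
    "ethernet2": "192.168.20.1/24",   # DMZ interface the VPN client can ping
}


def overlapping_subnets(pool_start, pool_end, interfaces=INTERFACES):
    """Return the interfaces whose connected subnet overlaps the pool range.

    Any pool address inside such a subnet is unreachable from the LAN: hosts
    on that subnet ARP for it directly, and the NetScreen does not proxy ARP
    for dial-up pool addresses, so the ARP request is never answered.
    """
    start = int(ipaddress.ip_address(pool_start))
    end = int(ipaddress.ip_address(pool_end))
    if start > end:
        raise ValueError("pool start must not be above pool end")
    hits = []
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if start <= hi and lo <= end:          # closed-interval overlap test
            hits.append(name)
    return hits


def has_host_bits(cidr):
    """True for an address like 192.168.20.6/24 that carries host bits.

    Such an entry reads like a single host but is masked as a subnet; it is
    ambiguous in a policy, and a /32 was most likely intended.
    """
    try:
        ipaddress.ip_network(cidr, strict=True)
        return False
    except ValueError:
        return True


def suggest_pool(interfaces=INTERFACES, candidate="192.168.21.0/24",
                 first_host=5, count=16):
    """Propose a pool on a subnet that overlaps no connected interface and
    return the ScreenOS lines to apply it: the ippool definition and a
    static route towards the tunnel interface named in the posted config."""
    net = ipaddress.ip_network(candidate)
    start = net.network_address + first_host
    end = start + count - 1
    if end >= net.broadcast_address:
        raise ValueError("pool does not fit in candidate subnet")
    if overlapping_subnets(str(start), str(end), interfaces):
        raise ValueError("candidate subnet overlaps a connected interface")
    return [
        f'set ippool "TestPool" {start} {end}',
        f'set route {net} interface tunnel.1',
    ]


if __name__ == "__main__":
    # The poster's situation: pool address 192.168.20.5 inside ethernet2's /24.
    print("pool 192.168.20.5-20 overlaps:",
          overlapping_subnets("192.168.20.5", "192.168.20.20"))
    print('"192.168.20.6/24" has host bits:', has_host_bits("192.168.20.6/24"))
    for line in suggest_pool():
        print(line)
```

Run against the poster's config this flags the pool on ethernet2's subnet and the `192.168.20.6/24` object in policy 9, and prints a pool on 192.168.21.0/24 with its route. If the pool must stay on 192.168.20.0/24, the remaining option is the one the reply names: a static ARP entry for each pool address on every LAN host, pointing at the NetScreen's MAC, which is why moving the pool is the cleaner fix.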



  • What must I do if the workstations (192.168.20.3 and 192.168.20.2) have no ARP entry for 192.168.20.5?



  • From the workstation that connects by VPN I can ping 192.168.20.1 (it's interface eth2 (ns208), the DMZ interface),
    but if I ping 192.168.20.2 and 192.168.20.3 I get no answer.
    If I do arp -a after pinging 192.168.20.1 I have no information.

    From the ns-208 I can't ping my VPN connection - 192.168.20.1, but I can ping 192.168.20.3 and 192.168.20.2.
    ns208-> ping 192.168.20.5
    Type escape sequence to abort

    Sending 5, 100-byte ICMP Echos to 192.168.20.5, timeout is 2 seconds
    .....
    Success Rate is 0 percent (0/5),

    If I show the ARP table, I have no information about 192.168.20.5:
    ns208-> get arp all
    usage: 7/4096  miss: 0
    always-on-dest: disabled
    --------------------------------------------------------------------------------
    IP            Mac           VR/Interface   State  Age   Retry  PakQue
    192.168.20.2  00025591f829  trust-vr/eth2  VLD    870   0      0
    192.168.20.3  00145e6b6a02  trust-vr/eth2  VLD    1033  0      0
    -----
    ns208->

    **If I want to set ARP:**
    ns208-> set arp 192.168.20.5 005345000000 ethernet3 (untrust)
    ARP Warning: cannot find route for 192.168.20.5
    ns208-> set arp 192.168.20.50 005345000000 ethernet2 (dmz, the zone into which I want to get the VPN connection)
    but after that I still have no ping:
    ns208-> ping 192.168.20.5
    Type escape sequence to abort

    Sending 5, 100-byte ICMP Echos to 192.168.20.5, timeout is 2 seconds
    .....
    Success Rate is 0 percent (0/5),

    What must I do to help you understand my trouble?



  • Sounds like your hosts on the 192.168.20.x network don't have a route for your dialup clients, or the ARP resolution for 192.168.20.5 is not resolving to your NetScreen's MAC address. Check your other workstations' ARP tables and see if they have 192.168.20.5 in their ARP cache and that the MAC address is the NetScreen's.

