Getting a private IP on a Dial-UP VPN.



  • With the configuration below (following the tutorials) I can get the dial-up VPN to connect and work. However, on the internal network I retain an external (real, routable) address. Could someone tell me how I get the external client on a dial-up VPN to be allocated an internal IP address?

    Right now, most of the hosts (MS Server/SMB) inside refuse to talk to the external PC connected via VPN.

    BTW this is a Netscreen 5GT 103, unrestricted.

    set clock ntp
    set clock timezone 1
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set auth-server “Local” id 0
    set auth-server “Local” server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "admin"
    set admin password "XXXXXXXXXXXXXXXXXn"
    set admin mail alert

    set admin mail traffic-log
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone “Trust” vrouter "trust-vr"
    set zone “Untrust” vrouter "trust-vr"
    set zone “VLAN” vrouter "trust-vr"
    set zone “Untrust-Tun” vrouter "trust-vr"
    set zone “Trust” tcp-rst
    set zone “Untrust” block
    unset zone “Untrust” tcp-rst
    set zone “MGT” block
    set zone “VLAN” block
    unset zone “VLAN” tcp-rst
    set zone “Trust” screen alarm-without-drop
    set zone “Trust” screen icmp-flood
    set zone “Trust” screen udp-flood
    set zone “Trust” screen winnuke
    set zone “Trust” screen port-scan
    set zone “Trust” screen ip-sweep
    set zone “Trust” screen tear-drop
    set zone “Trust” screen syn-flood
    set zone “Trust” screen ip-spoofing
    set zone “Trust” screen ping-death
    set zone “Trust” screen ip-filter-src
    set zone “Trust” screen land
    set zone “Trust” screen syn-frag
    set zone “Trust” screen tcp-no-flag
    set zone “Trust” screen unknown-protocol
    set zone “Trust” screen ip-bad-option
    set zone “Trust” screen ip-record-route
    set zone “Trust” screen ip-timestamp-opt
    set zone “Trust” screen ip-security-opt
    set zone “Trust” screen ip-loose-src-route
    set zone “Trust” screen ip-strict-src-route
    set zone “Trust” screen ip-stream-opt
    set zone “Trust” screen icmp-fragment
    set zone “Trust” screen icmp-large
    set zone “Trust” screen syn-fin
    set zone “Trust” screen fin-no-ack
    set zone “Trust” screen limit-session source-ip-based
    set zone “Trust” screen syn-ack-ack-proxy
    set zone “Trust” screen block-frag
    set zone “Trust” screen limit-session destination-ip-based
    set zone “Trust” screen icmp-id
    set zone “Trust” screen ip-spoofing drop-no-rpf-route
    set zone “Untrust” screen tear-drop
    set zone “Untrust” screen syn-flood
    set zone “Untrust” screen ping-death
    set zone “Untrust” screen ip-filter-src
    set zone “Untrust” screen land
    set zone “V1-Untrust” screen tear-drop
    set zone “V1-Untrust” screen syn-flood
    set zone “V1-Untrust” screen ping-death
    set zone “V1-Untrust” screen ip-filter-src
    set zone “V1-Untrust” screen land
    set interface “trust” zone "Trust"
    set interface “untrust” zone "Untrust"
    set interface “tunnel.1” zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 192.168.3.250/24
    set interface trust nat
    set interface untrust ip x.x.x.34/26
    set interface untrust route
    set interface tunnel.1 ip unnumbered interface untrust
    set interface untrust gateway x.x.x.1
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface trust manage mtrace
    set flow tcp-mss
    unset flow tcp-syn-check
    set hostname balenciaga-fw

    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 x.x.x.x
    set dns host dns2 x.x.x.x
    set user “enrique” uid 1
    set user “enrique” ike-id fqdn “enrique” share-limit 1
    set user “enrique” type  ike
    set user “enrique” "enable"
    set ike gateway “Enrique.1” dialup “enrique” Aggr outgoing-interface “untrust” preshare “blah-blahXXXXXXXXXXXXX” proposal "pre-g2-des-md5"
    set ike gateway “Enrique.1” nat-traversal udp-checksum
    set ike gateway “Enrique.1” nat-traversal keepalive-frequency 5
    set ike respond-bad-spi 1
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn “Enrique.2” gateway “Enrique.1” replay tunnel idletime 0 proposal "g2-esp-des-md5"
    set vpn “Enrique.2” monitor
    set av profile "scan-mgr"
    set ftp scan-mode  scan-all
    set ftp decompress-layer  2
    set http scan-mode  scan-all
    set imap scan-mode  scan-all
    set imap decompress-layer  2
    set pop3 scan-mode  scan-all
    set pop3 decompress-layer  2
    set smtp scan-mode  scan-all
    set smtp decompress-layer  2
    exit
    set av scan-mgr max-content-size drop
    set av scan-mgr max-msgs drop
    set url protocol sc-cpa
    exit
    set anti-spam profile ns-profile
    set sbl default-server enable
    exit
    set vpn “Enrique.2” proxy-id local-ip 192.168.3.133/24 remote-ip 255.255.255.255/32 "ANY"
    set policy id 1 from “Trust” to “Untrust”  “Any” “Any” “ANY” permit
    set policy id 1
    exit
    set policy id 3 name “Enrique.entra” from “Untrust” to “Trust”  “Dial-Up VPN” “Any” “ANY” tunnel vpn “Enrique.2” id 1 log
    set policy id 3
    exit
    set global-pro policy-manager primary outgoing-interface untrust
    set global-pro policy-manager secondary outgoing-interface untrust
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    set ntp server "0.0.0.0"
    set ntp server backup1 "0.0.0.0"
    set ntp server backup2 "0.0.0.0"
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • ScreenOS 5.3r2 and later also support a RADIUS framed pool, so you can pass the IP pool name via RADIUS attribute 88, or even manage the IP pool on the RADIUS server itself.



  • @MaxPipeline:

    Also you can specify an IP pool with xauth on the 5GT. The pool must be specified and cannot be on the same subnet as any of your interfaces.

    example:
    set ippool “xauthpool” 172.100.200.2 172.100.200.254
    set xauth default ippool “xauthpool”

    Or you can reference the pool in your xauth user configuration.

    If I can’t use an IP in the internal block then I have the same problem: the Samba servers will not talk to the VPN client.

    Yes, I am using Netscreen Remote.



  • Are you using NetScreen Remote as the VPN client? If so, you should use the virtual adapter (set as preferred or required).

    Also you can specify an IP pool with xauth on the 5GT. The pool must be specified and cannot be on the same subnet as any of your interfaces.

    example:
    set ippool “xauthpool” 172.100.200.2 172.100.200.254
    set xauth default ippool “xauthpool”

    Or you can reference the pool in your xauth user configuration.



  • XAuth doesn’t give me anywhere to link an IP pool. I can do that in the IKE gateway, however…

    No matter what I do I still have an external IP address, and SMB and other protocols simply don’t work because I am on an external IP address, even though I can ping and telnet into the network and browse websites.

    Help… how on earth do I do this?



  • Sounds like you need to assign an address from a pool via XAuth. Check KB8535.

    http://kb.juniper.net/KB8535

    There are examples there of how to configure a dial-up VPN with XAuth.



  • One more thing… if by any chance I am asking the wrong question, or in the wrong area, have not explained it thoroughly, or it is covered in some newbie FAQ, please let me know.

    I’m very much stuck right now.

