Screen OS

  • 1.  netscreen remote with source based routing

    Posted 02-24-2009 19:07

    I want to configure the NetScreen Remote VPN client with source-based routing on the SSG-320 at the HO site. NetScreen Remote is able to connect to the HO while authenticating from the firewall/IAS, but is unable to access any resources in the HO. The reference documents I used were

    http://kb.juniper.net/kb/documents/public/ApplicationNotes/Technical/ScreenOS%204.0.0/dialupvpn_xauth_ias.htm

    and

    http://www.corelan.be:8800/index.php/2009/01/22/juniper-netscreen-remote-dial-up-vpn-with-ad-radius-authentication-and-route-based-vpn-tunnel-interface/

    The configuration on the HO SSG-320 is also attached.

    Does anyone have a clue?



    #HO-not-working

    Attachment: HO-not-working.txt (93 KB)


  • 2.  RE: netscreen remote with source based routing
    Best Answer

    Posted 02-24-2009 23:49

    You are requiring your users to authenticate again when they are connected to the VPN:

    set policy id 36 from "Remote Dial In Zone" to "Trust"  "10.90.1.0/24" "local-lan" "ANY" permit auth server "Local" user-group "teo-intl" log
    set policy id 36
    set log session-init

    Can you disable this requirement and see if that helps?

    Also, do you see anything useful in a debug flow basic?



  • 3.  RE: netscreen remote with source based routing

    Posted 02-25-2009 06:54

    The part of the config you are referring to is working, as I am able to authenticate through the firewall/IAS server and can see a yellow key above the blue icon of NetScreen Remote.



  • 4.  RE: netscreen remote with source based routing

    Posted 02-25-2009 06:58

    I'm not sure, because the policy has nothing to do with the VPN.

    You are using a route-based VPN, so the policy only allows or stops traffic inside the tunnel.

    Users can authenticate, which is because the dial-up VPN is configured correctly,

    but I'm pretty sure the policy is stopping users from connecting to internal resources.

    Can you disable the auth part in the policy and see if it works then?



  • 5.  RE: netscreen remote with source based routing

    Posted 02-25-2009 07:11

    OK, I will disable authentication on the policy and then see the result. Will get back to you by tomorrow. Also, I can't see much in the debug flow basic command.



  • 6.  RE: netscreen remote with source based routing

    Posted 02-26-2009 16:55
    Thanks for the support. The issue got resolved by modifying the policy and disabling authentication on the policy.
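The pattern that caused this thread's problem is a policy from the dial-up zone that carries an `auth server ... user-group ...` clause, so users who already passed XAuth to bring the tunnel up are challenged a second time for every session inside it. The Python script below is an added example written for this page, not code from the thread, from Juniper or from the linked articles: it tokenizes ScreenOS `set policy` lines, flags policies from a named dial-up zone that also demand policy-level authentication, and shows the same policy with that clause removed. The zone name and policy 36 are taken from the thread; policies 40 and 41 and the surrounding `exit` line are constructed for the sample config.

```python
"""Audit ScreenOS 'set policy' lines for policy-level user authentication on
dial-up VPN policies. Added example for this thread; not Juniper code."""
import re
import shlex

# Option keywords in a policy's trailing clause that consume one value;
# anything else ("auth", "log", "count", ...) is treated as a flag.
_VALUE_OPTS = {"server", "user-group", "user", "group-expression", "schedule"}

# Matches 'auth [server "X"] [user|user-group|group-expression "Y"]'.
_AUTH_CLAUSE = re.compile(
    r'\s+\bauth\b(?:\s+server\s+"[^"]*")?'
    r'(?:\s+(?:user-group|user|group-expression)\s+"[^"]*")?')


def parse_policy(line):
    """Parse one full policy definition of the form
        set policy [id N] [name "X"] from ZONE to ZONE SRC DST SERVICE ACTION [opts]
    Returns a dict, or None for anything else (e.g. the bare 'set policy id 36'
    that only opens a policy context, or 'set log session-init' inside it)."""
    try:
        tok = shlex.split(line.strip())  # shlex handles the double-quoted names
        if tok[:2] != ["set", "policy"] or "from" not in tok:
            return None
        pol = {"id": None, "name": None, "auth": False, "auth_server": None,
               "user_group": None, "log": False, "options": []}
        i = 2
        if tok[i] == "id":
            pol["id"] = int(tok[i + 1])
            i += 2
        if tok[i] == "name":
            pol["name"] = tok[i + 1]
            i += 2
        if tok[i] != "from" or tok[i + 2] != "to":
            return None
        pol.update(from_zone=tok[i + 1], to_zone=tok[i + 3], src=tok[i + 4],
                   dst=tok[i + 5], service=tok[i + 6], action=tok[i + 7])
        i += 8
        while i < len(tok):  # trailing options: auth, server, user-group, log, ...
            key = tok[i]
            val = tok[i + 1] if key in _VALUE_OPTS else None
            if key == "auth":
                pol["auth"] = True
            elif key == "server":
                pol["auth_server"] = val
            elif key == "user-group":
                pol["user_group"] = val
            elif key == "log":
                pol["log"] = True
            else:
                pol["options"].append(key if val is None else (key, val))
            i += 2 if val is not None else 1
        return pol
    except (ValueError, IndexError):  # malformed or truncated line
        return None


def policies_requiring_auth(config_text, dialup_zones):
    """Return policies whose source zone is a dial-up VPN zone and which also
    demand policy-level user auth: the client already passed XAuth to bring the
    tunnel up, and this clause makes the user authenticate again per session."""
    flagged = []
    for line in config_text.splitlines():
        pol = parse_policy(line)
        if pol and pol["auth"] and pol["from_zone"] in dialup_zones:
            flagged.append(pol)
    return flagged


def without_policy_auth(line):
    """Return the same policy line with the auth clause removed; zones,
    addresses, service, action and the 'log' keyword are left untouched."""
    return _AUTH_CLAUSE.sub("", line, count=1)


# Constructed sample config: policy 36 is the line from this thread,
# policies 40 and 41 are invented to show a policy that is not flagged.
SAMPLE_CONFIG = """\
set policy id 36 from "Remote Dial In Zone" to "Trust"  "10.90.1.0/24" "local-lan" "ANY" permit auth server "Local" user-group "teo-intl" log
set policy id 36
set log session-init
exit
set policy id 40 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 41 from "Remote Dial In Zone" to "Trust"  "10.90.1.0/24" "local-lan" "HTTP" permit log
"""

if __name__ == "__main__":
    for pol in policies_requiring_auth(SAMPLE_CONFIG, {"Remote Dial In Zone"}):
        print(f"policy {pol['id']}: {pol['from_zone']} -> {pol['to_zone']} "
              f"requires policy auth via {pol['auth_server']} (group {pol['user_group']})")
    for line in SAMPLE_CONFIG.splitlines():
        pol = parse_policy(line)
        if pol and pol["auth"]:
            print("without policy auth:", without_policy_auth(line))
```

The script only reports and prints the alternative line rather than rewriting the config, because dropping the clause also removes a second authentication step: whether XAuth on the dial-up VPN alone is enough is a decision to make per policy, and the `log` keyword is kept so session logging of tunnel traffic is not lost with it.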