Netscreen VPN help needed

I have a working policy based lan-to-lan tunnel configured on two Netscreens.

I also have another zone called 'dmz' on one of the Netscreens, and hosts in that zone are unable to access the lan-to-lan tunnel.

In zone dmz, there is no policy for the vpn or a route to the destination, so traffic ends up being sent to the default gateway instead of the tunnel.

When I tried adding a policy to zone 'dmz' for the VPN traffic, ScreenOS said it could not because the IKE ID was already in use. I also tried to route the traffic to the trust interface, and that didn't work either.

Can anyone assist and tell me how to configure this so that the other zone can access the tunnel?

Thanks in Advance.

-RLR

Reply to
rick

Pick one of:

  1. Use a route-based tunnel
  2. Update your firmware, that sounds like version 3
  3. Create a second set of P1 and P2 definitions for the DMZ tunnel on both sides and treat it as a separate tunnel; use local and remote IDs to differentiate them.

#1 makes the most sense by far.

Note that your existing policy-based tunnel probably won't pass traffic bearing DMZ network addresses anyway, because the proxy IDs gleaned from the policies don't include those addresses.

-Russ.

Reply to
Somebody.
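To make option #1 concrete, here is an added ScreenOS CLI example of a route-based tunnel that both the trust and dmz zones can use. It is not configuration from the original post or from Juniper; the interface name (ethernet3 as the untrust interface), zone names, addresses (RFC 5737 test ranges for the public sides), tunnel/gateway names and the pre-shared key placeholder are all assumptions, and the remote peer needs the mirror image (its own tunnel interface, routes back to both 10.1.1.0/24 and 172.16.1.0/24, and the same 0.0.0.0/0 proxy IDs), or Phase 2 will fail on a proxy-ID mismatch.

```text
## Local side (the box that has both trust and dmz)
## Assumed: ethernet3 is the untrust interface at 203.0.113.1,
## trust LAN is 10.1.1.0/24, dmz is 172.16.1.0/24,
## remote peer is 198.51.100.1 with LAN 10.2.2.0/24.

## 1. Tunnel interface. Putting it in zone untrust means the existing
##    trust->untrust policies can be reused; a dedicated "vpn" zone works too.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

## 2. Phase 1 gateway. "sec-level standard" is a predefined proposal set;
##    replace the placeholder key and, in production, choose explicit proposals.
set ike gateway gw-remote address 198.51.100.1 main outgoing-interface ethernet3 preshare "REPLACE-ME" sec-level standard

## 3. Phase 2 VPN bound to the tunnel interface. The 0/0 proxy IDs are what
##    let DMZ addresses use the same SA; a policy-based tunnel would derive
##    proxy IDs from the policy and drop anything outside them.
set vpn vpn-remote gateway gw-remote sec-level standard
set vpn vpn-remote bind interface tunnel.1
set vpn vpn-remote proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any

## 4. Routing: this route, not a policy, is what steers traffic into the
##    tunnel, so the default route to the ISP no longer swallows it.
set route 10.2.2.0/24 interface tunnel.1

## 5. Address objects and policies. Each source zone gets its own policy;
##    no IKE IDs are involved, so there is no "already in use" conflict.
set address trust   "lan-net"    10.1.1.0/24
set address dmz     "dmz-net"    172.16.1.0/24
set address untrust "remote-net" 10.2.2.0/24

set policy from trust to untrust "lan-net" "remote-net" any permit
set policy from dmz   to untrust "dmz-net" "remote-net" any permit
set policy from untrust to trust "remote-net" "lan-net" any permit
set policy from untrust to dmz   "remote-net" "dmz-net" any permit

## 6. Remove the old policy-based tunnel (names assumed) so two VPNs do not
##    compete for the same peer, then save.
## unset policy id <old-vpn-policy-id>
## unset vpn <old-policy-vpn>
save
```

Two checks after committing this: `get sa` should show the single Phase 2 SA with 0.0.0.0/0 proxy IDs on both sides, and `get route` should list 10.2.2.0/24 via tunnel.1 ahead of the default route. If DMZ traffic still leaves via the default gateway, the route is missing or a more specific route points elsewhere; if the SA never comes up, compare proxy IDs on the remote side first, since that is the most common mismatch when moving from policy-based to route-based.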

formatting link
go to
formatting link
for example lan-to-lan vpn or vpn dmz

Robert

Reply to
Robert

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.