netscreen vpn tunnel

Hi all,

I've a problem with my new Netscreen SSG140.

I set up several vpn tunnels and I can ping the servers on the other locations from all my subnets here.

But I cannot ping any server via the tunnels directly from the netscreen box.

Any idea?

Tia

Chris

-- Christian Rehberger, System Consultant · OCLC PICA GmbH · Grünwalder Weg 28g · 82041 Oberhaching · Germany · t +49-(0)89-61308 333 · f +49-(0)89-61308 399 · e snipped-for-privacy@oclcpica.org

OCLC PICA GmbH · Managing directors: Christine Magin-Weeger, Norbert Weinberger · Registered office: Oberhaching · Commercial register HRB München: 113261

Reply to
Christian Rehberger

On Tue, 08 Jan 2008 15:31:48 +0100, Christian Rehberger wrote:

Hi

we use some of these too

It depends on the setup you use (policy based or route based). Try the following first: get access to the console (not the web frontend) and type: 'set ffilter dst-ip x.x.x.x'

'clear db'

Reply to
Burkhard Ott

Are you sourcing the ping, e.g. ping x.x.x.x FROM TRUST (or the appropriate interface)?

alan

Reply to
Alan Strassberg

Hi,

First, I've forgotten to mention that I'm using an HA solution with two Netscreen boxes.

It's a route-based setup.

I already did this, but I cannot understand the problem :-( May I send the debugging output to the list?

Chris

Reply to
Christian Rehberger

If you watch on the target server of the PING with tcpdump, do the ICMP echo requests arrive, and with which src IP?

matthias

Reply to
Matthias Apitz

Ok, I see the request on the target server. But the address is not the IP of the trust interface but the IP of the untrust interface of my Netscreen box. Now it's clear why the ping does not work.

But what's wrong with the setup that the untrust interface is used instead of the trust interface?

Chris

Reply to
Christian Rehberger

On Wed, 09 Jan 2008 14:17:26 +0100, Christian Rehberger wrote:

Sounds like a general NAT (DIP) rule in your policy, so no rule matches for the VPN, and I bet there is one from trust to untrust and these make the NAT, am I right? If you want, you can also mail the debug output to my email address you can see here. (It's a real one.)

cheers

Reply to
Burkhard Ott

Hi,

It seems I found the problem! It was in setting up the tunnel interfaces. I used the Untrust interface in the following command:

set interface tunnel.1 ip unnumbered interface ethernet0/8

Thanx all

Chris

Reply to
Christian Rehberger
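As an added illustration, not taken from the thread or from Juniper's documentation, here is the route-based tunnel binding Chris describes, first as posted and then corrected to borrow the trust-side address, followed by the console checks Burkhard and Alan suggested. ethernet0/8 as the untrust interface comes from his post; the trust interface name, the remote subnet and the remote host address are placeholders.

```text
## As posted (misconfigured): tunnel.1 borrows the address of the UNTRUST
## interface, so anything the firewall itself originates into the tunnel
## (ping, syslog, NTP) carries the untrust IP as source, and the remote
## side has no reason to route replies back through the VPN.
set interface tunnel.1 ip unnumbered interface ethernet0/8

## Corrected: re-issue the binding against the TRUST interface.
## <trust-if> is a placeholder; pick the interface 'get interface' lists
## in the Trust zone on your box.
set interface tunnel.1 ip unnumbered interface <trust-if>

## Static route so the remote subnet is reached via the tunnel (placeholders).
set route <remote-subnet>/<prefix-len> interface tunnel.1

## Verify from the console, sourcing the ping from the trust interface
## as Alan suggested, and tracing the flow with Burkhard's filter.
set ffilter dst-ip <remote-host-ip>
clear db
debug flow basic
ping <remote-host-ip> from <trust-if>
undebug all
get db stream   ## the trace should now show the trust IP as the source
```

If the trace still shows the untrust IP after the fix, check for a trust-to-untrust policy with DIP/NAT enabled that matches before the VPN policy, as Burkhard described.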
