Static route through Netscreen Remote: can it be done?

Hi -

My network is accessible via a VPN tunnel via Netscreen Remote 8.3 to a Netscreen 5GT. The trust interface is 192.168.0.1. Connections to 192.168.0.0/24 hosts from my users' remote PCs work fine. However, we have a 10.0.0.0/24 network whose gateway is at 192.168.0.2. Unfortunately, there seems to be no way to tell Windows 2000 to route packets to 10.0.0.0/24 via 192.168.0.1, because the "deterministic network enhancer" which is used by the Netscreen Remote software is under the radar of basic Windows 2000 TCP/IP. That is, "route ADD 10.0.0.0 MASK 255.255.255.0 192.168.0.2 METRIC 1 IF 0x2" does not work, because, not unreasonably, there is no official route to the 192.168.0.0/24 subnet.

Does anybody know whether it is possible to hack this so 10.0.0.0/24 packets are sent down the invisible VPN interface? Looking at the Netscreen Remote software, there doesn't appear to be any way to add this, short of creating a completely separate tunnel for this interface (I imagine that I would have to bind a 10.0.0.x address to a new VPN gateway, somehow).

Any ideas?

-- Mark Bertenshaw Kingston upon Thames UK

Mark Alexander Bertenshaw

You need to add another subnet to the existing tunnel or if your user interface only allows a single local and a single remote subnet when defining a tunnel then you will need to create a second tunnel to the same endpoint.

Mike Drechsler - SPAM PROTECTE

That's what I thought. All rather annoying.

-- Mark

Mark Alexander Bertenshaw

NetScreen remote / 5GT will allow you to create a second connection.

Open NS Remote > right click your current "green lock" > copy > paste. Now change the subnet to 10.0.0.0/24 rather than 192.x

Open the NetScreen firewall > policies > create a second dialup vpn policy matching the proxy id for the 10.0.0.0/24 network

This is very simple; you will not have to create a 2nd VPN tunnel.

Regards

Dave Sinclair

NetScreen/Juniper Certified Trainer

Sintec
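
Added example, not part of the thread and not NetScreen code: a simplified model of why the `route ADD` had no effect and why both steps above are needed. It assumes the client decides per destination from the remote subnets of its configured connections, and that the gateway accepts a proposal only when a dial-up policy has exactly the same subnet (the proxy ID); the connection names are made up.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configurations using the subnets from the thread.
CLIENT_BEFORE = {"office": "192.168.0.0/24"}
CLIENT_AFTER = {"office": "192.168.0.0/24", "office-10": "10.0.0.0/24"}
GATEWAY_BEFORE = ["192.168.0.0/24"]
GATEWAY_AFTER = ["192.168.0.0/24", "10.0.0.0/24"]


def client_action(dst, connections):
    """Name of the most specific connection whose remote subnet contains
    dst, or None when no connection matches and the packet is not tunnelled
    (the Windows routing table is never consulted in this model)."""
    matches = [
        (ip_network(net).prefixlen, name)
        for name, net in connections.items()
        if ip_address(dst) in ip_network(net)
    ]
    return max(matches)[1] if matches else None


def audit(connections, gateway_policies):
    """Compare client remote subnets with gateway dial-up policy subnets."""
    client = {ip_network(n) for n in connections.values()}
    gateway = {ip_network(n) for n in gateway_policies}
    return {
        # Client would propose this subnet but no policy matches it.
        "client_only": sorted(map(str, client - gateway)),
        # Policy exists, but the client never sends this traffic to the VPN.
        "gateway_only": sorted(map(str, gateway - client)),
    }


if __name__ == "__main__":
    for label, conns, pols in [
        ("original setup", CLIENT_BEFORE, GATEWAY_BEFORE),
        ("client copy only", CLIENT_AFTER, GATEWAY_BEFORE),
        ("client copy + policy", CLIENT_AFTER, GATEWAY_AFTER),
    ]:
        print(label, client_action("10.0.0.5", conns), audit(conns, pols))
```
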

Dave -

Thanks very much! It now works absolutely fine.

-- Mark Bertenshaw Kingston upon Thames UK

Mark Alexander Bertenshaw
