
Dial-Up VPN (Policy-based) & Route-based Hub & Spoke


pipkins

IS-IT--Management
Jul 16, 2003
Hello,

I currently have a Dial-Up VPN Client using NetScreen Remote 8.3 utilising XAuth, and it is configured using policy-based VPNs. This works fine in terms of connecting to the network. The VPN connection is bi-directional and the client is assigned an internal private IP address.

However, the internal network is a route-based, hub and spoke configuration. The VPN Client can connect to any systems in the directly connected hub-site, but not in any of the spoke sites.

I have tried creating policies between the Untrusted Zone, which the VPN Client connects to, and the zone with all the VPN tunnels linking to the spoke sites, but to no avail.

Can anyone confirm whether they have this type of configuration working? And if so, how?
 
Hey,

I am no pro, but this could be a few things to check:

- Make sure the remote site subnet is permitted in the VPN policy
- Check to make sure the NAT pool assigned to the dial-up clients has a return route back to the entry Netscreen

Let me know what you think. I can bounce this off a few people I know as well. Hope this is helpful.
Rgds,

John
 
Thanks for the reply.

At the Hub site I have two zones, Trust and VPN, where VPN contains all the tunnels to the spoke sites.

In 'Policies' I have created a policy enabling 'Dial-Up VPN' in the Untrusted Zone to 'Any' in the 'Trusted' Zone.

I then create a second policy from 'Dial-Up VPN' to 'Any' in the VPN Zone.

I then create a VPN tunnel from the client. I can connect to either the HUB or the SPOKE sites, but never both; I have to alternate by removing one of the above policies.

 
Errmm,

With regard to the above, I am not sure how you have configured the remote client, but remember: unless you are encrypting everything through the tunnel using a virtual adapter and have selected 'use gateway on remote LAN' on this adapter, you will need to declare the remote nets you are trying to get to; otherwise the remote client will not encapsulate the data for the remote subnets.

Once you are in the trust-vr the traffic should route through OK, but you need to get the traffic going to one of the NetScreens and then through to wherever.

So if you have only 1 connection defined in nsremote (e.g. to 192.168.1.x/24) then you need to copy the policies and replace the destination net with the required destination networks.

Any questions, let me know.

Kind regards

Njetscreamer
 
Thanks.

I currently route all traffic via NetScreen Remote using the mask 0.0.0.0/0.0.0.0.

I am able to ping the hub site and any spoke sites that are connected to the hub via a policy-based VPN.

However, I am not able to ping any sites that are connected to the hub via a route-based VPN.

Policies are configured that should enable the traffic.
 