Multi Subnet VPN problems

[techracer74]

Greetings all. I have been working w/ PIX other misc firewalls for a while but this is my first more complicated setup on a Netscreen.

What I need to do is get a Site-Site VPN tunnel up, which is pretty easy, but... I need the tunnel to make use of 7 different subnets on the other side going to one ip on my side(long story). Any help is greatly appreciated.

Here is the relevant config info(yes, i like the cli):

set interface trust ip 192.168.101.5/24
set interface trust nat
set interface untrust ip 207.x.y.z/29
set interface untrust route

set address "Trust" "lan" 192.168.101.0 255.255.255.0
set address "Trust" "vpn" 10.96.103.68 255.255.255.255

set address "Untrust" "207.x.y.z/29" 207.x.y.z 255.255.255.248
set address "Untrust" "VPN1" 10.174.2.0 255.255.255.0
set address "Untrust" "VPN2" 10.174.58.0 255.255.255.0
set address "Untrust" "VPN3" 10.24.16.0 255.255.255.0
set address "Untrust" "VPN4" 10.96.31.0 255.255.255.0
set address "Untrust" "VPN5" 141.x.y.0 255.255.255.0
set address "Untrust" "VPN6" 141.a.b.0 255.255.255.0
set address "Untrust" "VPN7" 141.c.d.0 255.255.255.0

set ike gateway "VPN" address 162.x.y.z Main outgoing-interface "untrust" preshare "blah" sec-level standard
set ike gateway "VPN" nat-traversal
set ike gateway "VPN" nat-traversal udp-checksum
set ike gateway "VPN" nat-traversal keepalive-frequency 5

set vpn "tunnel1" id 11 gateway "VPN" no-replay tunnel idletime 0 sec-level standard
set vpn "tunnel2" id 12 gateway "VPN" no-replay tunnel idletime 0 sec-level standard
set vpn "tunnel3" id 13 gateway "VPN" no-replay tunnel idletime 0 sec-level standard
set vpn "tunnel4" id 14 gateway "VPN" no-replay tunnel idletime 0 sec-level standard
set vpn "tunnel5" id 15 gateway "VPN" no-replay tunnel idletime 0 sec-level standard
set vpn "tunnel6" id 16 gateway "VPN" no-replay tunnel idletime 0 sec-level standard
set vpn "tunnel7" id 17 gateway "VPN" no-replay tunnel idletime 0 sec-level standard

Here is an exampl of the policies I'm trying to create for it:

set policy id 11 from untrust to trust VPN1 VPN any tunnel vpn "tunnel1" id 11 pair-policy 12
set policy id 12 from trust to untrust VPN VPN1 any tunnel vpn "tunnel1" id 11 pair-policy 11
set policy id 13 from untrust to trust VPN2 VPN any tunnel vpn "tunnel2" id 12 pair-policy 14
set policy id 14 from trust to untrust VPN VPN2 any tunnel vpn "tunnel2" id 12 pair-policy 13

When I try the above policies I get:

Can not create SA for VPN VPN1
Cannot create new sa


Any help is MUCH appreicated.


Bryan

 

[Packet7]

Hello,

You can define each subnet for the remote LAN(s) on your box. You will probably need to create a "Tunnel Interface" and assign a non-routable IP that doesn't conflict with your Remote LANs routing. You will also need an additional IP on the same subnet as the Tunnel Interface to use with SRC-NAT. You will want to create a numbered Tunnel and bind it to the Untrust-Tunnel zone. When setting up your VPN policy, make sure you define NAY w/ the DIP Pool you created (one IP should work). You will also need to add routes for each remote LAN (Remote LAN - Next Hop of Tunnel Interface). Oh, and make sure the VPN is bound to the Untrust-Tunnel Zone.

I use my company NSM (Netscreen Security Manager) for all our Firewalls. So I don't use the CLI that much. If anything, I hope this helps you narrow down your problem. I actually configured the same type of setup (minus 6 remote lans) and will be testing today with the client.

Cheers.

Rgds,

John

 

[techracer74]

Thanks for the help John, unfortuantely I can't get any other IP's from the 7 remote subnets. The 10.96.103.68 is all I've got to work with.

Would you happen to have any examples of this?


Bryan