Static route through Netscreen Remote: can it be done?
Mark Alexander Bertenshaw 2005-06-05, 8:45 pm
Hi -
My network is accessible via a VPN tunnel via Netscreen Remote 8.3 to a
Netscreen 5GT. The trust interface is 192.168.0.1. Connections to
192.168.0.0/24 hosts from my users' remote PCs work fine. However, we have
a 10.0.0.0/24 network whose gateway is at 192.168.0.2. Unfortunately, there
seems to be no way to tell Windows 2000 to route packets to 10.0.0.0/24 via
192.168.0.1, because the "deterministic network enhancer" which is used by
the Netscreen Remote software is under the radar of basic Windows 2000
TCP/IP. That is, "route ADD 10.0.0.0 MASK 255.255.255.0 192.168.0.2 METRIC
1 IF 0x2" does not work, because not unreasonably, there is no official
route to the 192.168.0.0/24 subnet.
Does anybody know whether it is possible to hack this so 10.0.0.0/24 packets
are sent down the invisible VPN interface? Looking at the Netscreen Remote
software, there doesn't appear to be any way to add this, short of creating
a completely separate tunnel for this interface (I imagine that I would have
to bind a 10.0.0.x address to a new VPN gateway, somehow).
Any ideas?
--
Mark Bertenshaw
Kingston upon Thames
UK
Mike Drechsler - SPAM PROTECTED EMAIL 2005-06-05, 8:45 pm
Mark Alexander Bertenshaw wrote:
> Hi -
>
> My network is accessible via a VPN tunnel via Netscreen Remote 8.3 to a
> Netscreen 5GT. The trust interface is 192.168.0.1. Connections to
> 192.168.0.0/24 hosts from my users' remote PCs work fine. However, we have
> a 10.0.0.0/24 network whose gateway is at 192.168.0.2. Unfortunately, there
> seems to be no way to tell Windows 2000 to route packets to 10.0.0.0/24 via
> 192.168.0.1, because the "deterministic network enhancer" which is used by
> the Netscreen Remote software is under the radar of basic Windows 2000
> TCP/IP. That is, "route ADD 10.0.0.0 MASK 255.255.255.0 192.168.0.2 METRIC
> 1 IF 0x2" does not work, because not unreasonably, there is no official
> route to the 192.168.0.0/24 subnet.
>
> Does anybody know whether it is possible to hack this so 10.0.0.0/24 packets
> are sent down the invisible VPN interface? Looking at the Netscreen Remote
> software, there doesn't appear to be any way to add this, short of creating
> a completely separate tunnel for this interface (I imagine that I would have
> to bind a 10.0.0.x address to a new VPN gateway, somehow).
>
> Any ideas?
>
> --
> Mark Bertenshaw
> Kingston upon Thames
> UK
You need to add another subnet to the existing tunnel, or, if your user
interface only allows a single local and a single remote subnet when
defining a tunnel, then you will need to create a second tunnel to the
same endpoint.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Mark Alexander Bertenshaw 2005-06-06, 7:51 am
"Mike Drechsler - SPAM PROTECTED EMAIL"
<mike-newsgroup@-DELETETHISPART-.upcraft.com> wrote in message
news:j8Ooe.52177$W62.10516@fe10.news.easynews.com...
> Mark Alexander Bertenshaw wrote:
>
> You need to add another subnet to the existing tunnel or if your user
> interface only allows a single local and a single remote subnet when
> defining a tunnel then you will need to create a second tunnel to the
> same endpoint.
That's what I thought. All rather annoying.
--
Mark
Sintec 2005-06-09, 5:47 pm
NetScreen Remote / 5GT will allow you to create a second connection.
Open NS Remote > right click your current "green lock" > copy > paste,
now change the subnet to 10.0.0.0/24 rather than 192.x.
Open the NetScreen firewall > policies > create a second dialup VPN
policy matching the proxy ID for the 10.0.0.0/24 network.
This is very simple; you will not have to create a 2nd VPN tunnel.
Regards,
Dave Sinclair
www.sintecuk.co.uk
NetScreen/Juniper Certified Trainer
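A way to see why both of Dave's steps are needed, as an added example that is not part of the thread: a small model of IPsec phase-2 selectors (proxy IDs) on the client and the 5GT. The subnets are the thread's; the client address 172.16.5.10 and the function names are assumptions made for the illustration.

```python
"""Added example, not from the thread: model the phase-2 selectors (proxy
IDs) of a Netscreen Remote dial-up connection and the matching dial-up
policies on the firewall, to show why a tunnel whose only selector is
192.168.0.0/24 never carries 10.0.0.0/24 traffic, and why the fix needs a
second client connection AND a matching firewall policy."""
from ipaddress import ip_address, ip_network


class ProxyId:
    """One client-side connection: local selector (the PC) and remote subnet."""

    def __init__(self, local, remote):
        self.local = ip_network(local)
        self.remote = ip_network(remote)

    def covers(self, src, dst):
        return ip_address(src) in self.local and ip_address(dst) in self.remote


def gateway_accepts(gateway_policies, proxy_id):
    """Phase 2 completes only if the firewall has a dial-up policy whose
    trust-side subnet equals the remote subnet the client proposes."""
    return any(ip_network(p) == proxy_id.remote for p in gateway_policies)


def classify(proxy_ids, gateway_policies, src, dst):
    """'tunnel' if a connection covers the flow and the gateway agrees;
    'phase2-mismatch' if a connection covers it but no firewall policy
    matches; 'cleartext' if no selector covers it at all, i.e. the packet
    takes the normal Windows route, unencrypted (a leak or a black hole)."""
    for proxy_id in proxy_ids:
        if proxy_id.covers(src, dst):
            if gateway_accepts(gateway_policies, proxy_id):
                return "tunnel"
            return "phase2-mismatch"
    return "cleartext"


CLIENT = "172.16.5.10"  # constructed sample: the remote PC's own address
# Original state: one connection for 192.168.0.0/24, one firewall policy.
CLIENT_ORIG = [ProxyId(CLIENT + "/32", "192.168.0.0/24")]
FW_ORIG = ["192.168.0.0/24"]
# After Dave's steps: the copied connection with the new subnet, plus the
# second dial-up policy on the 5GT carrying the same proxy ID.
CLIENT_FIXED = CLIENT_ORIG + [ProxyId(CLIENT + "/32", "10.0.0.0/24")]
FW_FIXED = FW_ORIG + ["10.0.0.0/24"]

if __name__ == "__main__":
    for dst in ("192.168.0.2", "10.0.0.7"):
        print(dst, classify(CLIENT_ORIG, FW_ORIG, CLIENT, dst),
              classify(CLIENT_FIXED, FW_ORIG, CLIENT, dst),
              classify(CLIENT_FIXED, FW_FIXED, CLIENT, dst))
```

The middle column of the output is the half-done state: the client proposes 10.0.0.0/24 but the 5GT has no policy for it, so phase 2 fails instead of silently falling back to cleartext.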
Mark Alexander Bertenshaw 2005-06-14, 5:47 pm
> NetScreen remote / 5GT will allow you to create a second connection.
>
> Open NS Remote > right click your current "green lock" > copy > paste
> now change the subnet to 10.0.0.0/24 rather than 192.x
>
>
> Open the NetScreen firewall > policies > create a second dialup vpn
> policy matching the proxy id for the 10.0.0.0/24 network
>
>
> this is very simple, you will not have to create a 2nd vpn tunnel.
>
Dave -
Thanks very much! It now works absolutely fine.
--
Mark Bertenshaw
Kingston upon Thames
UK