Access to IPSec VPN through Netscreen-10 fw
| srp336@getcoactive.com 2006-03-31, 12:11 am |
| I've got a situation where about 3 or 4 users will need to access an
IPSec VPN. They're all coming from a LAN which is behind a Netscreen-10
firewall which is using NAT. The device they're trying to connect to is
a Netgear FVL328. I don't think NAT-T is available on the Netgear box,
unless there's a new firmware out that I'm not aware of which supports
it (which could very well be...)
I thought about setting up a LAN-to-LAN vpn, but it looks like that
idea might be hard to sell to the remote side. I don't know if they'd
be open to replacing their VPN device with something NAT-T compatible.
Is there anything on the Netscreen-10 that can make this work? I'm kind
of new to this particular firewall.
Thanks!
| |
| Somebody. 2006-03-31, 12:11 am |
|
<srp336@getcoactive.com> wrote in message
news:1143574681.402995.161600@i39g2000cwa.googlegroups.com...
> I've got a situation where about 3 or 4 users will need to access an
> IPSec VPN. They're all coming from a LAN which is behind a Netscreen-10
> firewall which is using NAT. The device they're trying to connect to is
> a Netgear FVL328. I don't think NAT-T is available on the Netgear box,
> unless there's a new firmware out that I'm not aware of which supports
> it (which could very well be...)
>
> I thought about setting up a LAN-to-LAN vpn, but it looks like that
> idea might be hard to sell to the remote side. I don't know if they'd
> be open to replacing their VPN device with something NAT-T compatible.
>
> Is there anything on the Netscreen-10 that can make this work? I'm kind
> of new to this particular firewall.
>
> Thanks!
The NetScreen 10 is probably fine nat'ing the ipsec packets, just make sure
it's the latest firmware for it which I believe is 3.03r8 or something like
that. Yes, it's an old box.
The NS10 is quite capable of doing a lan to lan vpn, I've still got clients
using pairs of those for corporate vpn concentrators, they're tough as nails
and very dependable.
-Russ.
| |
| srp336@getcoactive.com 2006-03-31, 12:11 am |
| Do any changes need to be made on the Netscreen, or should it just work
as-is?
Thanks!
| |
| Somebody. 2006-03-31, 12:12 am |
|
<srp336@getcoactive.com> wrote in message
news:1143673542.889487.287950@e56g2000cwe.googlegroups.com...
> Do any changes need to be made on the Netscreen, or should it just work
> as-is?
>
> Thanks!
It's been a long time since I worked on version 3 firmware. I have a vague
recollection of a setting like "ipsec-passthrough enable" or some such?
Have a look through the CLI reference for it.
-Russ.
| |
| srp336@getcoactive.com 2006-04-01, 12:29 pm |
| I see a line 'unset firewall bypass-others-ipsec' in the config, but I
can't seem to set it (the CLI doesn't seem to know what it is). Is this
a feature in ScreenOS that the Netscreen-10 doesn't support?