Static route through Netscreen Remote: can it be done?



Hi -

My network is accessible via a VPN tunnel via Netscreen Remote 8.3 to a
Netscreen 5GT. The trust interface is 192.168.0.1. Connections to
192.168.0.0/24 hosts from my users' remote PCs work fine. However, we have
a 10.0.0.0/24 network whose gateway is at 192.168.0.2. Unfortunately, there
seems to be no way to tell Windows 2000 to route packets to 10.0.0.0/24 via
192.168.0.1, because the "deterministic network enhancer" which is used by
the Netscreen Remote software is under the radar of basic Windows 2000
TCP/IP. That is, "route ADD 10.0.0.0 MASK 255.255.255.0 192.168.0.2 METRIC
1 IF 0x2" does not work, because not unreasonably, there is no official
route to the 192.168.0.0/24 subnet.

Does anybody know whether it is possible to hack this so 10.0.0.0/24 packets
are sent down the invisible VPN interface? Looking at the Netscreen Remote
software, there doesn't appear to be any way to add this, short of creating
a completely separate tunnel for this interface (I imagine that I would have
to bind a 10.0.0.x address to a new VPN gateway, somehow).

Any ideas?

--
Mark Bertenshaw
Kingston upon Thames
UK




Posted by Mike Drechsler - SPAM PROTECTE on June 6, 2005, 2:01 am


Mark Alexander Bertenshaw wrote:
> Hi -
>
> My network is accessible via a VPN tunnel via Netscreen Remote 8.3 to a
> Netscreen 5GT. The trust interface is 192.168.0.1. Connections to
> 192.168.0.0/24 hosts from my users' remote PCs work fine. However, we have
> a 10.0.0.0/24 network whose gateway is at 192.168.0.2. Unfortunately, there
> seems to be no way to tell Windows 2000 to route packets to 10.0.0.0/24 via
> 192.168.0.1, because the "deterministic network enhancer" which is used by
> the Netscreen Remote software is under the radar of basic Windows 2000
> TCP/IP. That is, "route ADD 10.0.0.0 MASK 255.255.255.0 192.168.0.2 METRIC
> 1 IF 0x2" does not work, because not unreasonably, there is no official
> route to the 192.168.0.0/24 subnet.
>
> Does anybody know whether it is possible to hack this so 10.0.0.0/24 packets
> are sent down the invisible VPN interface? Looking at the Netscreen Remote
> software, there doesn't appear to be any way to add this, short of creating
> a completely separate tunnel for this interface (I imagine that I would have
> to bind a 10.0.0.x address to a new VPN gateway, somehow).
>
> Any ideas?
>
> --
> Mark Bertenshaw
> Kingston upon Thames
> UK

You need to add another subnet to the existing tunnel or if your user
interface only allows a single local and a single remote subnet when
defining a tunnel then you will need to create a second tunnel to the
same endpoint.


--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)


Posted by Mark Alexander Bertenshaw on June 6, 2005, 10:55 am



"Mike Drechsler - SPAM PROTECTED EMAIL"
> Mark Alexander Bertenshaw wrote:
> > Hi -
> >
> > My network is accessible via a VPN tunnel via Netscreen Remote 8.3 to a
> > Netscreen 5GT. The trust interface is 192.168.0.1. Connections to
> > 192.168.0.0/24 hosts from my users' remote PCs work fine. However, we have
> > a 10.0.0.0/24 network whose gateway is at 192.168.0.2. Unfortunately, there
> > seems to be no way to tell Windows 2000 to route packets to 10.0.0.0/24 via
> > 192.168.0.1, because the "deterministic network enhancer" which is used by
> > the Netscreen Remote software is under the radar of basic Windows 2000
> > TCP/IP. That is, "route ADD 10.0.0.0 MASK 255.255.255.0 192.168.0.2 METRIC
> > 1 IF 0x2" does not work, because not unreasonably, there is no official
> > route to the 192.168.0.0/24 subnet.
> >
> > Does anybody know whether it is possible to hack this so 10.0.0.0/24 packets
> > are sent down the invisible VPN interface? Looking at the Netscreen Remote
> > software, there doesn't appear to be any way to add this, short of creating
> > a completely separate tunnel for this interface (I imagine that I would have
> > to bind a 10.0.0.x address to a new VPN gateway, somehow).
> >
> > Any ideas?
> >
> > --
> > Mark Bertenshaw
> > Kingston upon Thames
> > UK
>
> You need to add another subnet to the existing tunnel or if your user
> interface only allows a single local and a single remote subnet when
> defining a tunnel then you will need to create a second tunnel to the
> same endpoint.

That's what I thought. All rather annoying.

--
Mark




Posted by Sintec on June 9, 2005, 11:00 am


NetScreen Remote / 5GT will allow you to create a second connection.

Open NS Remote > right click your current "green lock" > copy > paste,
now change the subnet to 10.0.0.0/24 rather than 192.x

Open the NetScreen firewall > policies > create a second dialup VPN
policy matching the proxy ID for the 10.0.0.0/24 network.

This is very simple; you will not have to create a 2nd VPN tunnel.

Regards

Dave Sinclair
www.sintecuk.co.uk
NetScreen/Juniper Certified Trainer
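As an added illustration (not from the thread, and not ScreenOS or Netscreen Remote configuration syntax), the following Python model shows the two pieces Mike and Dave are describing: the client-side phase-2 selector that decides whether a packet enters the tunnel at all, and the firewall's dialup VPN policy whose proxy ID must match that selector. The addresses, the `selector`/`check` helpers and the assumption that ScreenOS requires an exact proxy-ID match are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's setup. The client holds a list of phase-2
# selectors (local, remote); the 5GT holds dialup VPN policies with a proxy ID
# (local, remote). Assumed: a packet enters the tunnel only if a client selector
# covers its destination, and phase 2 only succeeds when the firewall has a
# policy whose proxy ID equals the client's selector exactly.

def selector(local, remote):
    return (ip_network(local, strict=False), ip_network(remote, strict=False))

CLIENT_HOST = "192.168.100.7/32"   # constructed address of the remote PC

# Starting point of the thread: one connection, remote subnet 192.168.0.0/24.
BEFORE_CLIENT = [selector(CLIENT_HOST, "192.168.0.0/24")]
BEFORE_FW = [selector(CLIENT_HOST, "192.168.0.0/24")]

# Dave's fix: copy the connection with remote 10.0.0.0/24 and add a matching
# dialup VPN policy on the firewall (a second phase-2 SA, not a second tunnel).
AFTER_CLIENT = BEFORE_CLIENT + [selector(CLIENT_HOST, "10.0.0.0/24")]
AFTER_FW = BEFORE_FW + [selector(CLIENT_HOST, "10.0.0.0/24")]

# Misconfiguration to watch for: a firewall policy written as /16 is not the
# same proxy ID as the client's /24, so the second SA will not come up.
MISMATCH_FW = BEFORE_FW + [selector(CLIENT_HOST, "10.0.0.0/16")]

def pick_selector(dst, client_selectors):
    """First client selector whose remote network covers dst, else None."""
    addr = ip_address(dst)
    for sel in client_selectors:
        if addr in sel[1]:
            return sel
    return None

def check(dst, client_selectors, fw_policies):
    """Where a packet to dst ends up under a given client/firewall configuration."""
    sel = pick_selector(dst, client_selectors)
    if sel is None:
        # No selector covers it: the VPN driver ignores the packet and the
        # ordinary Windows route table applies, which is why the manual
        # 'route ADD' in the original post could not help.
        return "not-tunneled"
    if sel not in fw_policies:
        return "phase2-fail"   # proxy-ID mismatch: firewall rejects the SA
    return "tunneled"

if __name__ == "__main__":
    for dst, cli, fw in [("10.0.0.5", BEFORE_CLIENT, BEFORE_FW),
                         ("10.0.0.5", AFTER_CLIENT, AFTER_FW),
                         ("10.0.0.5", AFTER_CLIENT, MISMATCH_FW)]:
        print(dst, check(dst, cli, fw))
```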



Posted by Mark Alexander Bertenshaw on June 14, 2005, 11:12 pm


> NetScreen Remote / 5GT will allow you to create a second connection.
>
> Open NS Remote > right click your current "green lock" > copy > paste,
> now change the subnet to 10.0.0.0/24 rather than 192.x
>
> Open the NetScreen firewall > policies > create a second dialup VPN
> policy matching the proxy ID for the 10.0.0.0/24 network.
>
> This is very simple; you will not have to create a 2nd VPN tunnel.
>

Dave -

Thanks very much! It now works absolutely fine.

--
Mark Bertenshaw
Kingston upon Thames
UK



