Netscreen Remote VPN Client connectivity issues

You can, by defining individual host routes, as long as there are no duplicate addresses on both networks which you have to access. As more specific routes have precedence over the generous ones, you can modify the routing behaviour, and force some addresses to go local while others are remote. But I would not recommend that - very tricky and delicate.

And I can't remember about the NSR / SafeNet VPN client allowing for (virtual) network interfaces (which you would need for routing) or defining VPN rules on the client (which would be the alternate way). I know the NSR is keen to isolate you from you local network if you have the same IP addresses.

What I have at my small business clients, and which may be an alternative to you, is to have static IP addressing at the first point of connection to the outside world. So that is, the DSL service comes with several static IP addresses. This is pretty much necessary to have easy and effective management of the remove Netscreen client computers.

So then, I put an HP ProCurve switch directly after the DSL modem. Then I wired from the switch to the Netscreen Firewall and from there to the rest of the business infrastructure. Very standard. Then I ran a wire from the HP switch to where I work. This has a different external IP than the rest of the business. Now put a simple router at the end of that wire, and give it a different subnet than the business, and voila! you have an "inside the four walls" remote access to the business. It works a treat, is quite simple to implement, and provides a directly comparable service to users' home environment.

Now with respect to Vista, I am using a Vista 64-bit T61p laptop. At the point of going into business production with this machine 90 days ago, Juniper did not have a 64-bit client product. The Netscreen Remote is OEM'd from SoftRemote anyways, so I purchased a license to SoftRemote's 64-bit Safenet client. It works reasonably well but it is quite different from the XP Netscreen Remote client.

.... T

thanks for all your replies. bignewf i guess you seem to have the right solution but we cannot control the dhcp range of the adsl routers as the vpn client will be used by our users from remote locations. suppose, the user is in a hotel room and tries to access the resources behind the firewall, we will not be able to change the ip address of the router. is there any other vpn client (compatible with netscreen) that assigns a virtual ip address so that both the addresses will be in different subnets?

Your problem might be two-fold. A virtual IP does only help in one direction, as the office network can differentiate between office and remote even if the user's network is the same. But the client cannot.

Would be using Dst-NAT an option? That means that the office addresses are translated to another network by VPN policy. DNS or WINS will not work than, of course, and so NetBIOS names won't be resolved.

Something which confuses me is that NSR should block the local network from being accessed while VPN'd, as the remote network has precedence ...

How large is your network to just reconfigure your internal lan subnet to another IP range?

 It sounds silly but often a simple solution and a little downtime now will avoid more involved troubleshooting. If not an option, I will assist in another solution as Qlemo suggests above

I agree, best option is to change the internal network addresses to something more unusual, let's say 192.168.175.x, to avoid conflicts.

thanks for all the replies. the internal ip address cannot be changed as there are around 10+ servers and 200+ users. we will have to evaluate the dst-nat option. is there anyother option available? or any other client for this purpose?

Another IPSec client would not resolve the issue. Maybe a SSL VPN solution could be interesting.

I have a smaller client on the "0" subnet (192.168.0.x) and I agree that it is a pain in the butt to change. However, the majority of routers that I see are on the "1" subnet, so I don't encounter too many issues and most of the people in the client have laptops and use the Netscreen remote client to access company resources. It has been working thus for half a decade with little problem.

So, while I am empathetic to your position with all those servers, you might re-think "it is not an option to change". Thinking about the ramifications over the long haul, your life will be more difficult if you don't change. ..... T

cisco asa with built-in ssl vpn on model 5510, 550 works great, no software needed for client, easy to deploy. Can be used with email, htp proxy, and port forwarding to allow rdp lan access. works with any os that allows firefox, opera, IE

might want to consider this. Have done many deployments  and solves the issue of troubleshooting client vpn software and connections

being philosophical, change is always more difficult, but for the better. The short amount of time spent on an ip change is worth it. I have encountered this situation often, an sometimes one has to "bit the bullet" and change the ip scheme.  Good learning process also.

(applaus)

I've tried to configure a L2TP-IPSec VPN by using IP Pools on the Juniper security device. But after configuring the Netscreen remote client on a machine running XP SP2 should i create a new network connection for VPN?

please resummarize what you are trying to do at this point, since a lot of time has lapsed since your last post.

thanks

thanks sysexpert. can you please suggest some doc that i can go through. i've followed the netscreen userguide and havent got it to work.

why not send us the actual config, or screenshots of the configuration gui so we can check your settings


thanks