Avatar of cssi

Can't get VPN Client software to connect to Netscreen 5xp through a Cable modem and Linksys Router together

I have a Netscreen 5xp at work as a firewall to a 192.168.0.x network.  I have a cable modem at home from Time Warner's Road Runner.

If I just use the cable modem alone I can get the Netscreen remote client software to connect and actually map network drives and use the corporate email. I believe the reason is that the cable modem is acting as a DHCP server and sending out an IP address to my home computer of 65.x.x.x, and the software translates this somehow to my 192.168.0.x network.

But the problem comes in when I try and insert a Linksys Router (WRT54G) in between the cable modem and my home computer so that I can use my wireless laptop too.  The Linksys device is also a DHCP server sending out 192.168.0.x IP addresses.

I have tried everything to get the Netscreen Remote Client software to communicate with the 5xp at the office.  But to no avail.  I changed the Linksys to give out 192.168.1.x, that didn't work.  I have PPTP and IPSEC pass through enabled, that didn't work.  I turned off the DHCP service on the Linksys, that didn't work.

Here's what I would like to do.  I would like to have my home computer be on the same 192.168.0.x subnet so that I can browse net shares and see other computers at work through VNC viewer and Microsoft XP's network browser.

I used to have this working with an old Netgear router but I can't seem to get the Linksys to set up the same way.  Can anyone help?  Please.
Avatar of prueconsulting

You cannot have both ends of the tunnel on the same subnet, because otherwise the tunnel will not know what is supposed to travel across it.
Avatar of SysExpert
I would set the Linksys to be a simple Access point with no routing at all.
Check the docs and the Linksys site.

I hope this helps !
Avatar of cssi


Well I tried setting the device to act as a router (or dumb hub) but the problem is that the modem is sending out a subnet of 192.168.0.X and that is the same subnet at the office.  I called tech support and they said that they cannot change the modem's behavior.  So I don't know what else to do.
Have you tried specifying the interface on the NSR?

Actually, with Netscreen you can have both ends on the same subnet. I've done it where the NS was in transparent mode; I haven't tried NAT/Route mode, but it should work.

Here are some possibilities.
1) the Linksys is changing the IP address that the NS is requiring in order to form the tunnel
2) the Linksys is blocking VPN traffic.

Let's start there.

1) Turn off the DHCP server on the Linksys, and make sure the VPN ports are open.

I hope this helps !
Avatar of cssi


Hold on guys, I finally got a local reseller to get me the Remote software contract so that I can download the latest version.  I won't get it until Friday (9/15/2006) so it will be Mon or Tues of next week until I can install it and see if that fixes my problem.  And it only cost me $20!!! And a week and a half of fighting Juniper for it!!!  Stay tuned.
Once you have your contract you should be able to login to the website and download it.
Check with your reseller, they might have the S# registered under them. Ask them to move it to your login at
Avatar of cssi


OK all, here's where I'm at now.  I finally got a new support contract from Juniper through a reseller for $20.  Just took me two weeks and 50 phone calls!!!

I upgraded the hardware and software remote to the latest versions.  When I try to connect from home I get a message in the log viewer that says, "Error sending driver registration: 10049".

Any thoughts on this one???
Ignore it :)
Sorry, I should 'splain a lil more :)

You have possibly a couple of problems: one rule is using any interface and should be using a specific one. All your rules are right, and you just need to restart the application.

I get them every once in a while; restarting the app, or manually forming the tunnels, seems to fix it.

The error is hurtful in that it doesn't stop traffic.
Avatar of cssi


OK, here's the scoop.  I figured out why I lost my connection and all of my other users are still working.  It is because I had allowed myself three logins.  Apparently for some reason the OS has a problem with that.  As soon as I changed it back to one login, everything is working.

So now that I have my device and software upgraded and working the old way I had it, it is now time to try what I wanted to do in the first place and that's to have my home computer be on the same IP subnet as the office.

I'm going to try that now and as soon as I have any results, I'll post them.

Thanks for all the suggestions.  Hopefully I'll get this working soon.
Avatar of cssi


Ok, here's where I'm at now.  I have things set up at home with the same subnet as work.  When I try to connect to the netscreen 5xp device all is OK.  I can even type in the ip address in my IE browser and up pops the netscreen OS screen.  I can log into it and even configure the device from home.

But here's the problem.  I can only get to the netscreen device.  I can't get to any resources on my work network.  No drive shares, no email, VNC doesn't work to shadow my users, and when I browse the network through "my network places" the domain only shows my home subnet's resources.  I can't ping any network servers either.  I can only ping the netscreen 5xp device.

So I think there must be a setting on the netscreen device that is not letting me through.  Do you all have any suggestions about that?

I am now up on version 5.0.0r9.0 on the 5xp device and version 10.7.2 on the Netscreen Remote (which is version 8.7 on the download file).

Thanks, Greg.
Avatar of cssi


In the Netscreen OS software for the 5xp device there is a section under Network called "Zones".  I saw some switches or flags in there but don't know what they mean, for instance:

Under the name "Trust" this is what I see:
    Zone Name:                          trust
    Virtual Router Name:                trust-vr
    Block Intra-Zone traffic:           <not checked>
    If TCP non SYN, send RESET back:    <checked>
    TCP/IP Reassembly for ALG:          <not checked>
    Asymmetric VPN:                     <not checked>

Under the name "Untrusted":
    Zone Name:                          untrust
    Virtual Router Name:                trust-vr
    Block Intra-Zone traffic:           <checked>
    If TCP non SYN, send RESET back:    <not checked>
    TCP/IP Reassembly for ALG:          <not checked>
    Asymmetric VPN:                     <not checked>

Under the name "MGT":
    Zone Name:                          MGT
    Virtual Router Name:                trust-vr
    Block Intra-Zone traffic:           <checked>

Under the name "VLAN":
    Zone Name:                          VLAN
    Virtual Router Name:                trust-vr
    Block Intra-Zone traffic:           <checked>
    If TCP non SYN, send RESET back:    <checked>
    TCP/IP Reassembly for ALG:          <not checked>

Under the name "V1-trust":
    Zone Name:                          V1-trust
    Virtual Router Name:                trust-vr
    Layer 2:                            VLAN ID: 1
    TCP/IP Reassembly for ALG:          <not checked>
    Services Options:
        Management Services:            Web UI <checked>, Telnet <checked>, SSH <checked>,
                                        SNMP <checked>, SSL <checked>
        Other Services:                 Ping <checked>, Ident-reset <unchecked>
    WebAuth:                            <unchecked>

Then one last one named "V1-untrusted" has the same options as V1-trust above but nothing is checked in it.

Would any of these settings be keeping me from accessing network resources???
so... let's see if I have this right...
your home computer / 24
your work network 192.168.1.x /24
your Linksys router is converting you from a 192.168 to a public IP to traverse the net.

Do your NSR and your Netscreen have a policy allowing the traffic to the inside network?

We could help more if you show us a sanitized config.

But if you are going through a tunnel to manage the NS, you should have no problems having a tunnel to the inside network.

Avatar of cssi


Jim, my home and work ip's are on 192.168.0.x /24

My linksys router is acting as a gateway which converts from a 192.168.0.x to a public IP.  You are correct.

I do have a policy on the 5xp to allow traffic through a VPN tunnel.

About my configuration file, I'm nervous about displaying it here because it has all of the ip addresses and maps.  Couldn't a hacker use that info to get into our system?

I will email it to you if you want.
Cssi, sanitize the config file :) Just remove the passwords, change the usernames and IPs. :) You can leave the non-routable IPs because, well, that really won't matter ;)

I can think of a possible reason right now why you're not connecting.

Your computer has basically a route saying where to get to the rest of your network (because of the NSR policy), but your network doesn't know how to get to your computer, because it thinks you're local, not through a VPN.

Try NAT'ing your connection on the NS inbound to your servers, or MIP or VIP. This way the IP you're connecting to the servers from truly IS a local IP.
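As an added example (not code from this thread), here is a small Python script that does the sanitizing described above before a config is posted publicly: it blanks passwords and pre-shared keys, renames accounts consistently, and replaces public addresses with placeholders while leaving RFC1918 addresses in place. The ScreenOS-style config fragment, the keyword list and the 198.18.0.N placeholder convention are constructed for the demo, not taken from the poster's device.

```python
import ipaddress
import re

# Constructed ScreenOS-style fragment for the demo; not a real device's config.
SAMPLE_CONFIG = """\
set admin name "netscreen"
set admin password "nG3FakeHashValue9"
set interface trust ip 192.168.0.1/24
set interface untrust ip 203.0.113.7/29
set route 0.0.0.0/0 interface untrust gateway 203.0.113.1
set user "greg" password "s3cret!"
set ike gateway "home-gw" address 198.51.100.20 preshare "myp5k" proposal "pre-g2-3des-sha"
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SECRET_RE = re.compile(r'\b(password|preshare)\s+"[^"]*"', re.IGNORECASE)  # credentials
USER_RE = re.compile(r'\b(set (?:admin name|user))\s+"([^"]*)"')             # account names


def keep_address(text):
    """Leave RFC1918 space, the default route and netmasks alone; hide everything else."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # e.g. "300.1.1.1" matched the regex but is not an address
        return True
    return any(addr in net for net in RFC1918) or text == "0.0.0.0" or text.startswith("255.")


def sanitize(config):
    """Return (sanitized text, public-IP map, user-name map) for a ScreenOS-style config."""
    ip_map, user_map = {}, {}

    def repl_ip(m):
        ip = m.group(0)
        if keep_address(ip):
            return ip
        # Each distinct public address becomes 198.18.0.N (RFC 2544 test range), so the
        # sanitized file still shows which lines refer to the same host.
        return ip_map.setdefault(ip, f"198.18.0.{len(ip_map) + 1}")

    def repl_user(m):
        name = user_map.setdefault(m.group(2), f"user{len(user_map) + 1}")
        return f'{m.group(1)} "{name}"'

    out = []
    for line in config.splitlines():
        line = SECRET_RE.sub(r'\1 "REDACTED"', line)   # blank passwords and pre-shared keys
        line = USER_RE.sub(repl_user, line)
        out.append(IPV4_RE.sub(repl_ip, line))
    return "\n".join(out), ip_map, user_map
```

Keep the returned maps private; they are the key to undoing the substitution if someone asks about a specific host later.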

Avatar of cssi


Well Jim, I'm not sure from your comment exactly what I need to do.  Where do I do the NAT'ing?  The only place I see MIP is under Networking->Interfaces.  Not under Policies.  Is this the correct place?

And if yes, what kind of interface do I want to set up, Trusted or Untrusted or Vlan1?  And what should be my Mapped IP address and what should be my Host IP address?

You can try, firstly, just using NAT: go into the policy that allows the traffic, go to Advanced, and choose the NAT button at the top.
Avatar of cssi


There's not simply a NAT checkbox.  It looks like:

    NAT |  <checkbox> Source Translation        (DIP on): None (Use Egress Interface IP)
        |  <checkbox> Destination Translation   <radio button> Translate to IP:
        |                                           <checkbox> Map to Port: 0
        |                                       <radio button> Translate to IP Range:  -

You want Source Translation, using the egress interface IP.
Avatar of cssi


I have a solution finally.  But none of us were even close.  I called the Juniper Tech Supp line now that I have a contract and they helped me get it set up.

Basically in a short version I needed to:

1. Create an IP Pool in whatever subnet; I chose to 255.
2. Set up a dummy corporate user as an IKE user, using a generic email address such as users@<yourdomainname>.com.
3. Set up all other remote users as XAuth users, with usernames and passwords; select the IP pool and put in the DNS and WINS server IP addresses.
4. Set up one local group and assign the IKE user created in step 2 to that group.
5. Then create the Gateway: choose the Dialup User Group created in step 4, type in a preshared key, click on the Advanced button and select Custom, under Phase 1 Proposal select pre-g2-3des-sha, check the Enable NAT Traversal box, click the XAuth Server radio button and the User Default radio button under that.  Click Return and OK.
6. Set up the AutoKey IKE.  Give it a name, click on Custom and under Remote Gateway choose Predefined and select the Gateway created in step 5.  Click the Advanced button and select Custom, under Phase 2 Proposal select nopfs-esp-3des-sha, make sure Bind to is none, click Return and OK.
7. Set up your policy -- from Untrust to Trust.  Give it a name, Source Address is Address Book Entry, select Dial-Up VPN.  Destination Address is Address Book Entry, select the subnet of your corporate network.  Service can be ANY, Action should be Tunnel, Tunnel VPN -- select your VPN set up in step 6.  Click to select the radio button that says "Modify matching bidirectional VPN policy".  Check logging and click OK to save.

That's it.  Thanks for trying guys, but this was more complicated than anyone could imagine.  So I will have to withdraw the points because no one had the answer.  Thanks again for trying to help.
Yup, that's one way of doing it.

My way would work too :) But as long as you got it working that's all that matters!

I know this is a relatively old post, but it reflects my own situation. I want to create a bi-directional VPN for a Double-Take application. One way VPN (with no WINS or DNS, so LMHOSTS file) is working.
I have a Netscreen 5XP with an old Screen OS (3.0.6) and have found new version of Netscreen-Remote.
But this model has now passed into end-of-life - I cannot buy a support contract, so I can't get the latest ScreenOS. The current version doesn't allow me to create the reverse Tunnel entry (it tells me to use the Dial-up VPN tunnel, but that isn't listed).
So if anyone can help, that'd be great. (bm at ind-tech dot com would reach me)