Solved

Can't browse web when VPN over IPSEC using L2TP

Posted on 2008-10-28
Last Modified: 2012-05-05
Our users have L2TP access to the VPN using IPSEC. They have set everything up correctly on their end and when they connect they can remote desktop to any appropriate machine internally. However they cannot use their internet browser. It comes back with "page cannot be displayed".

I'm brand new at using these Netscreen 25 devices. Our firmware is: 5.3.0r4.0
Question by:GCIT_Manager
 
LVL 5

Expert Comment

by:sharedit
ID: 22835945
Split tunneling is not enabled. What device is serving up VPN connections? I might not be of much help if it is not a Cisco device, but I'll see what I can do.

 

Author Comment

by:GCIT_Manager
ID: 22839865
Netscreen 25 devices. Our firmware is: 5.3.0r4.0

It's a Juniper Firewall.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22856698
Can you paste the sanitized config of your firewall: remove all passwords, hashes and usernames, and mask two octets of the public IPs.

Please update.

Thank you.
 

Author Comment

by:GCIT_Manager
ID: 22857368
Can this be determined from the web?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22858015
You can get the config from the web interface; also from the CLI, you can issue the following command:
get config

then sanitize the config before pasting here as explained earlier.

Thank you.
 
LVL 90

Expert Comment

by:John Hurst
ID: 22858192
What client software do you use? Juniper Netscreen Remote Client software normally provides split tunnel capability with a standard setup. I use Juniper Netscreen Remote on XP machines and SafeNet Soft Remote on Vista 64-bit machines. ... T

Author Comment

by:GCIT_Manager
ID: 22858863
I'll check on Monday. No time this weekend :-(
 

Author Comment

by:GCIT_Manager
ID: 22866891
set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "HTTP" timeout 5
set service "Remote Desktop" protocol tcp src-port 0-65535 dst-port 3389-3389
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "PWD-REMOVED"
set admin user "USER1" password "PWD-REMOVED" privilege "all"
set admin user "USER2" password "PWD-REMOVED" privilege "all"
set admin port 8080
set admin scs password disable username netscreen
set admin scs password disable username USER1
set admin auth timeout 5
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "Null"
set interface "ethernet3" zone "Null"
set interface "ethernet4" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 172.X.X.1/24
set interface ethernet1 nat
set interface ethernet4 ip 64.X.X.194/29
set interface ethernet4 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet4 ip manageable
unset interface ethernet1 manage snmp
set interface ethernet4 manage ping
set interface ethernet4 manage telnet
set interface ethernet4 manage web
set interface ethernet4 vip untrust 80 "HTTP" 172.X.X.3 manual
set interface ethernet4 vip untrust 443 "HTTPS" 172.X.X.3 manual
set interface ethernet4 vip untrust 3389 "Remote Desktop" 172.X.X.3 manual
set interface "ethernet4" mip 64.X.X.197 host 172.X.X.116 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet4" mip 64.X.X.195 host 172.X.X.113 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet4" mip 64.X.X.196 host 172.X.X.114 netmask 255.255.255.255 vr "trust-vr"
unset flow tcp-syn-check
set domain DOMAIN1.LOCAL
set hostname DOMAIN1_NS25
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 172.X.X.2
set dns host dns2 204.X.X.127
set dns host schedule 06:28
set address "Trust" "172.X.X.0/24" 172.X.X.0 255.255.255.0
set address "Trust" "VPN Trust" 172.X.X.0 255.255.255.0
set address "Untrust" "172.X.X.0/255.255.255.0" 172.X.X.0 255.255.255.0
set address "Untrust" "64.X.X.59/255.255.255.0" 64.X.X.59 255.255.255.0
set ippool "L2TP Pool" 172.X.X.50 172.X.X.60
set user "Admins" uid 1
set user "Admins" type  l2tp
set user "Admins" remote ippool "L2TP Pool"
set user "Admins" remote dns1 "172.X.X.2"
set user "Admins" password "PASSWORD_REMOVED"
unset user "Admins" type auth
set user "Admins" "enable"
set user "USER1" uid 12
set user "USER1" type  l2tp
set user "USER1" remote ippool "L2TP Pool"
set user "USER1" remote dns1 "172.X.X.2"
set user "USER1" password "PASSWORD_REMOVED"
unset user "USER1" type auth
set user "USER1" "enable"
set user "MYUSERNAME" uid 13
set user "MYUSERNAME" type  l2tp
set user "MYUSERNAME" remote ippool "L2TP Pool"
set user "MYUSERNAME" remote dns1 "172.X.X.2"
set user "MYUSERNAME" password "PASSWORD_REMOVED"
unset user "MYUSERNAME" type auth
set user "MYUSERNAME" "enable"
set user "USER3" uid 9
set user "USER3" type  l2tp
set user "USER3" remote ippool "L2TP Pool"
set user "USER3" remote dns1 "172.X.X.2"
set user "USER3" password "PASSWORD_REMOVED"
unset user "USER3" type auth
set user "USER3" "enable"
set user "USER2" uid 7
set user "USER2" type  l2tp
set user "USER2" remote ippool "L2TP Pool"
set user "USER2" remote dns1 "172.X.X.2"
set user "USER2" password "PASSWORD_REMOVED"
unset user "USER2" type auth
set user "USER2" "enable"
set user "USER4" uid 8
set user "USER4" type  l2tp
set user "USER4" remote ippool "L2TP Pool"
set user "USER4" remote dns1 "172.X.X.2"
set user "USER4" password "PASSWORD_REMOVED"
unset user "USER4" type auth
set user "USER4" "enable"
set user "USER5" uid 14
set user "USER5" type  l2tp
set user "USER5" remote ippool "L2TP Pool"
set user "USER5" remote dns1 "172.X.X.2"
set user "USER5" password "PASSWORD_REMOVED"
unset user "USER5" type auth
set user "USER5" "enable"
set ike gateway "RDDev1 to GRT" address 64.X.X.59 Main outgoing-interface "ethernet4" preshare "" sec-level standard
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "RDDev1 GRT" gateway "RDDev1 to GRT" no-replay tunnel idletime 0 sec-level standard
set vpn "RDDev1 GRT" monitor optimized rekey
set l2tp default dns1 172.X.X.2
set l2tp default dns2 172.X.X.2
set l2tp default ippool "L2TP Pool"
set l2tp "L2TP-Tun1" id 1 outgoing-interface ethernet4 keepalive 30
set l2tp "L2TP-Tun1" remote-setting ippool "L2TP Pool" dns1 172.X.X.2 dns2 172.X.X.2
set l2tp "L2TP-Tun1" auth server "Local"
set url protocol sc-cpa
exit
set policy id 7 from "Untrust" to "Trust"  "172.X.X.0/255.255.255.0" "172.X.X.0/24" "ANY" tunnel vpn "RDDev1 GRT" id 2 pair-policy 6 log count
set policy id 7
set log session-init
exit
set policy id 6 from "Trust" to "Untrust"  "172.X.X.0/24" "172.X.X.0/255.255.255.0" "ANY" tunnel vpn "RDDev1 GRT" id 2 pair-policy 7 log count
set policy id 6
set log session-init
exit
set policy id 5 name "Inbound VPN" from "Untrust" to "Trust"  "Dial-Up VPN" "VPN Trust" "ANY" tunnel l2tp "L2TP-Tun1" log
set policy id 5
exit
set policy id 1 name "Inbound WWW" from "Untrust" to "Trust"  "Any" "VIP(ethernet4)" "HTTP" permit log count
set policy id 1
set service "HTTPS"
exit
set policy id 2 name "Inbound Remote Desktop" from "Untrust" to "Trust"  "Any" "VIP(ethernet4)" "Remote Desktop" permit log
set policy id 2
exit
set policy id 3 name "Outbound Access" from "Trust" to "Untrust"  "Any" "Any" "DNS" permit log count
set policy id 3
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "MAIL"
set service "NTP"
set service "PING"
set service "Remote Desktop"
set service "TRACEROUTE"
exit
set policy id 8 name "VM6" from "Untrust" to "Trust"  "Any" "MIP(64.X.X.197)" "HTTP" permit log
set policy id 8
set service "HTTPS"
exit
set policy id 9 name "VM3" from "Untrust" to "Trust"  "Any" "MIP(64.X.X.195)" "HTTP" permit log
set policy id 9
set service "HTTPS"
exit
set policy id 10 name "VM4" from "Untrust" to "Trust"  "Any" "MIP(64.X.X.196)" "HTTP" permit log
set policy id 10
set service "HTTPS"
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet4 gateway 64.X.X.193
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
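An added check, written for this thread and not from the original posts or from Juniper: it parses the top-level `set policy` lines of the posted ScreenOS config (a constructed excerpt, octets masked as posted) and reports which zone pairs the "Dial-Up VPN" address can traverse. A client that sends all traffic through the tunnel needs a policy towards the Untrust zone to reach the Internet at all; the excerpt only has the Untrust to Trust policy.

```python
import re

# Constructed excerpt of the ScreenOS policy lines posted in the thread (octets masked as posted).
SAMPLE_CONFIG = """\
set policy id 5 name "Inbound VPN" from "Untrust" to "Trust"  "Dial-Up VPN" "VPN Trust" "ANY" tunnel l2tp "L2TP-Tun1" log
set policy id 5
exit
set policy id 1 name "Inbound WWW" from "Untrust" to "Trust"  "Any" "VIP(ethernet4)" "HTTP" permit log count
set policy id 3 name "Outbound Access" from "Trust" to "Untrust"  "Any" "Any" "DNS" permit log count
set policy id 3
set service "HTTP"
exit
set policy id 7 from "Untrust" to "Trust"  "172.X.X.0/255.255.255.0" "172.X.X.0/24" "ANY" tunnel vpn "RDDev1 GRT" id 2 pair-policy 6 log count
"""

# Matches only the policy definition line; the bare `set policy id N` re-entry lines do not match.
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+)(?: name "(?P<name>[^"]*)")? '
    r'from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)"\s+'
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" (?P<action>\w+)'
)


def parse_policies(config):
    """Return one dict per `set policy id N ... from ... to ...` line, in file order."""
    policies = []
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["id"] = int(entry["id"])
            policies.append(entry)
    return policies


def dialup_zone_pairs(policies, src_name="Dial-Up VPN"):
    """Zone pairs (from, to) that dial-up (L2TP) clients are allowed to traverse."""
    return sorted({(p["src_zone"], p["dst_zone"]) for p in policies if p["src"] == src_name})


def internet_path_exists(policies, untrust="Untrust"):
    """True if some policy lets dial-up VPN clients reach the Untrust zone.
    Without split tunneling every packet, including web traffic, arrives through
    the tunnel, so with no such policy only internal hosts (e.g. RDP) are reachable."""
    return any(p["src"] == "Dial-Up VPN" and p["dst_zone"] == untrust for p in policies)


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    for p in pols:
        print(p["id"], p["name"], p["src_zone"], "->", p["dst_zone"], p["src"], p["action"])
    print("dial-up zone pairs:", dialup_zone_pairs(pols))
    print("dial-up clients can reach Untrust:", internet_path_exists(pols))
```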
 

Author Comment

by:GCIT_Manager
ID: 22866896
I'm just connecting via the web interface. Users are creating the L2TP VPN connection using Microsoft's connection wizard.
 
LVL 90

Expert Comment

by:John Hurst
ID: 22866934
If users are using Microsoft's client VPN connection, then as far as I know, that is not split tunnel. I have a client where I use that and cannot browse at the same time. I have all my other clients using Juniper Netscreen Remote Client and I can browse just fine. .... T
 

Author Comment

by:GCIT_Manager
ID: 22866949
Where do you get the remote client software?
 
LVL 90

Accepted Solution

by:John Hurst (earned 125 total points)
ID: 22866985
I got the remote client software from my local computer vendor in Toronto (a large, Canada-wide vendor), so some nearby reseller should be able to help you. You would also need help in configuring the software (VPNs are not intuitively trivial). Netscreen sells in quantities of 10, which is usually OK for a small business.

You can also buy similar software from SafeNet (which is, in fact, the maker of the remote client software that Netscreen re-sells). In quantities of 1, however, SoftRemote (SafeNet) is expensive.

Best bet - talk to a local vendor who can both sell and configure the software. ... T
 

Author Comment

by:GCIT_Manager
ID: 22867100
Thanks. I've contacted Juniper about downloading this since we have support. I'll let you know how it goes.
