GCIT_Manager


Can't browse web when VPN over IPSEC using L2TP

Our users have L2TP access to VPN in using IPSEC. They have set everything up correctly on their end and when they connect they can remote desktop to any appropriate machine internally. However they cannot use their internet browser. It comes back with page cannot be displayed.

I'm brand new at using these Netscreen 25 devices. Our firmware is: 5.3.0r4.0
sharedit

Split tunneling is not enabled. What device is serving up the VPN connections? I might not be of much help if it is not a Cisco device, but I'll see what I can do.


Netscreen 25 devices. Our firmware is: 5.3.0r4.0

It's a Juniper Firewall.
Can you paste the sanitized config of your firewall? Remove all passwords, hashes and usernames, and mask two octets of each public IP.

Please update.

Thank you.
Can this be determined from the web?
You can get the config from the web interface, or from the CLI by issuing the following command:
get config

Then sanitize the config before pasting it here, as explained earlier.

Thank you.
What client software do you use?  Juniper Netscreen Remote Client software normally provides split tunnel capability with a standard setup. I use Juniper Netscreen Remote on XP machines and SafeNet Soft Remote on Vista 64-bit machines. ... T
I'll check on Monday; no time this weekend :-(
set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "HTTP" timeout 5
set service "Remote Desktop" protocol tcp src-port 0-65535 dst-port 3389-3389
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "PWD-REMOVED"
set admin user "USER1" password "PWD-REMOVED" privilege "all"
set admin user "USER2" password "PWD-REMOVED" privilege "all"
set admin port 8080
set admin scs password disable username netscreen
set admin scs password disable username USER1
set admin auth timeout 5
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "Null"
set interface "ethernet3" zone "Null"
set interface "ethernet4" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 172.X.X.1/24
set interface ethernet1 nat
set interface ethernet4 ip 64.X.X.194/29
set interface ethernet4 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet4 ip manageable
unset interface ethernet1 manage snmp
set interface ethernet4 manage ping
set interface ethernet4 manage telnet
set interface ethernet4 manage web
set interface ethernet4 vip untrust 80 "HTTP" 172.X.X.3 manual
set interface ethernet4 vip untrust 443 "HTTPS" 172.X.X.3 manual
set interface ethernet4 vip untrust 3389 "Remote Desktop" 172.X.X.3 manual
set interface "ethernet4" mip 64.X.X.197 host 172.X.X.116 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet4" mip 64.X.X.195 host 172.X.X.113 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet4" mip 64.X.X.196 host 172.X.X.114 netmask 255.255.255.255 vr "trust-vr"
unset flow tcp-syn-check
set domain DOMAIN1.LOCAL
set hostname DOMAIN1_NS25
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 172.X.X.2
set dns host dns2 204.X.X.127
set dns host schedule 06:28
set address "Trust" "172.X.X.0/24" 172.X.X.0 255.255.255.0
set address "Trust" "VPN Trust" 172.X.X.0 255.255.255.0
set address "Untrust" "172.X.X.0/255.255.255.0" 172.X.X.0 255.255.255.0
set address "Untrust" "64.X.X.59/255.255.255.0" 64.X.X.59 255.255.255.0
set ippool "L2TP Pool" 172.X.X.50 172.X.X.60
set user "Admins" uid 1
set user "Admins" type  l2tp
set user "Admins" remote ippool "L2TP Pool"
set user "Admins" remote dns1 "172.X.X.2"
set user "Admins" password "PASSWORD_REMOVED"
unset user "Admins" type auth
set user "Admins" "enable"
set user "USER1" uid 12
set user "USER1" type  l2tp
set user "USER1" remote ippool "L2TP Pool"
set user "USER1" remote dns1 "172.X.X.2"
set user "USER1" password "PASSWORD_REMOVED"
unset user "USER1" type auth
set user "USER1" "enable"
set user "MYUSERNAME" uid 13
set user "MYUSERNAME" type  l2tp
set user "MYUSERNAME" remote ippool "L2TP Pool"
set user "MYUSERNAME" remote dns1 "172.X.X.2"
set user "MYUSERNAME" password "PASSWORD_REMOVED"
unset user "MYUSERNAME" type auth
set user "MYUSERNAME" "enable"
set user "USER3" uid 9
set user "USER3" type  l2tp
set user "USER3" remote ippool "L2TP Pool"
set user "USER3" remote dns1 "172.X.X.2"
set user "USER3" password "PASSWORD_REMOVED"
unset user "USER3" type auth
set user "USER3" "enable"
set user "USER2" uid 7
set user "USER2" type  l2tp
set user "USER2" remote ippool "L2TP Pool"
set user "USER2" remote dns1 "172.X.X.2"
set user "USER2" password "PASSWORD_REMOVED"
unset user "USER2" type auth
set user "USER2" "enable"
set user "USER4" uid 8
set user "USER4" type  l2tp
set user "USER4" remote ippool "L2TP Pool"
set user "USER4" remote dns1 "172.X.X.2"
set user "USER4" password "PASSWORD_REMOVED"
unset user "USER4" type auth
set user "USER4" "enable"
set user "USER5" uid 14
set user "USER5" type  l2tp
set user "USER5" remote ippool "L2TP Pool"
set user "USER5" remote dns1 "172.X.X.2"
set user "USER5" password "PASSWORD_REMOVED"
unset user "USER5" type auth
set user "USER5" "enable"
set ike gateway "RDDev1 to GRT" address 64.X.X.59 Main outgoing-interface "ethernet4" preshare "" sec-level standard
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "RDDev1 GRT" gateway "RDDev1 to GRT" no-replay tunnel idletime 0 sec-level standard
set vpn "RDDev1 GRT" monitor optimized rekey
set l2tp default dns1 172.X.X.2
set l2tp default dns2 172.X.X.2
set l2tp default ippool "L2TP Pool"
set l2tp "L2TP-Tun1" id 1 outgoing-interface ethernet4 keepalive 30
set l2tp "L2TP-Tun1" remote-setting ippool "L2TP Pool" dns1 172.X.X.2 dns2 172.X.X.2
set l2tp "L2TP-Tun1" auth server "Local"
set url protocol sc-cpa
exit
set policy id 7 from "Untrust" to "Trust"  "172.X.X.0/255.255.255.0" "172.X.X.0/24" "ANY" tunnel vpn "RDDev1 GRT" id 2 pair-policy 6 log count
set policy id 7
set log session-init
exit
set policy id 6 from "Trust" to "Untrust"  "172.X.X.0/24" "172.X.X.0/255.255.255.0" "ANY" tunnel vpn "RDDev1 GRT" id 2 pair-policy 7 log count
set policy id 6
set log session-init
exit
set policy id 5 name "Inbound VPN" from "Untrust" to "Trust"  "Dial-Up VPN" "VPN Trust" "ANY" tunnel l2tp "L2TP-Tun1" log
set policy id 5
exit
set policy id 1 name "Inbound WWW" from "Untrust" to "Trust"  "Any" "VIP(ethernet4)" "HTTP" permit log count
set policy id 1
set service "HTTPS"
exit
set policy id 2 name "Inbound Remote Desktop" from "Untrust" to "Trust"  "Any" "VIP(ethernet4)" "Remote Desktop" permit log
set policy id 2
exit
set policy id 3 name "Outbound Access" from "Trust" to "Untrust"  "Any" "Any" "DNS" permit log count
set policy id 3
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "MAIL"
set service "NTP"
set service "PING"
set service "Remote Desktop"
set service "TRACEROUTE"
exit
set policy id 8 name "VM6" from "Untrust" to "Trust"  "Any" "MIP(64.X.X.197)" "HTTP" permit log
set policy id 8
set service "HTTPS"
exit
set policy id 9 name "VM3" from "Untrust" to "Trust"  "Any" "MIP(64.X.X.195)" "HTTP" permit log
set policy id 9
set service "HTTPS"
exit
set policy id 10 name "VM4" from "Untrust" to "Trust"  "Any" "MIP(64.X.X.196)" "HTTP" permit log
set policy id 10
set service "HTTPS"
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet4 gateway 64.X.X.193
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
I'm just connecting via the web interface. Users are creating l2tp vpn connection using microsoft's connection wizard.
If users are using Microsoft's built-in VPN client connection, then as far as I know that is not split-tunneled. I have a client where I use that and cannot browse at the same time. I have all my other clients using the Juniper Netscreen Remote Client and I can browse just fine. .... T
Where do you get the remote client software?

ASKER CERTIFIED SOLUTION
John
Thanks. I've contacted Juniper about downloading this since we have support. I'll let you know how it goes.