JackShuker
asked on
Remote clients VPN connect to Juniper Router but cannot access 2nd site through Site VPN
Hello All
My issue is with some new Juniper SSG 140s that were installed and recommended by our Telecoms persons. We are not that familiar with the Junipers.
We have 2 sites, both with these routers. There is a site-to-site VPN set up between the routers.
We have remote clients that use dialup VPN to the routers to get on respective networks but they cannot access the other site through the site to site VPN.
Client A connects to Router A and can access local site A but cannot access Site B through Site VPN
Client B connects to Router B and can access local site B but cannot access Site B through Site VPN
If client A is local on site A network then can access Site B without problem
Can anyone recommend some good guides to familiarise myself with possible issues for this situation?
Regards
Chris
It's a routing issue. Make sure you assign a UNIQUE address pool to the dial-up clients from either gateway. Then configure the routing accordingly.
Of course, use a decent VPN client in the first place as it can screw things up as well. What client are you using?
ASKER
I think both comments sound correct
The dial-up client is Shrew Soft VPN; it connects and gets given the same address pool when connecting to either site's router. I guess this would confuse routing.
Also, there has not been a static route added to send traffic back to either dial-up pool in the other site - this links back to the first point.
I thought about the above two points but presumed that the Junipers dealt with the routing in some other way as it was using the firewall and maybe dynamic updates of which clients were connected. I assumed the third party had set it up correctly as they supposedly knew the router well.
I will make some changes tonight and test
Good. Also I suggest a professional IPsec VPN client such as the Juniper recommended NCP Juniper Edition client (www.ncp-e.com).
Try the NCP client. It is 30 days free unlimited trial. Also you can contact their technical support during that time free of charge: helpdesk@ncp-e.com. Make sure you uninstall and remove the Shrew client before installing the NCP Juniper client.
ASKER
None of the other answers were relevant enough and I carried on with my own plan
If so, then site B needs a route statement pointing back to the site A VPN tunnel, referencing the IP block assigned to remote VPN users.
For example, I have a SonicWall VPN at my corp site. With IP 192.168.200.1/24, my corp LAN is 192.168.16.1/24. At site B I have a separate route statement for each network, pointing to the tunnel that my VPN is bound to.
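The two checks raised in this thread (a unique dial-up pool per gateway, and a route at each site sending the other site's pool back into the tunnel), written as an added example that is not from any poster. The `check_dialup_routing` helper and all subnets and pool ranges are constructed for illustration.

```python
import ipaddress

def check_dialup_routing(sites):
    """Return findings for a multi-site VPN addressing plan.

    sites maps a site name to its LAN, its dial-up address pool, and the
    prefixes it routes into the site-to-site tunnel (all CIDR strings).
    """
    nets = {
        name: {
            "lan": ipaddress.ip_network(s["lan"]),
            "pool": ipaddress.ip_network(s["pool"]),
            "routes": [ipaddress.ip_network(r) for r in s["tunnel_routes"]],
        }
        for name, s in sites.items()
    }
    names = sorted(nets)
    findings = []
    for i, a in enumerate(names):
        pool = nets[a]["pool"]
        # Check 1: the pool must be unique across gateways and clear of every LAN.
        for b in names[i + 1:]:
            if pool.overlaps(nets[b]["pool"]):
                findings.append(f"dial-up pools of {a} and {b} overlap ({pool})")
        for b in names:
            if pool.overlaps(nets[b]["lan"]):
                findings.append(f"dial-up pool of {a} overlaps LAN of {b}")
        # Check 2: every other site needs a tunnel route back to this pool.
        for b in names:
            if b != a and not any(pool.subnet_of(r) for r in nets[b]["routes"]):
                findings.append(f"site {b} has no tunnel route back to {a} pool {pool}")
    return findings

# Constructed sample plans (addresses are illustrative, not from the thread).
AS_REPORTED = {  # same pool handed out by both gateways, no return routes
    "A": {"lan": "192.168.1.0/24", "pool": "10.10.10.0/24", "tunnel_routes": ["192.168.2.0/24"]},
    "B": {"lan": "192.168.2.0/24", "pool": "10.10.10.0/24", "tunnel_routes": ["192.168.1.0/24"]},
}
CORRECTED = {  # one pool per gateway, each site routes the remote pool into the tunnel
    "A": {"lan": "192.168.1.0/24", "pool": "10.10.10.0/24",
          "tunnel_routes": ["192.168.2.0/24", "10.10.20.0/24"]},
    "B": {"lan": "192.168.2.0/24", "pool": "10.10.20.0/24",
          "tunnel_routes": ["192.168.1.0/24", "10.10.10.0/24"]},
}

if __name__ == "__main__":
    for label, plan in (("as reported", AS_REPORTED), ("corrected", CORRECTED)):
        print(label, check_dialup_routing(plan) or "OK")
```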