Netscreen VPN problem

Discussion in 'Tomato Firmware' started by Illegal_Operation, Jun 6, 2007.

  1. Illegal_Operation

    Illegal_Operation LI Guru Member

    Hi, just upgraded my Linksys WRT54GS to Tomato ver 1.07 but still unable to use my office network resources via VPN... I put the IP address in the DMZ but still unable to use network resources... I am able to connect to the VPN via Netscreen....

  2. roadkill

    roadkill Super Moderator Staff Member Member

    Care to elaborate?
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sounds like a problem I had setting up my girlfriend's VPN. Make sure your LAN's subnet is different from your office network's subnet. This would cause you to connect to the VPN fine, but access to "network resources" would be unpredictable at best.

    If you are using Windows, open a command prompt after connecting to the VPN and type ipconfig /all. If the IP addresses on the local Ethernet card and the VPN adapter share the first three octets (i.e., then you need to change your local subnet to something else ( for example).

    Hope that's your problem, and this fixes it, but it's kind of hard to tell without some details...
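    The subnet-overlap check from this reply, as an added example that is not part of the original thread: it parses ipconfig /all style output (a constructed sample, not the poster's real addresses), reports adapter pairs whose networks overlap, and picks a 192.168.x.0/24 LAN subnet that avoids the VPN adapter's network. The adapter names and addresses are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `ipconfig /all` output (not taken from the thread): the
# local Ethernet card and the VPN adapter both land in 192.168.1.0/24, which is
# the overlap case described in the post above.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.105
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter VPN Adapter:
   IP Address. . . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")          # "Ethernet adapter X:" / "PPP adapter X:"
ADDR_RE = re.compile(r"IP(?:v4)? Address.*: ([\d.]+)")   # XP "IP Address" and Vista+ "IPv4 Address"
MASK_RE = re.compile(r"Subnet Mask.*: ([\d.]+)")


def parse_ipconfig(text: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each adapter name to its IPv4 interface (address plus mask)."""
    adapters: Dict[str, ipaddress.IPv4Interface] = {}
    name = addr = mask = None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            name, addr, mask = m.group(1), None, None
        elif m := ADDR_RE.search(line):
            addr = m.group(1)
        elif m := MASK_RE.search(line):
            mask = m.group(1)
        if name and addr and mask:
            adapters[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            addr = mask = None
    return adapters


def overlapping_adapters(adapters: Dict[str, ipaddress.IPv4Interface]) -> List[Tuple[str, str]]:
    """Adapter pairs whose networks overlap; traffic for the remote LAN then never leaves the local one."""
    names = sorted(adapters)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if adapters[a].network.overlaps(adapters[b].network)]


def suggest_lan_subnet(adapters: Dict[str, ipaddress.IPv4Interface], lan_name: str) -> ipaddress.IPv4Network:
    """First 192.168.x.0/24 that clashes with no other adapter: the 'change your local subnet' fix."""
    others = [iface.network for n, iface in adapters.items() if n != lan_name]
    for candidate in ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=24):
        if not any(candidate.overlaps(o) for o in others):
            return candidate
    raise ValueError("no free 192.168.x.0/24 subnet")
```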
  4. Illegal_Operation

    Illegal_Operation LI Guru Member

    Okay, here are more details:

    1) I am using Netscreen to VPN via my Linksys WRT54GS; I am able to VPN but NOT ABLE to access the network resources. My IP address would be something like

    2) When I switch to dial-up, I am ABLE to VPN and access the network resources. Note: there are no other IP addresses being assigned to me when I connect via VPN, only the public IP address, i.e. 202.168.***.***

    3) When I switch directly to my cable modem instead of connecting via my router, I am also ABLE to access the network resources. My IP address would be only one public IP address and not one from the VPN, i.e. 202.168.***.***

    4) I have enabled the VPN options on my Linksys (see below)
    IPSec Passthrough: Enable
    PPTP Passthrough: Enable
    L2TP Passthrough: Enable
    Note: if I disable IPSec Passthrough, I will not be able to connect to the VPN.

    5) I have ports 500 and 4500 in my port forwarding but still no use.

    6) My friend is using a D-Link and he is able to VPN to my office successfully.

    Any more details that you need?
  5. roadkill

    roadkill Super Moderator Staff Member Member

    I think you need to add 192.168.x.x to your policy trust list.
    You can try to replicate the settings used by your friend's D-Link.

    Make sure those ports are forwarded:

    * Protocol 50 ESP
    * Protocol 51 AH (optional)
    * UDP port 500 IKE
    * UDP port 4500 (if you are using NAT-Traversal to tunnel through NAT/other firewalls)

    NAT-Traversal has a nasty bug in some Netscreen firmware versions.
  6. Illegal_Operation

    Illegal_Operation LI Guru Member

    Sorry, don't quite get what you mean. Where do I add my IP in the policy trust list? In my router? Or the Netscreen client?

    I have already tried forwarding ports 50, 500 and 4500 but to no use. I will try again together with port 51 and see whether it helps. Thanks
  7. roadkill

    roadkill Super Moderator Staff Member Member

    I assume the Netscreen client could have a policy setting, but I would first try to replicate the D-Link's settings (maybe the netmask there is 10.x.x.x or something).
  8. Illegal_Operation

    Illegal_Operation LI Guru Member

    Just tried giving a static IP address and forwarding ports 50, 500, 4500 and 51. This method was also no use. It can connect to the VPN but cannot use the resources.

    Btw, below is my Netscreen security policy, see whether it helps:

    Authentication Method: Pre-Shared Key
    Encrypt Alg: DES
    Hash Alg: MD5
    SA Life: Unspecified
    Key Group: Diffie-Hellman Group 2

    Key Exchange
    SA Life: Unspecified
    Compression: None
    Encrypt Alg: Triple DES
    Hash Alg: SHA-1
    Encapsulation: Tunnel

    Connection Security = Secure
    Remote Party Identity and Addressing
    ID Type = IP Subnet
    Subnet = 10.183.**.**
    Mask =
    Protocol = ALL
    Use Secure Gateway Tunnel
    ID Type = IP address

    Security Policy
    Select Phase 1 Negotiation Mode = Aggressive Mode
    Enable Replay Detection
  9. roadkill

    roadkill Super Moderator Staff Member Member

    Does the Netscreen VPN client have a network device?
  10. Illegal_Operation

    Illegal_Operation LI Guru Member

    Yeah, I think it is using Juniper...

    Btw, my friend who is using a D-Link is able to connect to the network resources.... I think it must be a Linksys problem.
  11. roadkill

    roadkill Super Moderator Staff Member Member

    Can you replicate the settings from your friend's router (netmask/IP addressing)?
  12. ifican

    ifican Network Guru Member

    Just for clarification, are you using the Netscreen client? Also remove any port forwards you have in place on the WRT, as you are only going to cause yourself grief. Once you have the port forwards removed, attempt to connect and let me know what you get.
  13. Illegal_Operation

    Illegal_Operation LI Guru Member

    Yup, I am using the Netscreen client. I removed the port forwarding, just like normal. I tried to connect to the VPN; as usual it was successful, but when I try to use the network resources, it does not allow me to.

    As for roadkill's suggestion, I will try to copy down my friend's D-Link settings, but I don't find any netmask in my Linksys Tomato configuration?