netscreen vpn tunnel

on 08.01.2008 15:31:48 by Christian Rehberger

Hi all,

I've a problem with my new Netscreen SSG140.

I set up several vpn tunnels and I can ping the servers on the other
locations from all my subnets here.

But I cannot ping any server via the tunnels directly from the netscreen
box.

Any idea?

Tia

Chris

--
Christian Rehberger
System Consultant · OCLC PICA GmbH
Grünwalder Weg 28g · 82041 Oberhaching · Germany
t +49-(0)89-61308 333 · f +49-(0)89-61308 399
e c.rehberger@oclcpica.org · w http://www.oclcpica.org

OCLC PICA GmbH
Managing Directors:
Christine Magin-Weeger,
Norbert Weinberger
Registered office: Oberhaching
Commercial Register (HRB) Munich: 113261

Re: netscreen vpn tunnel

on 08.01.2008 21:22:15 by Burkhard Ott

On Tue, 08 Jan 2008 15:31:48 +0100, Christian Rehberger wrote:

Hi
> I've a problem with my new Netscreen SSG140.
We use some of these too.

> I set up several vpn tunnels and I can ping the servers on the other
> locations from all my subnets here.
>
> But I cannot ping any server via the tunnels directly from the netscreen
> box.
>
> Any idea?
It depends on the setup you use (policy-based or route-based). Try the
following first:
Get access to the console (not the web frontend),
type: 'set ffilter dst-ip x.x.x.x'

'clear db' <-- no worry, it only clears the buffer, not the config :)

Now ping through the tunnel (continuous ping)
type: 'debug flow basic'
type: 'get db stream' <-- now you can follow the traffic and see what
happens to the packets.
Once you have captured enough packets, type 'undebug all', otherwise the buffer
gets bigger and bigger.

cheers

Re: netscreen vpn tunnel

on 08.01.2008 22:20:53 by paleale

In article ,
Christian Rehberger wrote:
>Hi all,
>
>I've a problem with my new Netscreen SSG140.
>
>I set up several vpn tunnels and I can ping the servers on the other
>locations from all my subnets here.
>
>But I cannot ping any server via the tunnels directly from the netscreen
>box.
>
>Any idea?

Are you sourcing the ping, e.g.
ping x.x.x.x FROM TRUST (or the appropriate interface)?

alan

Re: netscreen vpn tunnel

on 09.01.2008 12:51:57 by Christian Rehberger

Hi,

First, I forgot to mention that I'm using an HA solution with two
netscreen boxes.

>> Any idea?
> it depends on the setup you use (policy based or route based).


It's a route-based setup.

> Try the
> following first:
> Get access to the console (not the web frontend),
> type: 'set ffilter dst-ip x.x.x.x'
>
> 'clear db' <-- no worry, it only clears the buffer, not the config
> :)

> Now ping through the tunnel (continuous ping)
> type: 'debug flow basic'
> type: 'get db stream' <-- now you can follow the traffic and see what
> happens to the packets.
> Once you have captured enough packets, type 'undebug all', otherwise the buffer
> gets bigger and bigger.

I already did this, but I cannot understand the problem :-(
May I send the debugging output to the list?

Chris

Re: netscreen vpn tunnel

on 09.01.2008 13:15:25 by Matthias Apitz

Christian Rehberger writes:

>Hi,

>First, I forgot to mention that I'm using an HA solution with two
>netscreen boxes.

>>> Any idea?
>> it depends on the setup you use (policy based or route based).


>It's a route-based setup.

>> Try the
>> following first:
>> Get access to the console (not the web frontend),
>> type: 'set ffilter dst-ip x.x.x.x'
>>
>> 'clear db' <-- no worry, it only clears the buffer, not the config
>> :)

>> Now ping through the tunnel (continuous ping)
>> type: 'debug flow basic'
>> type: 'get db stream' <-- now you can follow the traffic and see what
>> happens to the packets.
>> Once you have captured enough packets, type 'undebug all', otherwise the buffer
>> gets bigger and bigger.

>I already did this, but I cannot understand the problem :-(
>May I send the debugging output to the list?

If you watch the target server of the PING with tcpdump,
do the ICMP echo requests arrive, and with which src IP?

matthias

Re: netscreen vpn tunnel

on 09.01.2008 14:17:26 by Christian Rehberger

Matthias Apitz wrote:

> If you watch the target server of the PING with tcpdump,
> do the ICMP echo requests arrive, and with which src IP?

Ok, I see the request on the target server. But the address is not the IP of
the trust interface but the IP of the untrust interface of my netscreen
box.
Now it's clear why the ping does not work.

But what's wrong with the setup, that the untrust interface is used instead of
the trust interface?

Chris

Re: netscreen vpn tunnel

on 09.01.2008 14:34:02 by Burkhard Ott

On Wed, 09 Jan 2008 14:17:26 +0100, Christian Rehberger wrote:

> Matthias Apitz wrote:
>
>> If you watch the target server of the PING with tcpdump,
>> do the ICMP echo requests arrive, and with which src IP?
>
> Ok, I see the request on the target server. But the address is not the IP of
> the trust interface but the IP of the untrust interface of my netscreen
> box.
> Now it's clear why the ping does not work.
>
> But what's wrong with the setup, that the untrust interface is used instead of
> the trust interface?
>
> Chris

Sounds like a general NAT (DIP) rule in your policy, so no rule matches for
the VPN, and I bet there is one from trust to untrust and that one does the NAT,
am I right?
If you want, you can also mail the debug output to my email address, which you
can see here (it's a real one).

cheers

Re: netscreen vpn tunnel

on 09.01.2008 15:01:31 by Christian Rehberger

Hi,

> Sounds like a general NAT (DIP) rule in your policy, so no rule matches for
> the VPN, and I bet there is one from trust to untrust and that one does the NAT,
> am I right?
> If you want, you can also mail the debug output to my email address, which you
> can see here (it's a real one).

It seems I found the problem!
It was in setting up the tunnel interfaces. I used the Untrust interface in
the following command:

set interface tunnel.1 ip unnumbered interface ethernet0/8

Thanks all

Chris
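The misconfiguration Chris found, next to the corrected binding and the checks from Alan's and Burkhard's replies, as an added example that is not part of the original thread and not Juniper's documentation. Interface names, zones and addresses are assumptions: ethernet0/8 is the untrust interface (as in Chris's command), ethernet0/0 is assumed to be the trust interface carrying 10.1.1.1/24, and the subnet behind the tunnel is assumed to be 10.2.2.0/24 with a host at 10.2.2.10. ScreenOS has no comment syntax, so the lines starting with `#` are annotations for the reader and must be dropped before pasting.

```screenos
# Wrong: tunnel.1 borrows its address from the untrust interface. Traffic
# the firewall itself originates into the tunnel (ping, and just as well
# syslog or NTP to the remote site) is then sourced from the public untrust
# IP; the far end receives it, as Chris saw with tcpdump, but has no route
# back through the VPN for that address, so the reply never returns.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/8

# Fix: borrow the address of the trust interface instead (assumed to be
# ethernet0/0, 10.1.1.1/24). That address lies inside the local subnet the
# remote site already routes back through the tunnel, so self-originated
# packets get the same treatment as packets from the trust subnets.
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Route-based setup: the remote subnet (assumed 10.2.2.0/24) is reached via
# the tunnel interface rather than via a policy with a tunnel action.
set route 10.2.2.0/24 interface tunnel.1

# Verify from the box itself. Sourcing the ping from the trust interface
# (Alan's suggestion) is the quick test. If it still fails, trace the
# packet with the flow debugger (Burkhard's procedure) and check which
# interface and source address the packet is routed out with.
ping 10.2.2.10 from ethernet0/0
set ffilter dst-ip 10.2.2.10
clear db
debug flow basic
ping 10.2.2.10 from ethernet0/0
undebug all
get db stream
```

The `ffilter` keeps the debug buffer limited to packets for the one destination under test, which is what makes `get db stream` readable; `undebug all` stops the capture before the buffer grows further. Any platform that lets the VPN tunnel interface borrow its address from another interface has the same pitfall: the borrowed address is the one the far end sees for firewall-originated traffic, so it must be one the far end routes back through the tunnel.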