Re: Netscreen VPN help needed
comp.security.firewalls archive

Re: Netscreen VPN help needed

From: Somebody. <somebody.@nospam.russdoucet.com>
Date: Thu Apr 27 2006 - 12:23:36 CEST

<rick@rickrobinson.org> wrote in message
news:m7b052d5biiokgla93ole96tjkjblrhjdt@4ax.com...
>I have a working policy based lan-to-lan tunnel configured on two
> Netscreens.
>
> I also have another zone called 'dmz' on one of the Netscreens, and
> hosts in that zone are unable to access the lan-to-lan tunnel.
>
> In zone dmz, there is no policy for the vpn or a route to the
> destination, so traffic ends up being sent to the default gateway
> instead of the tunnel.
>
> When I tried adding a policy to zone 'dmz' for the vpn traffic
> ScreenOS said it could not because the IKE ID was already in use. I
> also tried to route the traffic to the trust interface and that didn't
> work either.
>
> Can anyone assist and tell me how to configure this so that the other
> zone can access the tunnel?
>
> Thanks in Advance.
> -RLR

Pick one of:
1. Use a route-based tunnel
2. Update your firmware, that sounds like version 3
3. Create a second set of P1 and P2 definitions for the DMZ tunnel on both
sides and treat it as a separate tunnel, use local and remote IDs to
differentiate them.

#1 makes the most sense by far.

Note that your existing policy-based tunnel probably won't pass traffic
bearing DMZ network addresses anyway because the proxy IDs gleaned from the
policies don't include those addresses.

-Russ.
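What option #1 looks like in practice, as an added illustration that is not part of Russ's reply or Rick's configuration: a constructed ScreenOS 5.x route-based tunnel in which a single Phase 1/Phase 2 pair is bound to a tunnel interface, a route steers remote-LAN traffic into it, and the trust and dmz zones each get an ordinary inter-zone policy. All addresses, zone and interface names (ethernet3 as the untrust interface, tunnel.1), the gateway and VPN names, and the pre-shared key placeholder are assumptions for the example.

```text
## Constructed example: route-based tunnel serving both the trust and dmz zones.
## Local LAN 10.10.0.0/24 (zone trust), local DMZ 10.30.0.0/24 (zone dmz),
## remote LAN 10.20.0.0/24 behind the peer at 203.0.113.2.

# Address-book entries referenced by the policies below
set address trust "lan-net" 10.10.0.0 255.255.255.0
set address dmz "dmz-net" 10.30.0.0 255.255.255.0
set address untrust "remote-net" 10.20.0.0 255.255.255.0

# The tunnel interface sits in the untrust zone and borrows ethernet3's address
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

# One Phase 1 gateway and one Phase 2 VPN; the VPN is bound to the tunnel interface,
# so no policy ever names the VPN and the "IKE ID already in use" error cannot arise
set ike gateway "to-remote" address 203.0.113.2 main outgoing-interface ethernet3 preshare "REPLACE-WITH-PRESHARED-KEY" sec-level standard
set vpn "remote-vpn" gateway "to-remote" sec-level standard
set vpn "remote-vpn" bind interface tunnel.1

# Wildcard proxy ID: with a route-based tunnel the route, not a policy's
# source/destination pair, decides what enters the SA, so DMZ addresses are
# not dropped for failing to match policy-derived proxy IDs
set vpn "remote-vpn" proxy-id 0.0.0.0/0 0.0.0.0/0 any

# Routing sends everything destined for the remote LAN through the tunnel interface
set route 10.20.0.0/24 interface tunnel.1

# Plain inter-zone policies; add a pair per zone that needs the tunnel
set policy from trust to untrust "lan-net" "remote-net" "ANY" permit
set policy from untrust to trust "remote-net" "lan-net" "ANY" permit
set policy from dmz to untrust "dmz-net" "remote-net" "ANY" permit
set policy from untrust to dmz "remote-net" "dmz-net" "ANY" permit
```

The lines beginning with `#` are annotations for the reader; ScreenOS does not accept comment lines, so drop them before pasting. The peer needs the mirror image: its own tunnel interface and VPN binding, a route for 10.30.0.0/24 as well as 10.10.0.0/24 pointing at that interface, and policies that permit the DMZ range. If the peer stays policy-based, its proxy IDs must still cover the DMZ network or the Phase 2 negotiation for that traffic will fail on its side.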
Received on Mon May 1 01:08:59 2006