
List:       shrew-vpn-help
Subject:    [vpn-help] Accessing several networks
From:       uracs.tamas () peetandcook ! hu (Uracs Tamás)
Date:       2011-10-27 7:06:50
Message-ID: E8DAB7DFF3909148BE92FBEC369230CD3133DE84 () SZILVA ! peetandcook ! hu

Hi All,

In addition to Kevin's suggestions, the "obtain policy automatically" works only if the Zywall supports this feature. We are using Juniper devices (they don't support the automatic policy); we overlapped all of our internal networks with a /22 subnet mask.

All the best,

Tamas

-----Original Message-----
From: vpn-help-bounces@lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Kevin VPN
Sent: Thursday, October 20, 2011 5:20 AM
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Accessing several networks

On 10/19/2011 04:59 AM, Stéphane PERON wrote:
> 
> On 19/10/2011 09:28, Stéphane PERON wrote:
> > Hi Tamas,
> > 
> > thanks for your answer but it doesn't work !!
> > 
> > It only works for one network ...
> > 
> > I use shrewsoft 2.2 ... and try to connect to a zywall usg 100 ...
> > 
> > When I put for example, 192.168.1.0/24 as local policy in the zywall 
> > ( phase 2 ) ... And 192.168.1.0 / 255.255.255.0 in the policy tab .. 
> > .. it works very well
> > 
> > But if I put a RANGE of IP addresses in the zywall like,
> > 192.168.1.0-192.168.3.0 ... And try to add 192.168.1.0 /
> > 255.255.255.0, 192.168.2.0 / 255.255.255.0, 192.168.3.0 / 
> > 255.255.255.0 in the policy tab
> > 
> > It doesn't work !!! I can't contact networks
> > 
> I'd like to add that, for the time being, I have created as many
> shrewsoft connections as there are networks ..
> The problem is, that I can't contact all the sub-networks when all
> connections are made ... routing for several VPN connections doesn't
> work

Hi Stephane,

The problem, I think, is that for phase 2 negotiation to complete, the specified policies have to match on each side.  However, when you define the policy as 192.168.1.0-192.168.3.0 on the Zywall and then put 192.168.1.0/255.255.255.0, 192.168.2.0/255.255.255.0, 192.168.3.0/255.255.255.0 in the Shrew policy, they do NOT appear to be the same when negotiation is done.

Easiest might be to try the checkbox on the Shrew policy tab that says "Obtain topology automatically".

You could also try this:  Explicitly use 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 as the subnets in the zywall. In Shrew, use 192.168.1.0/255.255.255.0, 192.168.2.0/255.255.255.0 and 192.168.3.0/255.255.255.0.  This should make the policies match.

If the Zywall won't let you put in multiple subnets, you could use 192.168.0.0/22 (Zywall) and 192.168.0.0/255.255.252.0 (Shrew) although that might cause problems if 192.168.0.0 is used for something else.

Also, in the zywall, with the policy 192.168.1.0-192.168.3.0, how have you specified the subnet mask?  I'm not actually sure how many IPs that would include in the third subnet - maybe just one single IP, 192.168.3.0 itself?  Or does the Zywall default to a /24 if not specified?
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
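
The policy comparison discussed in the thread, as an added example that is not part of the original messages: it models phase 2 policies as sets of networks that must match exactly and checks the address values quoted above. The function names are hypothetical, and reading the gateway range literally (end address included) is an assumption; the thread does not say how the Zywall interprets it.

```python
import ipaddress

def range_to_cidrs(first, last):
    """CIDR blocks covering exactly the inclusive range first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def shrew_entry(text):
    """Parse an 'address / netmask' entry as typed in the Shrew policy tab."""
    return ipaddress.ip_network(text.replace(" ", ""))

def compare(gateway_nets, client_nets):
    """Exact-match model: (identical, only_on_gateway, only_on_client)."""
    g, c = set(gateway_nets), set(client_nets)
    return g == c, sorted(g - c), sorted(c - g)

def extra_in_supernet(supernet, wanted):
    """/24s inside the supernet that are not among the wanted /24 networks."""
    return [s for s in supernet.subnets(new_prefix=24) if s not in wanted]

# Values quoted in the thread.
CLIENT = [shrew_entry(e) for e in ("192.168.1.0 / 255.255.255.0",
                                   "192.168.2.0 / 255.255.255.0",
                                   "192.168.3.0 / 255.255.255.0")]
# Assumption: the gateway range is read literally, end address included.
GATEWAY_RANGE = range_to_cidrs("192.168.1.0", "192.168.3.0")

if __name__ == "__main__":
    same, only_gw, only_client = compare(GATEWAY_RANGE, CLIENT)
    print("range policy matches three /24s:", same)
    print("  only on gateway:", [str(n) for n in only_gw])
    print("  only on client: ", [str(n) for n in only_client])

    # The single-policy fallback: one /22 on both sides matches, but it
    # also pulls in a network nobody asked for.
    supernet = ipaddress.ip_network("192.168.0.0/22")
    print("/22 equals Shrew form:",
          supernet == shrew_entry("192.168.0.0/255.255.252.0"))
    print("extra networks covered by the /22:",
          [str(n) for n in extra_in_supernet(supernet, CLIENT)])
```

Under the literal reading the third block of the range is a single address, so the two sides differ in exactly that entry, and the /22 fallback additionally routes 192.168.0.0/24 into the tunnel.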

