
Static route through Netscreen Remote: can it be done?


Archived from groups: comp.dcom.vpn

 

Hi -

My network is accessible via a VPN tunnel via Netscreen Remote 8.3 to a
Netscreen 5GT. The trust interface is 192.168.0.1. Connections to
192.168.0.0/24 hosts from my users' remote PCs work fine. However, we have
a 10.0.0.0/24 network whose gateway is at 192.168.0.2. Unfortunately, there
seems to be no way to tell Windows 2000 to route packets to 10.0.0.0/24 via
192.168.0.1, because the "deterministic network enhancer" which is used by
the Netscreen Remote software is under the radar of basic Windows 2000
TCP/IP. That is, "route ADD 10.0.0.0 MASK 255.255.255.0 192.168.0.2 METRIC
1 IF 0x2" does not work, because not unreasonably, there is no official
route to the 192.168.0.0/24 subnet.

Does anybody know whether it is possible to hack this so 10.0.0.0/24 packets
are sent down the invisible VPN interface? Looking at the Netscreen Remote
software, there doesn't appear to be any way to add this, short of creating
a completely separate tunnel for this interface (I imagine that I would have
to bind a 10.0.0.x address to a new VPN gateway, somehow).

Any ideas?

--
Mark Bertenshaw
Kingston upon Thames
UK

Archived from groups: comp.dcom.vpn

 

Mark Alexander Bertenshaw wrote:
> Hi -
>
> My network is accessible via a VPN tunnel via Netscreen Remote 8.3 to a
> Netscreen 5GT. The trust interface is 192.168.0.1. Connections to
> 192.168.0.0/24 hosts from my users' remote PCs work fine. However, we have
> a 10.0.0.0/24 network whose gateway is at 192.168.0.2. Unfortunately, there
> seems to be no way to tell Windows 2000 to route packets to 10.0.0.0/24 via
> 192.168.0.1, because the "deterministic network enhancer" which is used by
> the Netscreen Remote software is under the radar of basic Windows 2000
> TCP/IP. That is, "route ADD 10.0.0.0 MASK 255.255.255.0 192.168.0.2 METRIC
> 1 IF 0x2" does not work, because not unreasonably, there is no official
> route to the 192.168.0.0/24 subnet.
>
> Does anybody know whether it is possible to hack this so 10.0.0.0/24 packets
> are sent down the invisible VPN interface? Looking at the Netscreen Remote
> software, there doesn't appear to be any way to add this, short of creating
> a completely separate tunnel for this interface (I imagine that I would have
> to bind a 10.0.0.x address to a new VPN gateway, somehow).
>
> Any ideas?
>
> --
> Mark Bertenshaw
> Kingston upon Thames
> UK

You need to add another subnet to the existing tunnel or if your user
interface only allows a single local and a single remote subnet when
defining a tunnel then you will need to create a second tunnel to the
same endpoint.


--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)

Archived from groups: comp.dcom.vpn

 

"Mike Drechsler - SPAM PROTECTED EMAIL"
<mike-newsgroup@-DELETETHISPART-.upcraft.com> wrote in message
news:j8Ooe.52177$W62.10516@fe10.news.easynews.com...
> Mark Alexander Bertenshaw wrote:
> > Hi -
> >
> > My network is accessible via a VPN tunnel via Netscreen Remote 8.3 to a
> > Netscreen 5GT. The trust interface is 192.168.0.1. Connections to
> > 192.168.0.0/24 hosts from my users' remote PCs work fine. However, we have
> > a 10.0.0.0/24 network whose gateway is at 192.168.0.2. Unfortunately, there
> > seems to be no way to tell Windows 2000 to route packets to 10.0.0.0/24 via
> > 192.168.0.1, because the "deterministic network enhancer" which is used by
> > the Netscreen Remote software is under the radar of basic Windows 2000
> > TCP/IP. That is, "route ADD 10.0.0.0 MASK 255.255.255.0 192.168.0.2 METRIC
> > 1 IF 0x2" does not work, because not unreasonably, there is no official
> > route to the 192.168.0.0/24 subnet.
> >
> > Does anybody know whether it is possible to hack this so 10.0.0.0/24 packets
> > are sent down the invisible VPN interface? Looking at the Netscreen Remote
> > software, there doesn't appear to be any way to add this, short of creating
> > a completely separate tunnel for this interface (I imagine that I would have
> > to bind a 10.0.0.x address to a new VPN gateway, somehow).
> >
> > Any ideas?
> >
> > --
> > Mark Bertenshaw
> > Kingston upon Thames
> > UK
>
> You need to add another subnet to the existing tunnel or if your user
> interface only allows a single local and a single remote subnet when
> defining a tunnel then you will need to create a second tunnel to the
> same endpoint.

That's what I thought. All rather annoying.

--
Mark

Archived from groups: comp.dcom.vpn

 

NetScreen remote / 5GT will allow you to create a second connection.

Open NS Remote > right click your current "green lock" > copy > paste
now change the subnet to 10.0.0.0/24 rather than 192.x


Open the NetScreen firewall > policies > create a second dialup vpn
policy matching the proxy id for the 10.0.0.0/24 network


this is very simple, you will not have to create a 2nd vpn tunnel.


regards

Dave Sinclair
www.sintecuk.co.uk
NetScreen/Juniper Certified Trainer
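
Added example, not part of the original posts: a simplified Python model of why the Windows `route ADD` had no effect and why both steps above are needed. It assumes a policy-based client that picks a connection by destination subnet and a firewall that accepts phase 2 only for a proxy ID matching one of its dial-up policies; the connection names and function names are hypothetical.

```python
import ipaddress

# Constructed model: each client "connection" carries the remote subnet it
# protects (its proxy ID). Connection names are hypothetical.
BEFORE = {"office-192": ipaddress.ip_network("192.168.0.0/24")}
AFTER = dict(BEFORE, **{"office-10": ipaddress.ip_network("10.0.0.0/24")})

# Proxy IDs accepted by the firewall's dial-up VPN policies
# (the second entry models the added policy).
FW_BEFORE = [ipaddress.ip_network("192.168.0.0/24")]
FW_AFTER = FW_BEFORE + [ipaddress.ip_network("10.0.0.0/24")]


def client_select(dst, connections):
    """Return the connection whose remote subnet contains dst, else None.

    The OS routing table is never consulted here, which is why a static
    route on the PC cannot steer traffic into the tunnel.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name)
               for name, net in connections.items() if addr in net]
    return max(matches)[1] if matches else None  # most specific subnet wins


def firewall_accepts(proxy_id, policies):
    """Phase 2 is accepted only when the proposed proxy ID matches a policy."""
    return ipaddress.ip_network(proxy_id) in policies


def path(dst, connections, policies):
    """Describe what happens to a packet for dst under a configuration."""
    name = client_select(dst, connections)
    if name is None:
        return "not tunnelled: handled by the client's non-VPN rule"
    if not firewall_accepts(str(connections[name]), policies):
        return f"{name}: phase 2 rejected, no matching proxy ID on firewall"
    return f"{name}: encrypted through tunnel"


if __name__ == "__main__":
    for label, conns, pols in [("original", BEFORE, FW_BEFORE),
                               ("client only", AFTER, FW_BEFORE),
                               ("client + policy", AFTER, FW_AFTER)]:
        print(f"{label:16} 10.0.0.5 -> {path('10.0.0.5', conns, pols)}")
```
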

Archived from groups: comp.dcom.vpn

 

> NetScreen remote / 5GT will allow you to create a second connection.
>
> Open NS Remote > right click your current "green lock" > copy > paste
> now change the subnet to 10.0.0.0/24 rather than 192.x
>
>
> Open the NetScreen firewall > policies > create a second dialup vpn
> policy matching the proxy id for the 10.0.0.0/24 network
>
>
> this is very simple, you will not have to create a 2nd vpn tunnel.
>

Dave -

Thanks very much! It now works absolutely fine.

--
Mark Bertenshaw
Kingston upon Thames
UK
