[j-nsp] VPN up, but unable to forward traffic
Anthony Fajri
fajri at freebsd.or.id
Thu Nov 22 23:06:57 EST 2007
Hi All,
I set up an IPSec VPN in my lab.
below is the scenario:
|my pc| <---> |NS-5GT| <--> L3 switch <--> FW (does NAT translation) <--> |NS-50| <--> target pc
The IPSec tunnel is between the NS-5GT and the NS-50.
The NS-5GT uses a private IP, and the NAT translation is done by the FW.
I can bring the VPN up.
The route is also OK, but I am not able to ping from my PC to the target PC.
Please advise.
My PC IP is: 192.168.222.33
Target PC: 10.72.220.3
NS-50 public IP: 202.202.202.202
The route from the target PC to my PC is already added.
It seems that the packet cannot reach the end of the tunnel.
Below is some capture (taken from the 5GT):
00000001< 202.202.202.202 500 esp: des/sha1 296a7aec 3575 unlim A/U -1 0
00000001> 202.202.202.202 500 esp: des/sha1 b3e83ccb 3575 unlim A/U -1 0
The packet is already sent to tunnel.1:
****** 03797.0: <Trust/trust> packet received [60]******
ipid = 30470(7706), @025e8510
packet passed sanity check.
trust:192.168.222.33/7936->10.72.220.3/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <trust>, out <N/A>
chose interface trust as incoming nat if.
flow_first_routing: in <trust>, out <N/A>
search route to (trust, 192.168.222.33->10.72.220.3) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 8.route 10.72.220.3->10.72.220.3, to tunnel.1
routed (x_dst_ip 10.72.220.3) from trust (trust in 0) to tunnel.1
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
--
Anthony Fajri
http://fajri.freebsd.or.id
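The trace above stops at the policy search, so it does not show whether the flow was permitted, denied, or never got past that step. The following parser is an added example, not code from the original post or from Juniper: it reads a NetScreen `debug flow basic` trace, pulls out the 5-tuple, the session lookup result, the egress interface chosen by routing, and the zone pair used for the policy search, and reports the last stage the flow reached. The sample trace is the one from the post with the wrapped lines joined; the "Permitted by policy N" / "Denied by policy" wording used to detect a policy verdict is an assumption about lines that do not appear on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the debug-flow trace quoted in the post, wrapped lines joined.
SAMPLE_TRACE = """\
****** 03797.0: <Trust/trust> packet received [60]******
ipid = 30470(7706), @025e8510
packet passed sanity check.
trust:192.168.222.33/7936->10.72.220.3/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <trust>, out <N/A>
chose interface trust as incoming nat if.
flow_first_routing: in <trust>, out <N/A>
search route to (trust, 192.168.222.33->10.72.220.3) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 8.route 10.72.220.3->10.72.220.3, to tunnel.1
routed (x_dst_ip 10.72.220.3) from trust (trust in 0) to tunnel.1
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
"""

# zone:src/sport->dst/dport,proto(a/b)<vsys>; for proto 1 (ICMP) a/b is type/code (assumed)
FLOW_RE = re.compile(
    r"^(?P<zone>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),"
    r"(?P<proto>\d+)\((?P<a>\d+)/(?P<b>\d+)\)<(?P<vsys>\w+)>$"
)
ROUTED_RE = re.compile(r"^routed \(x_dst_ip (?P<xdst>[\d.]+)\) from (?P<in_if>\S+) \(.*\) to (?P<out_if>\S+)$")
POLICY_RE = re.compile(r"^policy search from zone (?P<frm>\d+)-> zone (?P<to>\d+)$")
PERMIT_RE = re.compile(r"Permitted by policy (?P<pid>\d+)")  # assumed wording, not on the page
DENY_RE = re.compile(r"Denied by policy")                    # assumed wording, not on the page


@dataclass
class FlowSummary:
    in_zone: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    session_found: Optional[bool] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    from_zone: Optional[int] = None
    to_zone: Optional[int] = None
    policy_result: Optional[str] = None   # "permit", "deny" or None if no verdict logged
    policy_id: Optional[int] = None


def parse_trace(text: str) -> FlowSummary:
    """Walk the trace line by line and record each decision the flow engine logged."""
    s = FlowSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := FLOW_RE.match(line):
            s.in_zone, s.src, s.dst = m["zone"], m["src"], m["dst"]
            s.sport, s.dport, s.proto = int(m["sport"]), int(m["dport"]), int(m["proto"])
            if s.proto == 1:  # ICMP: treat the (a/b) pair as type/code
                s.icmp_type, s.icmp_code = int(m["a"]), int(m["b"])
        elif line == "no session found":
            s.session_found = False
        elif m := ROUTED_RE.match(line):
            s.in_if, s.out_if = m["in_if"], m["out_if"]
        elif m := POLICY_RE.match(line):
            s.from_zone, s.to_zone = int(m["frm"]), int(m["to"])
        elif m := PERMIT_RE.search(line):
            s.policy_result, s.policy_id = "permit", int(m["pid"])
        elif DENY_RE.search(line):
            s.policy_result = "deny"
    return s


def stage_reached(s: FlowSummary) -> str:
    """Name the last stage the trace shows the flow reaching, from final verdict back to receipt."""
    if s.policy_result == "permit":
        return "permitted"
    if s.policy_result == "deny":
        return "denied"
    if s.from_zone is not None:
        return "policy_search"      # routed, but no permit/deny line captured
    if s.out_if is not None:
        return "routed"
    if s.session_found is False:
        return "no_session"
    return "received"


if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    print(summary)
    print("last stage reached:", stage_reached(summary))
```

For the trace in the post this reports `policy_search`: the ICMP echo request from 192.168.222.33 was routed from `trust` to `tunnel.1` and a zone 2 to zone 1 policy lookup began, but the capture ends before any verdict line, so the trace as quoted does not settle whether the packet was dropped by policy on the 5GT or lost after encapsulation.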