Unable to pass traffic through an L2TP vpn connection (Netscreen 5GT)

SilicaGel_
Not applicable

Hi,

I have a Netscreen 5GT. It was set up on the network as the main gateway, and had VPN configured and working. Recently, I switched routers (to one that could support dual WAN), changed Internet providers and changed the internal subnet (running out of IPs).

I could not manage to get VPN working with the new router (NetGear FVS538), so I tried to reconnect the Netscreen as a secondary router just for VPN. (Actually, I set up the mail server to go through it as well, but that's not important.)

Using the same settings that were already on the router, but changing the relevant areas (subnets, network information), I can still connect to the VPN (authenticate and join the network). I cannot actually see the office network though. I can ping the Netscreen using its internal IP (10.10.1.2), but I can't ping any other computers on the network.

I've reconfigured the VPN settings about 10 times or more by now, following the examples and documentation I could find, but I still can't get any traffic through to the office network.

One thing that strikes me as odd is that when I run ipconfig on the client, it doesn't get assigned a gateway. The IP and DNS are correctly assigned, but the gateway field is blank.

I will post a copy of my router conf file below so you can see all the settings.

I would really appreciate it if someone could shed some light on this.

Also, if I should be asking this somewhere else, please let me know.

Thanks.


Note, I've changed my real WAN IP to xxx.xxx.xxx.xxx.
Also, I have a secondary IP of 192.... assigned to the trust NIC. This is because I still have some printers on the network on the old 192 subnet.

ROUTER FILE -----------------------------------------
set clock ntp
set clock timezone -5
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "RWW" protocol tcp src-port 0-65535 dst-port 4125-4125
set service "RWW" + udp src-port 0-65535 dst-port 4125-4125
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "RDP" + udp src-port 0-65535 dst-port 3389-3389
set service "CommerceWorx" protocol tcp src-port 5631-5631 dst-port 21-21
set service "CommerceWorx" + tcp src-port 5632-5632 dst-port 20-20
set service "CommerceWorx" + udp src-port 5631-5631 dst-port 21-21
set service "CommerceWorx" + udp src-port 5632-5632 dst-port 20-20
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "************************"
set admin port 8080
set admin scs password disable username netscreen
set admin auth timeout 45
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.10.0.0/16
set interface trust nat
set interface trust ip 192.168.1.2 255.255.255.0 secondary
set interface untrust ip xxx.xxx.xxx.xxx/32
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust manage-ip 10.10.1.2
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage web
set interface "untrust" mip xxx.xxx.xxx.xxx host 10.10.1.14 netmask 255.255.255.255 vrouter "trust-vr"
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set hostname ns5gt
set dns host dns1 207.164.234.193
set dns host dns2 207.164.234.129
set address "Trust" "LAN" 10.10.0.0 255.255.0.0
set address "Untrust" "update.microsoft.com" update.microsoft.com
set address "Untrust" "www.microsoft.com" www.microsoft.com
set ippool "l2-pool" 10.10.10.100 10.10.10.250
set user "test" uid 21
set user "test" type l2tp
set user "test" password "123"
unset user "test" type auth
set user "test" "enable"
set ike respond-bad-spi 1
set xauth default auth server Local chap
set l2tp default dns1 10.10.1.11
set l2tp default dns2 10.10.1.14
set l2tp default ippool "l2-pool"
set l2tp default ppp-auth chap
set l2tp "l2-tunnel" id 2 outgoing-interface untrust keepalive 60
set l2tp "l2-tunnel" remote-setting ippool "l2-pool"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn state-name "ON"
set pki x509 dn name "test"
set pki x509 dn phone "905-123-123"
set pki x509 dn email "[email protected]"
set pki x509 dn ip "0.0.0.0"
set group address "Untrust" "trusted internet sites"
set group address "Untrust" "trusted internet sites" add "update.microsoft.com"
set group address "Untrust" "trusted internet sites" add "www.microsoft.com"
set group service "HTTP MAIL & RDP"
set group service "HTTP MAIL & RDP" add "HTTP"
set group service "HTTP MAIL & RDP" add "MAIL"
set group service "HTTP MAIL & RDP" add "RDP"
set scheduler "non-working hours" recurrent sunday start 0:0 stop 23:59
set scheduler "non-working hours" recurrent monday start 0:0 stop 7:0 start 18:0 stop 23:59
set scheduler "non-working hours" recurrent tuesday start 0:0 stop 7:0 start 18:0 stop 23:59
set scheduler "non-working hours" recurrent wednesday start 0:0 stop 7:0 start 18:0 stop 23:59
set scheduler "non-working hours" recurrent thursday start 0:0 stop 7:0 start 18:0 stop 23:59
set scheduler "non-working hours" recurrent friday start 0:0 stop 7:0 start 18:0 stop 23:59
set scheduler "non-working hours" recurrent saturday start 0:0 stop 23:59
set scheduler "Working hours" recurrent monday start 7:0 stop 18:0
set scheduler "Working hours" recurrent tuesday start 7:0 stop 18:0
set scheduler "Working hours" recurrent wednesday start 7:0 stop 18:0
set scheduler "Working hours" recurrent thursday start 7:0 stop 18:0
set scheduler "Working hours" recurrent friday start 7:0 stop 18:0
set policy id 11 from "Untrust" to "Trust" "Dial-Up VPN" "LAN" "ANY" tunnel l2tp "l2-tunnel" log
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log count
set policy id 2 from "Untrust" to "Trust" "Any" "MIP(xxx.xxx.xxx.xxx)" "HTTPS" permit log count
set policy id 2
set service "POP3"
set service "RWW"
set service "HTTP MAIL & RDP"
exit
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(xxx.xxx.xxx.xxx)" "FTP" permit
set pppoe name "Bell"
set pppoe name "Bell" username "dsl user" password "*******************"
set pppoe name "Bell" idle 0
set pppoe name "Bell" interface untrust
set pppoe name "Bell" auto-connect 5
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "0.ca.pool.ntp.org"
set ntp server backup1 "1.ca.pool.ntp.org"
set ntp server backup2 "2.ca.pool.ntp.org"
set ntp max-adjustment 3600
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set enable-source-routing
exit
set vrouter "trust-vr"
set enable-source-routing
unset add-default-route
exit

Message Edited by SilicaGel on 05-06-2008 01:11 PM
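Added example, not part of the thread and not Juniper code: a small Python check over a constructed excerpt of the dump posted above (values copied from it) that extracts the trust-interface subnets, the L2TP IP pool and the L2TP tunnel policy, and reports the return-path facts a reviewer would look at first, namely whether the pool lies inside the trust subnet (so LAN hosts ARP for client addresses and the Netscreen has to answer) or outside it (so the LAN's default gateway needs a route back to the Netscreen). The thread itself does not establish the cause of the problem; this only surfaces what the config says.

```python
import ipaddress
import shlex

# Constructed excerpt of the ScreenOS dump posted above (values copied from the thread).
CONFIG = """
set interface trust ip 10.10.0.0/16
set interface trust ip 192.168.1.2 255.255.255.0 secondary
set interface trust ip manageable
set ippool "l2-pool" 10.10.10.100 10.10.10.250
set policy id 11 from "Untrust" to "Trust" "Dial-Up VPN" "LAN" "ANY" tunnel l2tp "l2-tunnel" log
"""

def parse(config):
    """Collect trust-interface subnets, IP pools and L2TP tunnel policies from a ScreenOS dump."""
    facts = {"trust_nets": [], "pools": {}, "l2tp_policies": []}
    for line in config.splitlines():
        tok = shlex.split(line)  # honours the quoted names ScreenOS uses
        if tok[:4] == ["set", "interface", "trust", "ip"] and tok[4:5] != ["manageable"]:
            cidr = tok[4] if "/" in tok[4] else f"{tok[4]}/{tok[5]}"  # CIDR or dotted-mask form
            facts["trust_nets"].append(ipaddress.ip_network(cidr, strict=False))
        elif tok[:2] == ["set", "ippool"]:
            facts["pools"][tok[2]] = (ipaddress.ip_address(tok[3]), ipaddress.ip_address(tok[4]))
        elif tok[:2] == ["set", "policy"] and tok[11:13] == ["tunnel", "l2tp"]:
            facts["l2tp_policies"].append(
                {"id": tok[3], "from": tok[5], "to": tok[7], "src": tok[8], "dst": tok[9], "tunnel": tok[13]})
    return facts

def pool_subnets(facts, pool_name):
    """Trust subnets that contain both ends of the named pool (empty list if none)."""
    lo, hi = facts["pools"][pool_name]
    return [n for n in facts["trust_nets"] if lo in n and hi in n]

def review(config):
    """Return the return-path facts a reviewer checks first for each L2TP pool."""
    facts = parse(config)
    notes = []
    for name, (lo, hi) in facts["pools"].items():
        inside = pool_subnets(facts, name)
        if inside:
            notes.append(f"pool {name} {lo}-{hi} is inside trust subnet {inside[0]}: LAN hosts will ARP "
                         "for client addresses, so the Netscreen must answer those ARPs")
        else:
            notes.append(f"pool {name} {lo}-{hi} is outside the trust subnets: the LAN default gateway "
                         "needs a route for it pointing at the Netscreen")
    for p in facts["l2tp_policies"]:
        notes.append(f"policy {p['id']} {p['from']}->{p['to']} {p['src']}->{p['dst']} tunnel {p['tunnel']}")
    return notes

if __name__ == "__main__":
    print("\n".join(review(CONFIG)))
```

Run against the full dump, the same parser will also pick up the secondary 192.168.1.0/24 address, which does not contain the pool and so is not reported.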
Skywalker_
Occasional Contributor

Re: Unable to pass traffic through an L2TP vpn connection (Netscreen 5GT)

Hi SilicaGel,

Your post seems to be in the wrong forum. This section is for the SSL VPN product aka IVE platform. You may want to repost your question under the "Firewalls" discussion group.