Question : SSG5 VPN Routing, internal LAN route works, VPN route doesn't.

I have a weird setup in my current client network.

                    ISP (Internet)
                          |
          Simple 4-port Netgear 100 Mbit switch
             /                            \
Cisco (static IP 212.xxxx)       Cisco (static IP 193.xxx) - static route VPN to other office
           |
     Juniper SSG5
           |
        Switch
           |
Mail server + users + wireless router

I configured a permanent route to the 2nd Cisco, which has an internal address of 192.168.100.200 (I used this as the gateway for the route).

Internally the route works: LAN users can reach the 193. address range, but the dial-in VPN users can't reach the 193. address range.
My assumption is that it has something to do with the policies of the VPN.
But if I change the policies to include the 193. range (both server and client), the VPN fails in the 2nd phase negotiations. (The VPN does not have an application SA configured.)
When I remove the extra line in the Shrew Soft VPN client IPsec policies, the VPN works fine again.

Is there a way to allow the traffic from the VPN users to the 193. range ?

Also, I see in the VPN log that there are a lot of DNS requests, so I think the clients don't use their own DNS servers. Can I change those as well, so that the client uses only the remote DNS servers for specific traffic?


Answer : SSG5 VPN Routing, internal LAN route works, VPN route doesn't.

Sorry for my long-term absence. I really had difficulties getting your configuration together, but did not know what to ask to make it clearer.

From your description I reckon you have not used explicit Proxy IDs on the SSG. If you don't, the Proxy ID is derived from the policy's address entries.
I've tested back and forth, and the config that worked for me was to allow for separate security associations:

  • In SSG: 
    1. Create a copy of your Dial-In VPN P2 definition (AutoKey IKE), change the destination to the 193.x network. Make sure the Proxy ID flag is not checked. Give it an appropriate name, like "Dial-In VPN 193.x". 
    2. Copy your dial-in policy (Untrust to Trust). Change the destination to the 193.x network, and the VPN to your newly created P2 definition. 
  • In Shrew:
    Change your "Policy" settings to include both networks, exactly as provided in your SSG policies. 

That's it. The only point where you might have difficulties now is that the Shrew Soft VIP is not known by the 193.x side and/or the right-hand Cisco. You might want to try to NAT that address in the corresponding SSG policy; that should help.
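As a worked illustration of the "separate security associations" approach in the answer above, here is the equivalent ScreenOS CLI for the SSG side. This is an added example, not configuration from the original answer or from the asker's device: the gateway name "dialin-gw", the proposal "g2-esp-3des-sha", the interface ethernet0/0, the address-object names and the 193.0.2.0/24 prefix (standing in for the real 193.x range) are all assumed placeholders, and the existing "Dial-In VPN" line is shown only so the two P2 definitions can be compared side by side.

```screenos
## Added example (not from the original answer). Placeholder names: gateway
## "dialin-gw", proposal "g2-esp-3des-sha", interface ethernet0/0, and
## 193.0.2.0/24 standing in for the real 193.x office network.

## Static route to the 193.x office via the second Cisco at 192.168.100.200.
## This is the route that already works for LAN users.
set route 193.0.2.0/24 interface ethernet0/0 gateway 192.168.100.200

## Address-book entry for the remote office, reachable through the Trust side.
set address "Trust" "193.x-net" 193.0.2.0 255.255.255.0

## Existing dial-in Phase 2 (AutoKey IKE) definition covering the local LAN.
## No explicit proxy-id is configured, so ScreenOS derives the proxy-id from
## the source/destination addresses of the policy that references this VPN.
set vpn "Dial-In VPN" gateway "dialin-gw" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"

## Second Phase 2 definition on the same IKE gateway. Because a separate
## policy references it, it negotiates its own SA with its own proxy-id, so
## the Shrew client can propose two traffic selectors (LAN and 193.x) without
## the Phase 2 mismatch seen when one SA was asked to cover both.
set vpn "Dial-In VPN 193.x" gateway "dialin-gw" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"

## Policies from Untrust to Trust. "Dial-Up VPN" is the built-in ScreenOS
## address object for dial-in clients.
set policy from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel vpn "Dial-In VPN" log

## The 193.x policy source-NATs the Shrew virtual IP behind the SSG's own
## interface address, so the 193.x side and the right-hand Cisco do not need
## a return route for the client VIP (the point raised at the end of the answer).
set policy from "Untrust" to "Trust" "Dial-Up VPN" "193.x-net" "ANY" nat src tunnel vpn "Dial-In VPN 193.x" log
```

On the Shrew Soft side the Policy tab then lists both the LAN network and 193.0.2.0/24 as remote network resources, matching the two SSG policies exactly. After a client connects, `get sa` on the SSG should show two active Phase 2 SAs for the dial-in gateway (one per destination), and `get event` is where a remaining proxy-id mismatch shows up as a Phase 2 failure. Check the exact `set policy` option order against the ScreenOS release in use before pasting.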
