Question : SSG5 VPN Routing, internal LAN route works, VPN route doesnt.

I have a weird setup in my current client network.

ISP(Internet)
|
Simple 4 port netgear 100mbit Switch
/ \
Cisco (static IP 212.xxxx) Cisco (static IP 193.xxx) static route VPN to other office
/
Juniper SSG5
|
Switch
|
Mail server + Users + wireless router

I configured a permanent route to the 2nd cisco which has an internal address of 192.168.100.200(I used this as a gateway for the route)

Internally the route works, LAN users can reach the 193. address range, but the dailin VPN users can reach the 193 address range.
My assumption is that it has something todo with the policies of the VPN.
But if I change the policies to include the 193. range (both server and client)the VPN fails in the 2nd phase negotiations. (The VPN does not have an application SA configured.)
When I remove the extra line in the Shrew soft VPN client IPSEC policies the VPN works fine again.

Is there a way to allow the traffic from the VPN users to the 193. range ?

Also I see in the VPN log there are a lot of DNS request, so I think the client doesnt use their own DNS servers, can I change those as well, that it uses only the remote DNS servers for specific traffic?

Answer : SSG5 VPN Routing, internal LAN route works, VPN route doesnt.

Sorry for my long-term absense. I really had difficulties to get your configuration together, but did not know what to ask to make it more clear.

From your description I reckon you have not used explicit Proxy IDs on SSG. If you don't, the Proxy ID is derived from the policy's address entries.
I've tested back and forth, and the config working for me was by allowing for separate security associations:
In SSG:
Create an copy of your Dial-In VPN P2 definition (AutoKey IKE), change the destination to the 193.x network. Make sure the Proxy ID flag is not checked. Give it an appropriate name, like "Dial-In VPN 193.x"
Copy your dial-in policy (Untrust to Trust). Change to the 193.x as destination, and the VPN to your newly created P2 definition.
In Shrew:
Change your "Policy" settings to include both networks, exactly as provided in your SSG policies.
That's it. The only point you might have difficulties now is that the ShrewSoft VIP is not known by the 193.x side and/or the right-hand Cisco. You might want to try to NAT that address in the corresponding SSG policy, that should help

Random Solutions

Export Query to Excel from Access 2007

what is the easy way of hitting a remote server on its availability every 5 secs and start up a batch file when it comes down

How to run an executable packaged inside a JAR?

Install MS Visual Studio .NET/SQL Server and PHP/MySql on the same computer

Command Button Help!!

How to get a formula to calcutate even if one of the fields in it is null

access crosstab query question

How do I add a domain address to my Exchange 2007 mail server?

I have a folder that will have lots of files in them i want to backup *.bak and *.txt files into a zip file using winzip and then name the zip ETC-DD-MM-YYY

How to create a bootable USB drive for Windows installation