netscreen remoteに関して
現在下記の環境でクライアントから
netscreen remoteでVPN接続を試みています。
PC-A---SSG---network---router--PC-B(NSremote)
SSGのコンフィグは以下のとおり
-------------------------
--略--
unset interface vlan1 ip
set interface trust ip 10.90.10.1/24
set interface trust nat
set interface untrust ip 125.173.97.165/32
set interface untrust nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust vip untrust
--略--
set interface trust dip 4 10.90.10.100 10.90.10.110
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set hostname ns5gt
--略--
set address "Trust" "10.90.10.0/24" 10.90.10.0 255.255.255.0
set address "Trust" "172.31.0.0/16" 172.31.0.0 255.255.0.0
set address "Untrust" "210.154.78.16/29" 210.154.78.16 255.255.255.248
set address "Untrust" "test" 172.16.1.0 255.255.255.0
set ike gateway "gateway for remote" address 124.96.176.211 Main outgoing-interface "untrust" preshare "key==" proposal "pre-g2-3des-sha"
set ike gateway "gateway for remote" nat-traversal
set ike gateway "gateway for remote" nat-traversal udp-checksum
set ike gateway "gateway for remote" nat-traversal keepalive-frequency 100
set ike respond-bad-spi 1
set vpn "vpn for remote" gateway "gateway for remote" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "Trust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 3 from "Untrust" to "Trust" "Any" "10.90.10.0/24" "ANY" nat src dip-id 4 tunnel vpn "vpn for remote" id 3 log
set policy id 4 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
set vpn "vpn for remote" proxy-id local-ip 10.90.10.0/24 remote-ip 124.96.176.211/32 "ANY"
set pppoe name "untrust"
set pppoe name "untrust" username "usrname" password "password"
set pppoe name "untrust" interface untrust
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.229.184.0/22 interface trust gateway 10.90.10.2
exit
-----------------------
PC-Bにダイレクトにアドレスを付与した場合はVPNがつながるのですが、ルータを経由したとたんにつながらなくなります。
SSGのイベントログをみると、以下のエントリが記録されています。
-----------------------
Rejected an IKE packet on untrust from 124.96.176.211:60001 to 125.173.97.165:500 with cookies 051edfeb92c884dc and 318e4d73fb325f29 because Phase-1: no user configuration was found for the received IKE ID type: IP Address,1.
-----------------------
となり、VPNが張れません。
原因はどこにあるのでしょうか?
よろしくお願いします。
お礼
kuma-kuさんこんにちは! 早速のアドバイスありがとうございます。 無知なもので、大変たすかります。 Firewall認証というのがあるんですね?? もう少し調べてみます。 ありがとうございました。