On 10/24/2011 05:34 AM, Stéphane PERON wrote:
Hi Kevin,

Many thanks for your detailed answer ...

But nothing seems to work ...

I've tried : "Obtain topology automatically .. " => impossible to contact
the network

In the zywall USG 100, I can't specify a "group" of addresses ... I can
create it, but can't use it to configure vpn connections ..

So, I tried to specify a subnet :
ie :
192.168.0.0/255.255.252.0

I've put the same in VPN Shrew soft ... And I can't get in touch with
the machines on the target network ...

The address types authorised in the zywall to create a network object are :
- HOST ( ie : 192.168.0.3)
- RANGE ( ie : 192.168.0.1 to 192.168.3.1 )
- SUBNET ( ie : 192.168.0.0/255.255.255 and when used, the zywall
displays : /24 )

Has anyone succeeded in contacting several sub-networks behind a zywall
usg**** with only one Shrewsoft connection ??

Thanks a lot for your help

Cheers


Stéphane
On 20/10/2011 05:20, Kevin VPN wrote:
On 10/19/2011 04:59 AM, Stéphane PERON wrote:

On 19/10/2011 09:28, Stéphane PERON wrote:
Hi Tamas,

thanks for your answer but it doesn't work !!

It only works for one network ...

I use shrewsoft 2.2 ... and try to connect to a zywall usg 100 ...

When I put for example, 192.168.1.0/24 as local policy in the zywall (
phase 2 ) ... And 192.168.1.0 / 255.255.255.0 in the policy tab .. .. it
works very well

But if I put a RANGE of IP addresses in the zywall like
192.168.1.0-192.168.3.0 ... And try to add 192.168.1.0 /
255.255.255.0, 192.168.2.0 / 255.255.255.0, 192.168.3.0 / 255.255.255.0
in the policy tab

It doesn't work !!! I can't contact networks

> I'd like to add that, for the time being, I have created as many
> shrewsoft connections as there are networks ..
> The problem is, that I can't contact all the sub-networks when all
> connections are made ... routing for several VPN connections doesn't
> work

Hi Stephane,

The problem, I think, is that for phase 2 negotiation to complete, the
specified policies have to match on each side. However, when you
define the policy as 192.168.1.0-192.168.3.0 on the Zywall and then
put 192.168.1.0/255.255.255.0, 192.168.2.0/255.255.255.0,
192.168.3.0/255.255.255.0 in the Shrew policy, they do NOT appear to
be the same when negotiation is done.

Easiest might be to try the checkbox on the Shrew policy tab that says
"Obtain topology automatically".

You could also try this: Explicitly use 192.168.1.0/24, 192.168.2.0/24
and 192.168.3.0/24 as the subnets in the zywall. In Shrew, use
192.168.1.0/255.255.255.0, 192.168.2.0/255.255.255.0 and
192.168.3.0/255.255.255.0. This should make the policies match.

If the Zywall won't let you put in multiple subnets, you could use
192.168.0.0/22 (Zywall) and 192.168.0.0/255.255.252.0 (Shrew) although
that might cause problems if 192.168.0.0 is used for something else.

Also, in the zywall, with the policy 192.168.1.0-192.168.3.0, how have
you specified the subnet mask? I'm not actually sure how many IPs that
would include in the third subnet - maybe just one single IP,
192.168.3.0 itself? Or does the Zywall default to a /24 if not specified?
_______________________________________________

Hi Stephane,

Too bad it didn't work.

I took a look at the Zywall manual. It looks like you should be able to set up a VPN using the VPN wizard. Just select "Site-to-site with Dynamic Peer" and go from there. In that case, since the Remote Network will be set to Any, in Shrew policy tab you can set "Obtain topology automatically or tunnel all".

Are you able to provide us with output from the Zywall log and the Shrew log when trying the "Obtain topology automatically" option as well as the 192.168.0.0/255.255.252.0 option?

The instructions are here to generate a log from Shrew:
http://www.shrew.net/support/wiki/BugReportVpnWindows

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
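
The policy mismatch discussed in this thread, worked through as an added example (not code from any poster, Shrew Soft or ZyXEL). It is address arithmetic only, using the ranges and masks quoted above; it assumes the gateway treats a RANGE object as the literal inclusive range and does not model how either product encodes the policy during phase 2 negotiation.

```python
import ipaddress

def range_to_cidrs(first, last):
    """CIDR blocks covering exactly the inclusive range first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def netmask_policy(entry):
    """Parse an 'address / netmask' entry such as 192.168.1.0 / 255.255.255.0."""
    return ipaddress.ip_network(entry.replace(" ", ""), strict=True)

def subtract(nets, remove):
    """Address space in `nets` not covered by `remove`, as CIDR blocks."""
    remaining = list(ipaddress.collapse_addresses(nets))
    for r in ipaddress.collapse_addresses(remove):
        kept = []
        for n in remaining:
            if not n.overlaps(r):
                kept.append(n)                      # untouched by r
            elif not n.subnet_of(r):
                kept.extend(n.address_exclude(r))   # r lies strictly inside n
            # else: n is fully covered by r and is dropped
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))

def address_count(nets):
    """Total number of addresses in a list of networks."""
    return sum(n.num_addresses for n in nets)

# Values taken from the thread.
ZYWALL_RANGE = range_to_cidrs("192.168.1.0", "192.168.3.0")
SHREW_SUBNETS = [netmask_policy(e) for e in (
    "192.168.1.0 / 255.255.255.0",
    "192.168.2.0 / 255.255.255.0",
    "192.168.3.0 / 255.255.255.0")]
SHREW_SUPERNET = [netmask_policy("192.168.0.0/255.255.252.0")]

if __name__ == "__main__":
    print("RANGE 192.168.1.0-192.168.3.0 covers:", ZYWALL_RANGE)
    extra = subtract(SHREW_SUBNETS, ZYWALL_RANGE)
    print("addresses in the three /24s but outside the RANGE:",
          address_count(extra))
    print("/22 covers beyond the three /24s:",
          subtract(SHREW_SUPERNET, SHREW_SUBNETS))
```

Under that assumption the RANGE ends at the single address 192.168.3.0, so the three /24 entries on the client describe 255 addresses the gateway policy does not, and the /22 alternative additionally pulls in 192.168.0.0/24.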