Virtual Private Networking → Taking over VP Tunnel environment

Hi all,

I have a new client that has a networking issue between the main office and a remote site. Recently, the Juniper router at the remote site went down and hasn't properly come back up. Therefore, a replacement Netgear box has been purchased and installed in the meantime.

However, the Juniper router had a VP Tunnel which connected the two facilities. So, although the client can browse the Internet, they cannot access Windows shares and printers from the main office.

I'm inheriting their network environment. Both the client and I have very little knowledge of this environment, but we need to fix this "VP Tunnel" as they call it.

I'm a novice with VPN; I know of it, but never had to set it up or fix it. So, first question, a "VP Tunnel" is really just a VPN Tunnel, correct? If so, it sounds like this client has a site-to-site VPN Tunnel?

It does sound like they had a VPN between the sites. As for how they came to call it a VP tunnel, who knows? I'd suggest going to the other site and checking out the setup there to see how they had it implemented. Then you can decide if you want to continue with that setup or change both sites to a different config.

I'm planning to visit the clients' sites tomorrow afternoon, so I'll have a better idea of their exact network config, and access to the equipment, including the failed Juniper router. Once I retrieve this information, I'll post it back here for follow-up advice. Thanks!

If you're lucky the Netgear has the ability to connect via VPN to the router at the main site. You'll need to know the public IP of the router at the main site, the range of IP addresses at the main site that should be available to users at the remote site, and the tunnel password.

Once you configure that info at the remote site then the two sites should automagically link up. The router at the main site is already configured and "looking" for the VPN link at the remote site. It can't find it because the new router hasn't been configured for it.

Sounds like that's the clue needed. What model juniper, and is it completely bricked?

What do they have at the main site that connected the VPN tunnel, and does anyone have access to it?

Regards

OK, here's what I have so far.

1) The Juniper router at the remote site is a Netscreen 5-GT. I am able to view the console (I purchased a serial-to-USB cable), but I cannot login into the unit (I'm given an old admin password). However, the unit does appear to boot successfully while reading the console screen during power cycle tests.

2) The main office has the following network equipment:
--Cisco router (2600 series)
--Juniper Firewall (SSG5-SH)

3) Both sites have a T1 connection. Here's the ASCII network diagram:

[Remote Office] ---------------------------> [Main Office]
Juniper (5GT) --> T1 --> Internet --> T1 --> Cisco --> Juniper SSG --> Internal Workgroup Switch

If you're not able to get in via console, can you get into the5GT's webgui?

Do you know which device at the head office holds the VPN config? The 2600 or the SSG?
My money is on the SSG. Can you get admin access to it?

Regards

I was able to put the 5GT back into place and get the VPN tunnel up and running once again. They're back to normal office functions again, accessing network shares and printers.

However, I couldn't access the WebGUI on the 5GT. I tried using its reported gateway IP + port 80, but that didn't work. I agree and believe the VPN config resides on the SSG, but I haven't confirmed that yet. I'm planning to directly access the main office network equipment on my next visit for more clues.

...so until you a) get access to one of the devices, the 5GT or SSG, b) review its config, and c) figure
out the whole bloody mess, sounds like the rule for everyone onsite is DON'T BREAK ANY OF THE DEVICES
CUZ NO ONE KNOWS HOW IT WORKS!!

Gotta love those kinds of networks... let us know how it goes bbrkdub.

Regards

Did you try the web access via https? Some devices ignore http requests.

I dont see the issue here.
Just use the reset pin and start from scratch. Or simply call the manufacturers and ask for technical assistance instead of playing this guessing game. What, not possible with these units. Are they defective??

Well after rereading, your client hired a guy that knows nothing about VPN tunnels LOL. Too funny should have hired me then, I would have done it for cheaper, except my consults with hellfire would have caused bankruptcy ;-P

What would be easiest is to scrap the entire mixed bag network and replace it with cheaper units that have free firmware upgrades and FREE technical support so one could stop guessing and ask for help at no cost. One could then write up an instruction sheet on how to setup the router and the tunnels on a few typed sheets and even the client could do it when your not available or with assistance on the phone with tech support. Now thats a novel idea. Yup get rid of the string and the tin cans and get some decent stuff.

Both HTTP and HTTPS don't provide access to the Juniper WebUI.

I've already suggested replacing their networking equipment (that was actually the first suggestion) since it's old, unsupported, no one can fully access all the components, and of course this issue will (more than likely) happen again.

Since they're a small business, and they've already purchased a Netgear for the remote office, I'm leaning towards suggesting a Netgear UTM box for the main office. That way, we 1) replace the old equipment and 2) still offer expected functionality like wireless, VPN, and a firewall.

With that in mind, couldn't I just buy the UTM box, directly connect the two Netgear boxes via their WAN ports, and at least configure VPN offsite first?

REALLY dumb question but does any of this gear have a maintenence / support contract of any sort bbrkdub?

AFAIK, SSG5 you may still be able to get some support for it, but the 2600 and 5GT is LONG EOL, I know
that for sure.

Never worked with the Netgear UTM series, so I can't directly comment. I do agree though getting
something that a) is still supported, and b) is controllable / accessible / configurable BY YOU is
a really good idea right now.

Regards

What I want to know is who is buying all this gear in the company without any planning. Destined to stay small bus or no bus at this rate.

I'll have to call about their SSG5, but I'm almost certain it's no longer supported either.

Also, they have no official IT support. There's no dedicated staff to handle these issues--hence the "outsource" to me. Documentation for their networking equipment is both scarce and stale, and that's my current motivation for new (cost-effective) equipment. At least I'll know what's happening, why, and it's properly documented for future reference.

Documentation... translates from some obscure dialect to "leave for some other poor schmuck to do."

Let us know how it goes bbrkdub.

Regards