VPN tunnel between Netscreen and Linksys

mingtmak (TechnicalUser)
17 Aug 07 19:43
referring to thread907-566205: Linksys Dynamic Netscreen Static

I'm having trouble setting up a VPN between a Linksys (Dynamic IP) and a Netscreen-10 (Static IP).
I've attempted what was suggested in the above thread, but still haven't been able to get it working.
I'm using the GUI to set up the Netscreen. There is already a tunnel from another Linksys (same model - BEFVP41), but the IP on that Linksys is static. (This tunnel was set up by a different person.)

I've attempted setting it up as a dialup user and as a "dynamic IP" with a peer id.

Any help would be appreciated. I'm also not as familiar with Netscreen firewalls.

- Jon

Packet7 (IS/IT--Management)
18 Aug 07 8:31
Hello Jon,

I would set up a Policy Based VPN and configure the Netscreen side for "Aggressive Mode".  There are Juniper documents for this type of setup.  I have never tried to build a VPN between a Linksys Router and a Netscreen, but it should work.  If you want, I could help you debug the VPN from the CLI.  Let me know if you come across any issues.

Rgds,

John
mingtmak (TechnicalUser)
21 Aug 07 19:22
Thanks, I will try to obtain a CLI config and post it.

As mentioned before, there is already a site-to-site tunnel established on a static-IP Linksys.
Would there be issues (in terms of VPN establishment) if the two remote networks had the same subnet?
Head office (netscreen) - 192.168.1.0
Remote office 1 (linksys - static) - 192.168.7.0
Remote office 2 (linksys - dynamic) - 192.168.7.0

Remote office 2 was using client vpn software to connect to the netscreen with no issues before.
I'm not concerned with the routing itself as I can always change the subnets later.

Could you direct me to some documents to create a policy based VPN? I've been searching but they either require a Juniper support contract or they're unrelated.

Thanks!

- Jon

Packet7 (IS/IT--Management)
21 Aug 07 20:27
Hey Jon,

If the destination networks overlap, the Netscreen will be unable to encrypt the data into the correct tunnel.  Basically, the first active VPN and route will prevail.  That said, I would renumber the second remote Network to 192.168.2.0/24.  Regarding the documentation, what ScreenOS are you running?  I will try and get you a copy of the Admin Guide.  Hope this helps.

Rgds,

John
mingtmak (TechnicalUser)
29 Aug 07 18:39
OK, I've changed the networks, so the routing shouldn't be an issue... once a tunnel is established.

Below is the config. "ECC Tunnel" is a current site-to-site VPN with a static IP that is working. "OLP Tunnel" is the config for a dynamic IP endpoint and is not working.
Let me know if lines are missing; I've copied it from Hyperterminal. I also deleted some dialup tunnels that are used on and off. I took them out hopefully to avoid confusion.

afw1-1-> get config
Total Config size 11575:
set auth type 0
set auth timeout 10
set clock "timezone" 7
set admin format dos
set admin name "XXXX"
set admin password XXXX
set admin sys-ip 0.0.0.0
set admin port 2100
set admin auth timeout 10
set admin auth type Local
unset admin hw-reset
set ip tftp retry 10
set ip tftp timeout 2
set interface trust ip 192.168.1.5 255.255.255.0
set interface untrust ip X.X.X.X 255.255.255.0
set interface untrust gateway X.X.X.X
set interface trust manage ping
set interface trust manage scs
set interface trust manage telnet
unset interface trust manage snmp
set interface trust manage global
set interface trust manage global-pro
set interface trust manage ssl
set interface trust manage web
unset interface trust ident-reset
unset interface untrust manage ping
unset interface untrust manage scs
unset interface untrust manage telnet
unset interface untrust manage snmp
unset interface untrust manage global
unset interface untrust m
unset interface untrust manage ssl
unset interface untrust manage web
unset interface untrust ident-reset
set interface DMZ manage ping
unset interface DMZ manage scs
unset interface DMZ manage telnet
unset interface DMZ manage snmp
unset interface DMZ manage global
unset interface DMZ manage global-pro
unset interface DMZ manage ssl
unset interface DMZ manage web
unset interface DMZ ident-reset
set interface trust dip 4 192.168.1.50 192.168.1.254
set flow mac-flooding
set flow check-session
set domain XXX.XXX
set hostname XXXX
set url fail-mode permit
set address untrust "ECCLan" 192.168.7.0 255.255.255.0
set address untrust "OLP LAN" 192.168.8.0 255.255.255.0
set address trust "AS400" 192.168.1.1 255.255.255.0 "Connection to AS400"
set syn-threshold 200
set firewall tear-drop
set firewall syn-flood
set firewall ip-spoofing
set firewall ping-of-death
set firewall src-route
set firewall land
set firewall icmp-flood
set firewall udp-flood
set firewall winnuke
set firewall port-scan
set firewall i
unset firewall applet
unset firewall bypass-others-ipsec
unset firewall bypass-non-ip
unset firewall session-threshold source-ip-based
set snmp name "XXXX"

set user "ECCtunnel" ike-id fqdn "ecctunnel" share-limit 5
set user "ECCtunnel" type  ike
set user "ECCtunnel" "enable"

set user "olptunnel" ike-id fqdn "olptunnel" share-limit 1
set user "olptunnel" type  ike
set user "olptunnel" password "type"
unset user "olptunnel" type auth
set user "olptunnel" "enable"

set ike gateway "ECC Tunnel" ip X.X.X.X Main preshare "ecctunne1" proposal "pre-g2-3des-sha"
set ike gateway  "ECC Tunnel" nat-traversal
unset ike gateway "ECC Tunnel" nat-traversal udp-checksum
set ike gateway "ECC Tunnel" nat-traversal keepalive-frequency 0

set ike gateway "OLP Gateway" ip 0.0.0.0 id "olp" Main preshare "XXXXX" proposal "pre-g2-3des-sha"
unset ike gateway "OLP Gateway" nat-traversal udp-checksum
set ike gateway "OLP Gateway" nat-traversal keepalive-frequency 5
set ike policy-checking
set ike respond-bad-spi 1

set vpn "Ecc tunnel auto ike" id 34 gateway "ECC Tunnel" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"

set vpn " OLP Auto_IKE" id 39 gateway "OLP Gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set l2tp default
set l2tp default ppp-auth any
set l2tp default radius-port 1645
set ike id-mode subnet
set traffic-shaping ip_precedence 7 6 5 4 3 2 1 0
set policy id 3 name "AS400" incoming "Dial-Up VPN" "AS400" "ANY" Tunnel vpn "AutokeyIke_P2" id 26
set policy id 2 incoming "Dial-Up VPN" "AS400" "ANY" Tunnel vpn "CementeryAutoKeyIKE1_P2" id 27
set policy id 4 name "Our Lady Of Peace Policy" incoming "Dial-Up VPN" "AS400" "ANY" Tunnel vpn "OurLadyAutoKeyIKE_P2" id 28

set policy id 12 name "outbound" outgoing "Inside Any" "Outside Any" "ANY" nat Permit
set policy id 13 name "ECCAccess Policy" incoming "ECCLan" "AS400" "ANY" Tunnel vpn "Ecc tunnel auto ike" id 35
set policy id 14 name "ECCAccess Policy" outgoing "AS400" "ECCLan" "ANY" Tunnel vpn "Ecc tunnel auto ike" id 35
set policy id 16 name "OLP VPN Policy" outgoing "AS400" "OLP LAN" "ANY" Tunnel vpn " OLP Auto_IKE" id 40 log
set policy id 17 name "OLP VPN Policy" incoming "OLP LAN" "AS400" "ANY" Tunnel vpn " OLP Auto_IKE" id 40 log
set dhcp server service
set dhcp server ip 192.168.1.50 to 192.168.1.254
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 X.X.X.X
set dns host dns2 X.X.X.X
set dns host schedule 00:00


- Jon
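Added example, not part of the thread or of any Juniper tool: a small Python lint over a ScreenOS-style config excerpt that checks for the two points Packet7 raised, a dynamic-IP gateway (ip 0.0.0.0) left in Main mode instead of Aggressive, and two tunnel policies whose remote networks overlap. The sample excerpt is constructed from the posted config, and the regexes are my own approximation of that syntax, not a real ScreenOS parser.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted above (object names and
# subnets come from the thread; the lines were trimmed and re-joined by hand).
SAMPLE_CONFIG = """\
set address untrust "ECCLan" 192.168.7.0 255.255.255.0
set address untrust "OLP LAN" 192.168.8.0 255.255.255.0
set ike gateway "ECC Tunnel" ip X.X.X.X Main preshare "xxx" proposal "pre-g2-3des-sha"
set ike gateway "OLP Gateway" ip 0.0.0.0 id "olp" Main preshare "xxx" proposal "pre-g2-3des-sha"
set policy id 13 name "ECCAccess Policy" incoming "ECCLan" "AS400" "ANY" Tunnel vpn "Ecc tunnel auto ike" id 35
set policy id 17 name "OLP VPN Policy" incoming "OLP LAN" "AS400" "ANY" Tunnel vpn " OLP Auto_IKE" id 40 log
"""

# Approximations of the posted syntax (assumption: mode token is "Main" or "Aggr...").
ADDR_RE = re.compile(r'^set address \S+ "([^"]+)" (\S+) (\S+)')
GW_RE = re.compile(r'^set ike gateway\s+"([^"]+)" ip (\S+) .*?\b(Main|Aggr\w*)\b')
POL_RE = re.compile(r'^set policy id \d+ .*?(incoming|outgoing) "([^"]+)" "([^"]+)" "[^"]*" Tunnel')


def audit(config: str) -> list[str]:
    """Return findings for the two problems discussed in the thread."""
    findings = []
    books = {}        # address-book name -> ip_network
    tunnel_nets = {}  # remote address-book name -> ip_network (tunnel policies only)
    for line in config.splitlines():
        if m := ADDR_RE.match(line):
            name, ip, mask = m.groups()
            books[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := GW_RE.match(line):
            name, peer_ip, mode = m.groups()
            # ip 0.0.0.0 = peer with a dynamic address identified by its IKE ID;
            # Packet7's advice is to run that gateway in Aggressive mode.
            if peer_ip == "0.0.0.0" and mode == "Main":
                findings.append(f'gateway "{name}": dynamic peer (ip 0.0.0.0) is set to Main mode')
        elif m := POL_RE.match(line):
            direction, src, dst = m.groups()
            remote = src if direction == "incoming" else dst
            if remote in books:
                tunnel_nets[remote] = books[remote]
    # Overlapping remote networks: the firewall cannot choose the tunnel by
    # destination, so the first active VPN/route wins (Packet7's point above).
    names = sorted(tunnel_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if tunnel_nets[a].overlaps(tunnel_nets[b]):
                findings.append(f'remote networks "{a}" ({tunnel_nets[a]}) and "{b}" ({tunnel_nets[b]}) overlap')
    return findings


print(*audit(SAMPLE_CONFIG), sep="\n")
```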

Packet7 (IS/IT--Management)
29 Aug 07 23:04
Hi,

I didn't see anything in the config.  Have you tried to debug the VPN?  Try the following:

debug ike all
clear db
<test by generating traffic>
undebug all
get db str

Post the results and I will have a look.

Rgds,

John
