
IPSEC tunnel to internal network assistance


nkew (Programmer), Dec 18, 2007
Dear Experts,

I have set up an IPSEC tunnel between mobile sites and our internal network.

The tunnel works perfectly and I'm able to access all internal hosts in our network.

In addition to these, I'd like to be able to access one or two external addresses.

Could anybody advise how I would add a rule enabling users who have successfully established an IPSEC connection to access these IPs?

Many thanks in advance,

Nick

From Trust To Untrust, total policy: 4
34 Internal Network #1 --> Vodafone Handset Range #1 ANY
32 Internal Network #1 --> Vodafone Handset Range #2 ANY

From Untrust To Trust, total policy: 5
35 Vodafone Handset Range #1 --> Internal Network #1 ANY
33 Vodafone Handset Range #2 --> Internal Network #1 ANY
 
Hi,

Are you trying to route dial-up IPSec clients from Untrust to Trust back out to the Internet? If so, you would need to convert your VPN to route-based. Policy-based VPNs are unable to route like route-based VPNs do. Let me know.

Rgds,

John
 
Hi John,

Many thanks for responding to my post.

I want to allow my wireless clients access to one or two sites on the Internet (they are vending machines, so they require authorization for payment etc.), so yes, I want to let them back out onto the Internet.

The machines are connected via a GPRS router connecting to a Cisco router at our ISP (Vodafone), with an IPSEC tunnel between this and our Netscreen firewall.

3G Router -->
Cisco router -->
[IPSEC] <-->
Netscreen Firewall
Our Internal Network (192.168.1.0/24)

I'm a bit stumped as to how I would go about setting up a route-based VPN - would this require changes on my ISP's router, as this is a lengthy process?!

Thanks

Nick
 
Hi,

It is a lengthy process. Is your remote site connected to the Internet or are you running the IPSec tunnel over a private circuit? If the site has internet access, I would provide DNS and Internet access to those hosts at the local site. Let me know.

Rgds,

John
 
Hi John,

The remote site isn't connected to the Internet.

It is routed through a private GPRS Access Point and doesn't have public internet access.

Nick
 
Hi,

OK, let's see if I can summarize the steps for you. I would:
1. Create a VPN zone
2. Create a tunnel interface
3. Remove the Policy based VPN Policies
4. Bind the VPN to the Tunnel Interface
5. Configure the Proxy ID to match the endpoints
6. Add the appropriate policies (e.g. VPN to Trust, VPN to Untrust)
7. Add the appropriate routes to reach VPN clients via Tunnel Interface.

Note: step 6 includes creating normal policies, not VPN rules.

I would backup the configuration before testing this out. Let me know if you have any questions.

Rgds,

John
 
Hi John,

Thanks for taking the time to outline the steps.

Just for clarity, would you mind double-checking the steps I'm taking to get me started - bear with me as I stumble around with this!

1) Create a VPN zone in Network | Zones with:
Zone Type: 'Tunnel Out Zone' set to Untrust
Virtual Router: untrust-vr

Nick
 
Hi Nick,

What ScreenOS are you using?

Rgds,

John
 
Hi John.

Looks like it's 5.3.0 r4.0

Nick
 
Thanks for this, John.

I've completed the following:

====================================
Created Zone
====================================

VPN Zone untrust-vr Root null Security(L3)

====================================
Created Tunnel
====================================

tunnel.2 0.0.0.0/0 VPN Zone Tunnel Down

I deleted all my old policies and backed up.

====================================
Bound tunnel to Vodafone VPN
====================================

I have bound tunnel.2 to Vodafone VPN


====================================
Configure proxy ID to match endpoints
====================================

Not 100% sure here... I have created the following Autokey Advanced > Gateway

To Vodafone Static 212.183.xxx.xxx - Custom

====================================
I've created the following policies
====================================

From VPN Zone To Trust, total policy: 1

42 Any Internal Network #1 ANY

From VPN Zone To Untrust, total policy: 1

(Not bound to a tunnel - is this correct?)

43 Any Vodafone Handset Range #1 ANY

====================================
Add routes to reach clients...
====================================

Not 100% sure with this one...

I take it I select my tunnel.2 instance, but what have I specified as the gateway address?

Your feedback is greatly appreciated.

Would be great to crack this!

Nick
 
I should also point out that the Vodafone end point is 212.183.xxx.xxx

Our end point is
82.108.xxx.xxx

I can't change the Vodafone end point or our end point in the Vodafone router easily...

The Vodafone router is also configured to route

10.10.1.0/24 to 192.168.1.0/24 and
10.10.2.0/24 to 192.168.2.0/24

Just to confuse things!!

Nick
 
Hi,

You can add routes in the appropriate vr for your remote VPN clients. For example, if your VPN clients are on the 10.10.1.0/24 subnet, you can add:

set vr trust route 10.10.1.0 255.255.255.0 int tun.2

This ensures the return routes are routed via the tunnel interface and not out your untrust. Hope this helps.

Rgds,

John
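As an added worked example (not John's or Nick's own commands), here are the seven steps John listed above and the return-route command written out as ScreenOS CLI, using the object names from this thread (tunnel.2, "VPN Zone", "Vodafone VPN", ethernet3, 10.10.1.0/24, trust-vr). The proxy-id values, the per-zone address book entry, the "Payment Host" placeholder and the source NAT on the Untrust policy are assumptions about what the Vodafone side and the payment site expect, not something the thread confirms.

```screenos
# 1. VPN zone, bound to the same virtual router as the other zones (trust-vr)
set zone name "VPN Zone"
set zone "VPN Zone" vrouter "trust-vr"

# 2. Tunnel interface in that zone, unnumbered on the Untrust interface
set interface tunnel.2 zone "VPN Zone"
set interface tunnel.2 ip unnumbered interface ethernet3

# 3. Remove the old policy-based VPN rules (policy ids from the first post)
unset policy id 34
unset policy id 32
unset policy id 35
unset policy id 33

# 4. Bind the existing VPN to the tunnel interface
set vpn "Vodafone VPN" bind interface tunnel.2

# 5. Proxy ID: must mirror the crypto ACL on the Vodafone Cisco router.
#    Assumed here to be 10.10.1.0/24 <-> 192.168.1.0/24 (Nick's note);
#    a mismatch fails in Phase 2, not Phase 1.
set vpn "Vodafone VPN" proxy-id local-ip 192.168.1.0/24 remote-ip 10.10.1.0/24 "ANY"

# 6. Address book entries are per zone, so the handset range needs an
#    entry in "VPN Zone" before it can be a source there (assumption).
set address "VPN Zone" "Vodafone Handset Range #1" 10.10.1.0 255.255.255.0
#    Placeholder for the external payment host; the thread does not name it.
set address "Untrust" "Payment Host" 203.0.113.10 255.255.255.255
#    Ordinary policies (not VPN rules): handsets -> internal LAN, and
#    handsets -> the one external host only, with source NAT so the
#    10.10.1.x address never leaves ethernet3 untranslated.
set policy from "VPN Zone" to "Trust" "Vodafone Handset Range #1" "Internal Network #1" "ANY" permit
set policy from "VPN Zone" to "Untrust" "Vodafone Handset Range #1" "Payment Host" "ANY" nat src permit

# 7. Return route: the clients are reached via the tunnel interface,
#    not via the default route out of ethernet3.
set vrouter "trust-vr" route 10.10.1.0/24 interface tunnel.2
```

Only the client subnets belong in the tunnel route; the IKE peer's own address must still be reachable through ethernet3, so a /32 route for the peer gateway pointing at tunnel.2 (as in the config posted further down, `set route 212.xxx.xxx.35/32 interface tunnel.2`) will stop Phase 1 from ever completing.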
 
Thanks John,

I think I understand... so 10.10.1.0/24 is on the Vodafone side... but how does it route to the private network?

Did everything look OK in the config 2 posts above?

Nick
 
Hi,

I am having a tough time with the formatting. Can you post your config? Feel free to "xxx" the sensitive info.

Rgds,

John
 
Hi John,

I have posted the config below:

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "user"
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "VPN Zone"
set zone "VPN Zone" vrouter "untrust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "VPN Zone" tcp-rst
set zone "Trust" screen alarm-without-drop
set zone "Trust" screen icmp-flood
set zone "Trust" screen udp-flood
set zone "Trust" screen winnuke
set zone "Trust" screen port-scan
set zone "Trust" screen ip-sweep
set zone "Trust" screen tear-drop
set zone "Trust" screen syn-flood
set zone "Trust" screen ip-spoofing
set zone "Trust" screen ping-death
set zone "Trust" screen ip-filter-src
set zone "Trust" screen land
set zone "Trust" screen syn-frag
set zone "Trust" screen tcp-no-flag
set zone "Trust" screen unknown-protocol
set zone "Trust" screen ip-bad-option
set zone "Trust" screen ip-record-route
set zone "Trust" screen ip-timestamp-opt
set zone "Trust" screen ip-security-opt
set zone "Trust" screen ip-loose-src-route
set zone "Trust" screen ip-strict-src-route
set zone "Trust" screen ip-stream-opt
set zone "Trust" screen icmp-fragment
set zone "Trust" screen icmp-large
set zone "Trust" screen syn-fin
set zone "Trust" screen fin-no-ack
set zone "Trust" screen limit-session source-ip-based
set zone "Trust" screen syn-ack-ack-proxy
set zone "Trust" screen block-frag
set zone "Trust" screen limit-session destination-ip-based
set zone "Trust" screen component-block zip
set zone "Trust" screen component-block jar
set zone "Trust" screen component-block exe
set zone "Trust" screen component-block activex
set zone "Trust" screen icmp-id
set zone "Trust" screen ip-spoofing drop-no-rpf-route
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen component-block zip
set zone "Untrust" screen component-block jar
set zone "Untrust" screen component-block exe
set zone "Untrust" screen component-block activex
set zone "Untrust" screen icmp-id
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.2" zone "VPN Zone"
unset interface vlan1 ip
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat
set interface ethernet2 ip 192.168.2.1/24
set interface ethernet2 nat
set interface ethernet3 ip 82.xxx.xxx.56/27
set interface ethernet3 nat
set interface tunnel.1 ip unnumbered interface ethernet3
set interface ethernet3 gateway 82.xxx.xxx.33
set interface ethernet3 mtu 1500
set interface tunnel.2 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 ip manageable
set interface ethernet1 manage mtrace
set interface ethernet2 manage ssh
set interface ethernet2 manage telnet
set interface ethernet2 manage snmp
set interface ethernet2 manage web
set interface ethernet3 manage ping
set interface ethernet3 manage ssh
set interface ethernet3 manage telnet
set interface ethernet3 manage snmp
set interface ethernet3 manage web
set interface vlan1 manage mtrace
set interface ethernet1 dhcp server service
set interface ethernet1 dhcp server enable
set interface ethernet1 dhcp server option gateway 192.168.1.1
set interface ethernet1 dhcp server option netmask 255.255.255.0
set interface ethernet1 dhcp server option dns1 192.168.2.10
set interface ethernet1 dhcp server ip 192.168.1.100 to 192.168.1.150
set interface "ethernet3" mip 82.xxx.xxx.43 host 192.168.2.30 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.42 host 192.168.2.11 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.60 host 192.168.2.31 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.41 host 192.168.2.20 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.44 host 192.168.2.12 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.40 host 192.168.2.10 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.37 host 192.168.2.99 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.38 host 192.168.2.150 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.39 host 192.168.1.201 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.45 host 10.10.1.11 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
set hostname ns25
set dns host dns1 212.xxx.xxx.36
set dns host dns2 195.xxx.xxx.36
set address "Trust" "Internal Network #1" 192.168.1.0 255.255.255.0
set address "Untrust" "Grow Sales" growsales.co.uk
set address "Untrust" "Vodafone Handset Range #1" 10.10.1.0 255.255.255.0
set address "Untrust" "Vodafone Handset Range #2" 10.10.2.0 255.255.255.0
set address "DMZ" "Internal Network #2" 192.168.2.0 255.255.255.0
set user "nick" uid 1
set user "nick" ike-id fqdn "nick" share-limit 1
set user "nick" type ike
set user "nick" "enable"
set ike p1-proposal "ToVodafoneFirewall" preshare group1 esp des md5 second 86400
set ike p2-proposal "ToVodafoneFirewall" group1 esp des md5 second 86400 kbyte 4194302
set ike gateway "To Vodafone" address 212.xxx.xxx.35 Main outgoing-interface "ethernet3" preshare "xxx" proposal "ToVodafoneFirewall"
set ike gateway "To Vodafone" cert peer-ca all
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "Vodafone VPN" gateway "To Vodafone" no-replay tunnel idletime 0 proposal "ToVodafoneFirewall"
set vpn "Vodafone VPN" monitor
set vpn "Vodafone VPN" id 31 bind interface tunnel.2
set vpn-group id 1
set url protocol type sc-cpa
set url type netscreen
set url fail-mode permit
set url protocol sc-cpa
exit
set policy id 21 from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.40)" "ANY" permit url-filter
set policy id 21
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit url-filter
set policy id 1
exit
set policy id 3 from "DMZ" to "Trust" "Any" "Any" "ANY" permit url-filter
set policy id 3
exit
set policy id 4 from "Trust" to "DMZ" "Any" "Any" "ANY" permit url-filter
set policy id 4
exit
set policy id 7 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit url-filter
set policy id 7
exit
set policy id 8 name "External to MHE03" from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.43)" "ANY" permit
set policy id 8
exit
set policy id 10 from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.42)" "ANY" permit
set policy id 10
exit
set policy id 12 name "MHE03 31" from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.60)" "ANY" permit
set policy id 12
exit
set policy id 13 name "MHE02 40" from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.41)" "ANY" permit
set policy id 13
exit
set policy id 16 name "MHE01 12" from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.44)" "ANY" permit
set policy id 16
exit
set policy id 17 from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.37)" "ANY" permit
set policy id 17
exit
set policy id 22 from "Untrust" to "Trust" "Any" "Any" "ANY" permit url-filter
set policy id 22
exit
set policy id 36 from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.38)" "ANY" permit
set policy id 36
exit
set policy id 41 from "Untrust" to "Trust" "Any" "MIP(82.xxx.xxx.39)" "ANY" permit
set policy id 41
exit
set policy id 42 from "VPN Zone" to "Trust" "Any" "Internal Network #1" "ANY" permit
set policy id 42
exit
set policy id 43 from "VPN Zone" to "Untrust" "Any" "Vodafone Handset Range #1" "ANY" permit
set policy id 43
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ssl port 4443
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.10.1.0/24 interface tunnel.2
set route 10.10.2.0/24 interface tunnel.2
set route 212.xxx.xxx.35/32 interface tunnel.2
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
 
Hi,

Since all your zones are bound to your trust-vr, I would do the same with the VPN zone.

Rgds,

John
 
Hi John,

I made that change and also set tunnel.2 to unnumbered interface (Ethernet-3 Untrust)

I then re-created the two policies

VPN Zone To Untrust
VPN Zone To Trust

I also re-added my two static routes (remote networks)

10.10.1.0
10.10.2.0

through the tunnel.

I can't seem to establish a connection to 10.10.1.1 (my test loopback address)

Have I missed something obvious?

Nick
 
I should point out the following error message on the Netscreen also...

Vodafone end...

IKE<212.xxx.xxx.35> Phase 1: Retransmission limit has been reached.
 
I can help you debug the VPN. Do you have access to the CLI on your firewall? If so, try the following commands and upload the output.

get int tun.2
get ike cookie
get sa
get event (few pages should do it)
debug ike all
clear db

ping vpn clients from your pc

undebug all
get db str

I will take a look when you are done.

Rgds,

John
 