
Linksys Dynamic Netscreen Static 1


nobeta

MIS
Jul 8, 2002
I am trying to get a VPN between the Netscreen 25 and the Linksys BEFVP41. The Netscreen has a static IP address and the Linksys is dynamic. If I use the Static option in the Netscreen configuration and enter the IP address of the Linksys, I can establish the tunnel. However, if I try to establish this tunnel with the Dynamic setup on the Netscreen, using Dynamic IP Address and Peer ID, it is not successful. I have worked with Netscreen Support for three days with three different techs and they have verified my configuration is correct. They are basically throwing the problem to Linksys at this point. I was wondering if anyone has been able to get this to work: Linksys dynamic and the Netscreen static.
Thanks for all replies
 
Is there a way in the VPN setup of the Linksys appliance to establish a Local ID? In order for your VPN to be established you need to have either a manual key and Local ID or a preshared key and Local ID. Without one or the other you will not be able to tunnel. Check your event logs and do an ike debug detail. Be sure to clear your dbuf stream first or you will be looking at days and days of debug info.

Paul
 
Thanks for the reply.
My setup is with preshared key and Local ID. Linksys has what they call a "username". This supposedly equates to the Netscreen Local ID; however, it appears there may be some differences in the way Netscreen and Linksys use this ID. For instance, the Netscreen supposedly accepts an email address, IP address, or fully qualified domain name for this field. The only info I can find on what the Linksys expects here is as follows: "The Username is used to connect to a special third-party device (e.g. SonicWALL) which requires the use of Aggressive mode and a username. For example, if you are using a SonicWALL device as remote gateway whose IPSec Gateway Address has been configured as 0.0.0.0, you should select Aggressive mode and configure a Username which matches the SonicWALL's IPSec SA Name."
I have not yet tried the debug myself, but did run one with the Netscreen techs. I will give it a shot.

 
Post the debug stream here and I will look at it. Make sure your preshared key is CASE-SENSITIVE. Also, are you doing a static IP to dynamic IP VPN or static to static?

Paul
 
If you are not expecting constant changes in your setup, you might want to consider a "manual key" setup. It's simpler to setup in my book and easier to troubleshoot.

It will help to solve your "username/local ID" issue.

We have manual key vpns running from Netscreen to both a Linksys and Netopia dynamic IP firewalls with success.

I'm assuming that either way, since you have a dynamic IP for the Linksys, you are setting it up as a "dialup user" on the Netscreen.

Dana
 
penarouth
The Linksys is dynamic and the Netscreen is static. I can get it to work when both are static. It's when the Linksys is dynamic that it does not work. We have some locations that are dynamic, some static, and are trying to get this working both ways. When I get the debug I will post it here.

dmandell
Actually in ScreenOS 3.0.3r5.1 (our current OS) on the Netscreen 25, there are three options for setting up the Remote Tunnel Gateway Configuration: Static, Dynamic, and Dial-Up. I have been attempting to set this up using the Dynamic option, although I did try this using the Dial-Up option as well (no luck). However, I am not opposed to a Manual Key solution like the one you have mentioned. How do you set up the Manual Key using a dynamic IP? It seems to require an IP address for the remote gateway ("Gateway IP"). Since this would be a dynamic IP in our case (the Linksys) I cannot enter one. I am assuming that this is for static only? It will not accept 0.0.0.0. If I could get this to work that would be totally acceptable.

Again, thanks to both of you for your assistance.
 
Yes, when you set up the Netscreen with a dynamic address for the remote tunnel gateway, you need to set it up a little differently, in a way that is not completely intuitive the first time out.

I have to tell you that there is a caveat when setting it up this way. Although the VPN tunnel is bi-directional once opened, the tunnel must always be established from the dynamic gateway side of the tunnel.

e.g. let's say you have your NS-25 at your company office and the Linksys at a user's home. The company office (being a business) has a static address. The home user (having cheap "home quality" service) has a dynamic IP.

Once the VPN is setup, the user from home will be able to access the network at work and get access to files, computers, etc. But, if the user comes into work, he will not be able to start a tunnel to his computer at home because the remote gateway address at home is dynamic.

If this is a problem for your current needs, using Auth-IKE will not solve this. I don't know if Netscreen made this clear to you. If this will work for you, let me know, and I can help you with some of the setup steps.

I hope this helps,
Dana
 
This setup will work out fine for us since basically it is for remote locations (they have Linksys routers and dynamic IP addresses) to access our main branch (Netscreen 25 and static IP). Do you have the Linksys router set up as a Manual Key Dial-Up user on the Netscreen? Any information on your configuration is greatly appreciated.
 
Yes, that is exactly how we have it setup.
Here are the basic steps. If you need more specific info, let me know. I'm doing this from memory, because we are now using v4 which sets up differently.

1. Create a Manual Key user group. (Call it "remote office users" or anything you want.) I think v3 calls it a dial-up user group.

2. Create a Manual Key user. (dial-up user)
a. Add it to your "remote office users" group.
b. You can simplify by using the same SPI for local and remote.
c. The default setup I used was ESP, 3DES, MD5 (SHA-1 is a little better).
d. I used "Generate key by password" to save time.
e. After you save the settings, go back and "edit" the user you created to be sure you see the HEX key boxes filled in.
Note: if you now tick "hex key", it will remove the plain text password from your config file. (A good idea, if you store your config somewhere on the network for safe keeping.)

3. Create a VPN policy.
a. Source address - select Dial-up VPN.
b. Destination address - select your trusted internal LAN to which you want them to have access.
c. Service - Any (or your own definition).
d. Action - Tunnel (or VPN on older OS versions).
e. Tunnel (VPN) - select the Dial-up user group you created.
f. Move the policy to the top.

I think that is about it.
Once you have this working, all you need to do after this for a new connection is create new "dial-up users" for each new connection and add them to the "remote office" dial-up user group.

I hope this helps,
Dana
 
This part I have set up with no problem. The problem I think is how this is translating to the Linksys. Here is what I have:

Security Index on Netscreen: 3001 (Local) 3001 (Remote)
This translates on the Linksys to Inbound SPI 3001 and Outbound SPI 3001. If I try to connect from the dynamic side it does not connect and the Netscreen log reports ">: Received a bad SPI <00000bb9>", which is the decimal 3001 converted to hex. Do I need to convert these numbers from hex to decimal or vice versa before I copy them to the Linksys?

Also, after I generate the encryption and authentication algorithm keys, how do you transfer these values to the Linksys? The Netscreen has two and three fields, respectively, for these keys and the Linksys only has one field for each key and a character limit of 20. Do I only need to copy the key from the first field?

I have been trying all kinds of combinations here and have been unsuccessful as of yet. Thanks as always.
 
Yes, you are correct, I completely forgot that you do need to put the SPI in HEX on the linksys.

According to Linksys, this field length issue is a bug that was fixed in the next firmware release for the BEFVP41. Call Linksys at (800) 326-7114 and they should be able to help you get the update. (Or visit the website?)

Yes, you will need to cut and paste the encryption and authentication keys into the Linksys.

I hope this helps.
Dana
 
I have put the SPI in hex on the Linksys, same result. I am on the latest version of firmware. I called Linksys support and they told me that the Linksys only supports 20 alphanumeric characters for the keys. The Netscreen requires a minimum of 24. Sorry, but I do not see how this can work.
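The two mechanical problems in the exchange above, the decimal-versus-hex SPI and the key that has to be moved from several Netscreen boxes into one Linksys box of 20 characters, are easy to get wrong by hand. The following is an added example, not code from the thread or from either vendor: it converts the SPI the way the Netscreen log shows it, joins the key fields into one hex string, and reports whether a key of the algorithm's size can fit the Linksys field at all. The key sizes (DES 8 bytes, 3DES 24, MD5 16, SHA-1 20) are the standard ones, the 20-character limit is the figure Linksys support gave in the thread, and the sample keys are constructed, not real keys.

```python
# Added example, not from the thread: translating manual-key parameters
# between the Netscreen side (decimal SPI, hex key split across several
# boxes) and the Linksys BEFVP41 side (hex SPI, one key box of 20 characters).
from typing import Dict, Iterable

# Standard key sizes in bytes for the algorithms named in the thread.
KEY_BYTES = {"des": 8, "3des": 24, "md5": 16, "sha1": 20}

# Field limit reported by Linksys support in the thread.
LINKSYS_KEY_FIELD_CHARS = 20


def spi_to_hex(spi_decimal: int) -> str:
    """The Netscreen displays the SPI in decimal; the Linksys expects hex.
    The Netscreen log quoted the SPI as <00000bb9>, which is 3001 in hex."""
    if not 0 <= spi_decimal <= 0xFFFFFFFF:
        raise ValueError("SPI must fit in 32 bits")
    return f"{spi_decimal:08x}"


def spi_to_decimal(spi_hex: str) -> int:
    """Reverse direction, e.g. when reading a 'bad SPI <...>' log line."""
    return int(spi_hex.strip("<>"), 16)


def join_key_fields(fields: Iterable[str]) -> str:
    """The Netscreen shows a generated key in two (encryption) or three
    (authentication) boxes; the Linksys has a single box, so the pieces
    are pasted in order as one continuous hex string."""
    joined = "".join(f.strip().lower() for f in fields)
    if len(joined) % 2 or any(c not in "0123456789abcdef" for c in joined):
        raise ValueError("key fields must hold an even number of hex digits")
    return joined


def key_report(hex_key: str, algorithm: str,
               field_limit: int = LINKSYS_KEY_FIELD_CHARS) -> Dict[str, object]:
    """Check the key against the algorithm and against the peer's input box.
    'length_ok': the key is long enough for the algorithm.
    'fits_field_as_hex': its hex spelling fits in the box.
    'fits_field_as_text': even typed as raw characters, one per byte, it fits.
    Whether the box takes hex or raw text is unknown from the thread, so both
    readings are reported."""
    required = KEY_BYTES[algorithm]
    key_bytes = len(hex_key) // 2
    return {
        "algorithm": algorithm,
        "key_bytes": key_bytes,
        "required_bytes": required,
        "length_ok": key_bytes >= required,
        "fits_field_as_hex": len(hex_key) <= field_limit,
        "fits_field_as_text": key_bytes <= field_limit,
    }


if __name__ == "__main__":
    print(spi_to_hex(3001))  # 00000bb9
    # Constructed sample keys, not keys from the thread.
    k3des = join_key_fields(["0123456789abcdef", "fedcba9876543210", "0011223344556677"])
    print(key_report(k3des, "3des"))  # 24 bytes: long enough, fits neither way
    kdes = join_key_fields(["0123456789abcdef"])
    print(key_report(kdes, "des"))  # 8 bytes: fits either way
```

The 3DES report is the situation described in the post: a 24-byte key is the minimum the algorithm allows, and 24 exceeds 20 whether the box counts hex digits or raw characters, which is why the later suggestion of falling back to DES (8 bytes, 16 hex digits) is the one combination that fits.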
 
I don't either, that's the stupidest thing I have ever heard. (we are not using a BEFVP41 but an older model) But I read that Linksys knew about this issue with the BEFVP41 in March of 2002 and had a fix planned. I am sorry to hear that they are still not in compliance with current ipsec specification. That really sucks.

We have our corporate firewall Netscreen with VPNs working mainly to NS-5 and a few Netopia, and one linksys using DES instead of 3DES.

My understanding is that this is not an issue with IKE, so it really means you are back to trying to get IKE to work. I'm really sorry to have sidetracked you on this. It should have been a piece of cake. (But I'm sure you said that about the auto-IKE setup too.)

Back to your IKE
As far as the username is concerned, if you set the Netscreen to "email address" it really accepts any text string. (I don't suppose the Linksys wants this in HEX too?)

I would still try to target getting it to work with the Linksys configured as a "dial-up" user on the Netscreen.

Good luck,
(I don't know if I have helped you at all at this point.)

Dana


 
nobeta,

go to they have certified netscreen professionals that might be able to help you. Whenever I am in trouble I go there. Better than netscreen tech support. Good luck.

Paul
 
Hello Again,
I just wanted to say thanks to dmandell and penarouth for your responses on this issue. Although I haven't resolved the Linksys issue, I did learn a lot from your suggestions. Penarouth, I still want to do that debug when I get time but it has been hard to find lately. I thought I would let you both know that I gave up on the Linksys and tested a Netgear FVS318, which I did get to work using IKE and aggressive mode. I tried to get the company to go for the Netscreen 5, but no luck. (That would have been too easy.)
But thanks to you both again, and if you ever need to set up a Netscreen to Netgear dynamic let me know.
 
Well, in the NS25 you can assign a Dynamic DNS name in the static gateway instead of an IP; the NS25 will resolve it to the right IP address. Then in the Linksys, if I get this right, you just tell it to use its IP address as an identifier, and that the gateway it connects to is static, so a static gateway IP on both ends solved the problem for me.
 
I am setting up a VPN between the Netgear and a Netscreen 5XP. Please kindly forward your settings to hoot105@hotmail.com or post them here. Thank you in advance. In my setup I have the Netgear on a dynamic IP and the Netscreen with a static IP. The Netscreen log says "unrecognized peer gateway". This is with the IPSec Identifiers set.
 
Check that the peer ID field on the Netscreen matches the local IPSec identifier field on the Netgear. Be aware that with this type of setup you will only be able to initiate the tunnel from the dynamic IP address, in your case from the Netgear.
I changed my dynamic VPNs to use Dynamic DNS and then configured them as static VPNs using the Dynamic DNS name for the IP Address/Hostname field on the Netscreen. This allows you to initiate the tunnel from either side of the VPN and has worked well. You can register for Dynamic DNS using the Netgear by going to the Dynamic DNS screen and clicking on the "click here for information" link. Set up your account (it's free for 5 addresses) and then put your account info into the Netgear.
 
IKE<IP Address>: Received incorrect ID payload: ID type mismatch. The Peer ID and the local ipsec identifier fields are the same. Do you know how to actually see what the netscreen gets when the netgear initiates the tunnel? Thanks!
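"ID type mismatch" in the log line above is a different failure from two identifiers that merely spell differently: in IKE Phase 1 the responder first checks the type of the ID payload (IP address, FQDN, or user@FQDN, which ScreenOS labels "email address") and only then compares the string. The block below is an added example, not code from the thread or from either vendor. It classifies a configured identifier into the RFC 2407 ID type that its shape implies, then compares the Netscreen peer ID with what the remote box sends so the two failure modes can be told apart. It assumes the Netgear derives its ID type from the form of the identifier it was given, which the thread does not confirm; the host names and addresses are constructed.

```python
# Added example, not from the thread: tell an IKE Phase 1 "ID type mismatch"
# apart from an "ID value mismatch" by classifying the identifier strings
# configured on each end.
import ipaddress
import re
from typing import Optional, Tuple

# IKEv1 / IPSEC DOI identification types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1   # ScreenOS "IP address"
ID_FQDN = 2        # ScreenOS "fully qualified domain name"
ID_USER_FQDN = 3   # ScreenOS "email address"

ID_NAMES = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN", ID_USER_FQDN: "ID_USER_FQDN"}

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")
_USER_FQDN_RE = re.compile(rf"^[^@\s]+@(?:{_LABEL}\.)*{_LABEL}$")


def classify_ike_id(value: str) -> Optional[int]:
    """Infer the ID type from the text shape. Assumption (not from the
    thread): the remote box picks its ID type the same way. A bare word
    with no dot and no '@' is not a standard type and returns None."""
    try:
        ipaddress.IPv4Address(value)
        return ID_IPV4_ADDR
    except ValueError:
        pass
    if _USER_FQDN_RE.match(value):
        return ID_USER_FQDN
    if _FQDN_RE.match(value):
        return ID_FQDN
    return None


def check_peer_id(netscreen_peer_id: str, remote_local_id: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Type is compared before value because the
    responder rejects a wrong ID type before it ever compares the string."""
    expected = classify_ike_id(netscreen_peer_id)
    received = classify_ike_id(remote_local_id)
    if expected is None or received is None:
        return False, "unrecognized ID form; use an IP address, FQDN or user@fqdn on both ends"
    if expected != received:
        return False, (f"ID type mismatch: Netscreen expects {ID_NAMES[expected]} "
                       f"({expected}), peer sent {ID_NAMES[received]} ({received})")
    # DNS names are case-insensitive and a trailing dot is not significant.
    if netscreen_peer_id.lower().rstrip(".") != remote_local_id.lower().rstrip("."):
        return False, "ID value mismatch: same type, different string"
    return True, f"match: {ID_NAMES[expected]} {remote_local_id}"


if __name__ == "__main__":
    # Constructed identifiers for illustration only.
    print(check_peer_id("office.example.com", "office.example.com"))   # (True, 'match: ...')
    print(check_peer_id("user@example.com", "office.example.com"))     # ID type mismatch
    print(check_peer_id("office.example.com", "branch.example.com"))   # ID value mismatch
    print(check_peer_id("192.0.2.10", "192.0.2.10"))                   # (True, ...)
```

The practical check this suggests for the post above: if both boxes hold the same string but the Netscreen's peer ID type is set to "email address" while the Netgear identifier is a plain host name (or vice versa), the strings can be identical and the log will still report a type mismatch.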
 