
Netscreen Nightmare! How do I set up VPN 4 Dialup Users?!


valleysupply

IS-IT--Management
Nov 21, 2003
21
US
I really need some pro help. I am a newbie when it comes to Netscreens and VPNs in general. I get a little bit of the concept, but not enough to set up the darn VPN from my laptop (dialed up) to my Netscreen at work. I am supposed to get this up and running ASAP, but I haven't a clue what I'm doing. Can anyone please point me to anywhere that I can find some sort of HowTo or something? I already tried following some doc I found on Netscreen's site, "Windows 2000 Remote VPN to Netscreen using L2TP over IPSec", but to no avail. All the stupid CA stuff is way over my head.

SOMEONE PLEASE HELP!!!!


 
Hello,

Do you have any objections to using the Netscreen VPN client? I might be able to help you. Never used the Windows VPN client, so let me know.

Also, does your Netscreen obtain its policy from a Global Pro, or do you make changes from the CLI or WebUI?

Let me know.

Rgds,

John
 
Dude,

You may wanna check out the following.

If you are running 4.0.3rx or later, the following is a neat little implementation. Go to netscreen.com and hover over Services, select Netscreen's Knowledgebase and search on knowledgebase article ID nskb5202; this is a step by step.

Alternatively, check out the following: under Resources, Manuals and ScreenOS, go to the bottom of the page and you will see a link for archived manuals. Here you will find the Concepts and Examples guides; you will want Volume 4. In this document you will find information on setting up a dialup VPN.

Hope this helps.

regards

Njetscreamer
 
I have no objections to using the NS VPN client, it really doesn't matter to me, as long as I can get it set up and running to get the boss off my back.

Thanks
 
OK, cool. Set up your VPN tunnel and download the VPN client from the Netscreen site. Also, search the NS site to find the latest walk-through. If you like, list what parts you don't understand or are unable to resolve, and we will try and walk you through it.

Rgds,

John
 
Ok, here's the deal. I went through the walk-thru that came with the NS Remote software I have here. I got the thing to connect correctly, but I really don't like using the NS Remote software, because most of the stuff we need to do uses DNS. Also, the NS Remote kept dropping the connection and I couldn't even get connected to anything on the inside. I had the little key in the NS Remote icon in the system tray, but nothing really worked. I could ping across the network, but couldn't get to my intranet site, or the Terminal Server inside the network. I was on a cable internet connection when I tried to do this, so it couldn't be that it was just too slow. I could ping things inside the network, but that was basically it. I'm really getting fed up with this thing because I've been trying to get it working for the past month or so. Any ideas?
 
Hello,

Are you assigning a NAT Pool to your NSR clients? If so, does the VA (Virtual Adapter) get built? Check the VA settings for DNS.

Also, what version of the Netscreen OS are you using? What services are permitted through your VPN rule?

I am guessing that your LAN DNS settings are not being assigned via the VA. That would allow PINGs to get through, but nothing else. Check your ipconfig /all on the client after authenticating. Do you see a Virtual Adapter?

Rgds,

John
 
Don't know about the NAT Pool. VA, I'm guessing, is supposed to be built by NSR when the connection is made, yes? I am running NSOS v4.0.0r10.0. All services are allowed thru the VPN on the NS50 side.
 
Hello,

Sounds like you don't have a NAT Pool at all. Try the following:

- Login via the WebUI
- Objects, IP Pools
- New, create the NAT Pool (i.e. 192.168.1.1 - 192.168.1.200) (OK)
- VPNs, AutoKey Advanced, Gateway, Edit VPN GW, Advanced
- Check Enable XAuth and Use Default, click Return, OK
- VPNs, XAuth Settings
- Set minutes to 480, Auth Server to Local, select the name of your new IP Pool from the drop down, assign your LAN DNS and WINS addresses, Apply, OK

With this in place, your NSR clients should build a VA and obtain DNS/WINS addresses. This should allow the services you desire. Also, depending on your LAN/WAN, you may need to add the NAT Pool subnet to your WAN Routing table. This should be advertised across all edge routers with the next hop of your E1 IP on the NS.

Hope this helps.

Rgds,

John
 
John --

I have NAT Traversal enabled, should I have this enabled?

Do I need to add a route for the IP pool so it can get to the LAN? Or does the NS automatically NAT out the Dialup VPN users for the LAN? (Is this what NAT Traversal does?)

I wont have a chance to test this until tonight, so I'm trying to get everything config'd correctly before I go home.

Thanks!

Jon
 
Hey V,

The NAT-T is needed when remote VPN clients are behind NAT devices. This allows for the Firewall to utilize UDP to pass IPSEC traffic allowing the tunnel to be built.

Once the NAT Pool is added, you will be able to traverse into the trusted side of your NS via the policy. If your LAN is a stub, no other routing should be required. If you're on a WAN or your NS is not the default GW in and out of the office, you might need to advertise the NAT pool subnet on your internal routers. You would simply next hop to the internal IP of your NS.

Does this help? Sorry for the delay...

Rgds,

John
 
John,

Okay, basically, the whole XAuth and VA thing doesn't seem to be working. When I have XAuth enabled on the GW, NSR won't connect at all. It tells me "Message not received! Retransmitting!" and the NS logs say "Phase 1: Rejected proposals from peer. Negotiations failed." When I turn it back off, it will connect fine (but still no VA). If I enable XAuth just on the user, the thing still connects fine, but I still don't get a VA. (The VA should show up if I do an "ipconfig /all", right?) So, I don't know what I'm doing wrong, but it's really starting to frustrate me.
 
Hey,
Do you have user accounts with passwords configured on the local NS? Also, is the XAuth server pointing locally?

What version of the NSR client are you running?

Can you paste your config? Access your trusted IP via Telnet and paste below. xxx out any sensitive data, passwords, IP etc...

Rgds,

John
 
Yes, I have the user accounts w/ passwd's config'd on the local NS (I'm pretty sure). XAuth is pointing locally. I am running NSR 8.0.0 (Build 14). "jklein" is the username I am connecting with. I tried to pick out and highlight in bold the most important sections for ya.

Here's the config...

set auth-server "Local" id 0
set auth-server "Local" timeout 0
set auth-server "Local" server-name "Local"
set auth-server "Valley IAS" id 2
set auth-server "Valley IAS" server-name "172.16.16.2"
set auth-server "Valley IAS" account-type xauth
set auth-server "Valley IAS" secret "xxxxxxxx"
set auth default auth server "Local"
set clock "timezone" -5
set admin format dos
set admin name "administrator"
set admin password nP9mOfrgBiXLcxELRspKeaItpfCPbn
set admin mail alert
set admin mail server-name valley
set admin mail mail-addr1 jklein@xxxxxxxxxxx.com
set admin mail mail-addr2 aklein@xxxxxxxxxxx.com
set admin mail traffic-log
set admin auth timeout 0
set admin auth server "Local"
unset admin hw-reset
set service "Terminal Services" protocol tcp src-port 0-65535 dst-port 3389-3389 group "other"
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
------------------------------------------------
took out security set zones to make post shorter
------------------------------------------------
set interface ethernet3 phy full 100mb
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 172.16.16.254/24
set interface ethernet1 route
set interface ethernet2 ip 192.168.25.1/30
set interface ethernet2 route
set interface ethernet3 ip x.x.x.x/28
set interface ethernet3 route
set interface ethernet3 gateway x.x.x.x
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 ip manageable
set interface ethernet3 manage ping
set interface ethernet3 manage telnet
set interface ethernet3 manage web
set interface "ethernet3" mip x.x.x.x host 172.16.16.2 netmask 255.255.255.255 vr "trust-vr"
set interface ethernet3 dip 4 x.x.x.x x.x.x.x
set domain xxxxxxxxxxxxxx.com
set hostname ns50_valley
set ntp server 128.227.205.3
set address "Trust" "172.16.16.0" 172.16.16.0 255.255.255.0
set address "Trust" "x.x.x.x/24" x.x.x.x 255.255.255.0
set address "DMZ" "BOB" 172.16.48.0 255.255.255.0 "Balitmore MD"
set address "DMZ" "BOL" 172.16.85.0 255.255.255.0 "Ephrata PA"
set address "DMZ" "DVBH" 172.16.30.0 255.255.255.0 "Hatboro PA"
set address "DMZ" "DVBK" 172.16.102.0 255.255.255.0 "King of Prussia PA"
set address "DMZ" "VSEB" 172.16.64.0 255.255.255.0 "Balitmore MD"
set address "DMZ" "VSEL" 172.16.20.0 255.255.255.0 "Leitersburg MD"
set address "DMZ" "VSEM" 172.16.94.0 255.255.255.0 "Manassas VA"
set address "DMZ" "VSER" 172.16.35.0 255.255.255.0 "Rockville VA"
set snmp name "ns50_valley"
set group address "DMZ" "Remote Sites" comment " "
set group address "DMZ" "Remote Sites" add "BOB"
set group address "DMZ" "Remote Sites" add "BOL"
set group address "DMZ" "Remote Sites" add "DVBH"
set group address "DMZ" "Remote Sites" add "DVBK"
set group address "DMZ" "Remote Sites" add "VSEB"
set group address "DMZ" "Remote Sites" add "VSEL"
set group address "DMZ" "Remote Sites" add "VSEM"
set group address "DMZ" "Remote Sites" add "VSER"
set group service "web services"
set group service "web services" add "MAIL"
set group service "web services" add "HTTP"
set ippool "Dialup Users" 192.168.1.1 192.168.1.100
set user "jklein" uid 2
set user "jklein" ike-id u-fqdn "jklein@valley" share-limit 1
set user "jklein" type ike
set user "jklein" password "xxxxxx"
unset user "jklein" type auth
set user "jklein" "enable"

set user "aklein" uid 3
set user "aklein" ike-id u-fqdn "aklein@valley" share-limit 1
set user "aklein" type ike
set user "aklein" "enable"
set user-group "ALL" id 2
set user-group "ALL" location external
set user-group "ALL" type xauth
set user-group "RemoteUsers" id 1
set user-group "RemoteUsers" user "aklein"
set user-group "RemoteUsers" user "jklein"
set ike gateway "gtwy_dialup" dialup "RemoteUsers" Aggr outgoing-interface "ethernet3" preshare "xxxxxxxx" proposal "pre-g2-des-sha"
unset ike gateway "gtwy_dialup" nat-traversal udp-checksum
set ike gateway "gtwy_dialup" nat-traversal keepalive-frequency 5
set ike gateway "gtwy_dialup" xauth server "Local"
set ike policy-checking
set ike respond-bad-spi 1
set vpn "ike_valley" id 2 gateway "gtwy_dialup" replay tunnel idletime 0 proposal "g2-esp-des-sha"
set ike id-mode subnet
set xauth lifetime 480
set xauth default ippool "Dialup Users"
set xauth default dns1 172.16.16.2
set xauth default auth server Local

set l2tp default dns1 172.16.16.2
set policy id 25 name "Valley Web Serv" from "Untrust" to "Trust" "Any" "MIP(x.x.x.x)" "web services" Permit
set policy id 22 from "Untrust" to "Trust" "Any" "MIP(x.x.x.x)" "Terminal Services" Permit
set policy id 22 disable
set policy id 24 from "Untrust" to "Trust" "Dial-Up VPN" "172.16.16.0" "ANY" Tunnel vpn "ike_valley" id 9 log
set policy id 0 from "Trust" to "Untrust" "Any" "Any" "ANY" nat dip-id 2 Permit log
set policy id 12 from "DMZ" to "Trust" "Remote Sites" "172.16.16.0" "ANY" Permit log
set policy id 13 name "Remote Sites NAT" from "DMZ" to "Untrust" "Remote Sites" "Any" "ANY" nat dip-id 2 Permit log
set policy id 16 from "Trust" to "DMZ" "172.16.16.0" "Remote Sites" "ANY" Permit log
set policy id 19 from "Untrust" to "Trust" "Any" "Any" "ANY" Deny log
set policy id 20 from "DMZ" to "Trust" "Any" "Any" "ANY" Deny log
unset global-pro policy-manager primary outgoing-interface
unset global-pro policy-manager secondary outgoing-interface
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn state-name "Maryland"
set pki x509 dn local-name "Washington"
set pki x509 dn org-name "xxxxxxxxxxxxxxxxx"
set pki x509 dn org-unit-name "IT"
set pki x509 dn name "Jon Klein"
set pki x509 dn phone "XXX-XXX-XXXX"
set pki x509 dn email "jklein@xxxxxxxxxxx.com"
set pki x509 dn ip "x.x.x.x"
set pki x509 default send-to "jklein@xxxxxxxxxxxxxx.com"
set dns host dns1 198.6.1.3
set dns host dns2 172.16.16.2
set dns host schedule 00:00
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 172.16.30.0/24 interface ethernet2 gateway 192.168.25.2
set route 172.16.48.0/24 interface ethernet2 gateway 192.168.25.2
set route 172.16.102.0/24 interface ethernet2 gateway 192.168.25.2
set route 172.16.94.0/24 interface ethernet2 gateway 192.168.25.2
set route 172.16.64.0/24 interface ethernet2 gateway 192.168.25.2
set route 172.16.20.0/24 interface ethernet2 gateway 192.168.25.2
set route 172.16.85.0/24 interface ethernet2 gateway 192.168.25.2
set route 172.16.35.0/24 interface ethernet2 gateway 192.168.25.2
exit


Thanks again for your continued assistance with this. I hope we can finally figure this out so I don't end up like this:

Stupid Netscreen....GRR!!
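The chain John described earlier (IP pool, XAuth defaults that hand out the pool and LAN DNS, a dialup gateway with an XAuth server, the VPN bound to that gateway, a Tunnel policy bound to the VPN) can be checked mechanically against a pasted config like the one above. The following Python script is an added example, not code from this thread, from Netscreen or from any ScreenOS tool: it parses the `set` lines a dialup VPN depends on, reports any link in the chain that is missing or dangling, and expands proposal names such as `pre-g2-des-sha` so the gateway's Phase 1 requirements can be compared with what the NSR client offers. The sample config is a constructed excerpt modelled on the posted one, and the token positions the parser relies on are assumptions taken from the line shapes shown on this page, not a complete ScreenOS grammar.

```python
import re

# Constructed excerpt modelled on the dialup-VPN lines of the config pasted above
# (not the poster's full config; the object names are the ones the thread uses).
SAMPLE_CONFIG = """\
set ippool "Dialup Users" 192.168.1.1 192.168.1.100
set user "jklein" ike-id u-fqdn "jklein@valley" share-limit 1
set user "jklein" type ike
set user "jklein" password "xxxxxx"
set user-group "RemoteUsers" user "jklein"
set ike gateway "gtwy_dialup" dialup "RemoteUsers" Aggr outgoing-interface "ethernet3" preshare "xxxxxxxx" proposal "pre-g2-des-sha"
set ike gateway "gtwy_dialup" xauth server "Local"
set vpn "ike_valley" id 2 gateway "gtwy_dialup" replay tunnel idletime 0 proposal "g2-esp-des-sha"
set xauth default ippool "Dialup Users"
set xauth default dns1 172.16.16.2
set xauth default auth server Local
set policy id 24 from "Untrust" to "Trust" "Dial-Up VPN" "172.16.16.0" "ANY" Tunnel vpn "ike_valley" id 9 log
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted name or a bare word


def parse_config(text):
    """Collect the dialup-VPN objects; token positions are assumed from the posted line shapes."""
    cfg = {"ippools": set(), "users": {}, "groups": {}, "gateways": {},
           "vpns": {}, "xauth": {}, "tunnel_policies": {}}
    for raw in text.splitlines():
        t = [s.strip('"') for s in _TOKEN.findall(raw)]
        if len(t) < 4 or t[0] != "set":
            continue
        kind = t[1]
        if kind == "ippool":
            cfg["ippools"].add(t[2])
        elif kind == "user":
            u = cfg["users"].setdefault(t[2], {})
            if t[3:5] == ["type", "ike"]:
                u["ike"] = True
            elif t[3] == "ike-id" and len(t) > 5:
                u["ike_id"] = t[5]          # the identity the client must present
            elif t[3] == "password":
                u["password"] = True
        elif kind == "user-group" and t[3] == "user" and len(t) > 4:
            cfg["groups"].setdefault(t[2], []).append(t[4])
        elif kind == "ike" and t[2] == "gateway":
            g = cfg["gateways"].setdefault(t[3], {})
            if "dialup" in t and "proposal" in t:
                g["dialup_group"] = t[t.index("dialup") + 1]
                g["p1_proposal"] = t[t.index("proposal") + 1]
            elif t[4:6] == ["xauth", "server"]:
                g["xauth_server"] = t[6]
        elif kind == "vpn" and "gateway" in t:
            cfg["vpns"][t[2]] = t[t.index("gateway") + 1]
        elif kind == "xauth" and t[2] == "default":
            # 'xauth default auth server X' versus 'xauth default ippool|dns1 X'
            cfg["xauth"]["auth_server" if t[3] == "auth" else t[3]] = t[-1]
        elif kind == "policy" and "Tunnel" in t and "vpn" in t:
            cfg["tunnel_policies"][t[3]] = t[t.index("vpn") + 1]
    return cfg


def audit_dialup_vpn(cfg):
    """Walk the chain pool -> XAuth -> gateway -> users -> vpn -> policy; return findings."""
    f = []
    pool = cfg["xauth"].get("ippool")
    if pool not in cfg["ippools"]:
        f.append(f"xauth default ippool {pool!r} is missing or has no 'set ippool': no Virtual Adapter")
    if "dns1" not in cfg["xauth"]:
        f.append("no 'set xauth default dns1': the VA gets no LAN DNS, so only pings work")
    for name, g in cfg["gateways"].items():
        if "dialup_group" not in g:
            continue  # site-to-site gateway, not a dialup one
        if "xauth_server" not in g:
            f.append(f"dialup gateway '{name}' has no 'xauth server', so the pool is never handed out")
        for m in cfg["groups"].get(g["dialup_group"], []):
            u = cfg["users"].get(m, {})
            if not (u.get("ike") and u.get("ike_id")):
                f.append(f"user '{m}' needs 'type ike' and an ike-id the client presents exactly")
            if not u.get("password"):
                f.append(f"user '{m}' has no password on the local NS for XAuth")
    for name, gw in cfg["vpns"].items():
        if gw not in cfg["gateways"]:
            f.append(f"vpn '{name}' points at unknown gateway '{gw}'")
    for pid, vpn in cfg["tunnel_policies"].items():
        if vpn not in cfg["vpns"]:
            f.append(f"policy {pid} tunnels into unknown vpn '{vpn}'")
    return f


def describe_proposal(name):
    """Expand a ScreenOS proposal name (pre-g2-des-sha, g2-esp-des-sha) into its parts."""
    info = {"auth": None, "dh_group": None, "cipher": None, "hash": None}
    for p in name.split("-"):
        if p == "pre":
            info["auth"] = "preshared-key"
        elif p[:1] == "g" and p[1:].isdigit():
            info["dh_group"] = int(p[1:])
        elif p in ("des", "3des", "aes128", "aes192", "aes256"):
            info["cipher"] = p
        elif p in ("md5", "sha"):
            info["hash"] = p
    return info
```

Feed it the output of `get config` from the firewall; an empty list from `audit_dialup_vpn` means every object in the chain exists and points at something that exists. For the "Phase 1: Rejected proposals from peer" message, `describe_proposal` on the gateway's `p1_proposal` gives the exact combination (pre-shared key, DH group 2, DES, SHA-1) that the NSR client's Phase 1 settings must offer; note that both proposals on this page use single DES, which a present-day deployment would replace with 3DES or AES.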
 
Hey,

Sorry for the delay. Most of your settings look OK, and I have compared your config to one of our offices that use Pre-Shared local accounts. I think you need to use "jklein@valley" as the username. Give it a try and let me know.

Rgds,

John
 
John,

Over the Easter holiday, I tried changing the logon name to jklein@valley and still to no avail. Any other ideas or anything??

Thanks a lot for all your continued help, etc.
 
Next, you can open up the Log Viewer on the NSR client. This should show you if Phase 1 is being passed. Do you get an IKE cookie?

If you like, paste the contents of an entire NSR client attempt from the login view and I will check it out.



Rgds,

John
 
Nope, no Phase 1 proposal is passing at all. It just says "Message not received!! Resending" or something like that.
 