
NS50 VPN problems

defjab (IS-IT--Management)
Sep 18, 2001
OK, I'll admit my experience with VPNs is limited at best, but here it goes:
We have a NS50 and many users cannot connect. Some users can, and those that can are type IKE,Xauth. I go to edit my user (who cannot log in) and find that I cannot edit him because he is "in use". In fact all users are "in use", but I know this to be a fallacy, because I know none of the users are trying to get in today. That being said, I use the remote client, I can make a connection, but then I am unable to access my remote resources. My experience has been that you are assigned an IP address used within that remote network, but that might not be how this product works. So my questions are these:

1) Will changing my user to the Xauth,IKE type allow me to log in from home?
2) Why are all my Local Users "In Use"?

Thanks
Matt
 
Matt,

there are a host of potential problems here.

First off you need to be fairly clear on what you are trying to get running.
You mention xauth and ike as the type for the user. In my experience with NetScreen you shouldn't have both.

The easiest and most hassle-free setup you could do is described in article id nskb5202, or if you search under shared ike vpn. It sounds to me like this is what you are trying to get running (single policy and VPN for many users).
The reason that the users are 'in use' will be because they are grouped; once the group is assigned to a P1 for a VPN it too will be 'in use', etc. NetScreen is very hierarchical like that.

I doubt that the problem is regarding ike/xauth user types.

What you need to verify is/are the following.

1) Do your dialup users complete authentication and P1 proposals? (You'll see this on the home page.)
2) Do the users complete phase 2?

If the answer to both of the above is yes, then check with a 'get sa active' from the command line that the status (STA) of the tunnel giving you problems is A/x (please note: on dialup tunnels never enable VPN monitoring; it won't work, as this is NetScreen-to-NetScreen LAN-to-LAN proprietary).

If you see 2 entries for the dialup VPN and both are active, then try pinging the internal IP address of the NetScreen (the trust interface IP, or the manage IP thereof if it differs).

If you get a response on this but not past the NetScreen, then you can enable NAT on the inbound dialup policy.

The reason this causes issues is that some ISPs do some internal NATting, which messes up the return path.

Also you can check using the connection monitor if NS-Remote is even sending encrypted data out.

Hope this points you in the right direction.

Kind regards

Njetscreamer
 
OK, things are bizarre. I took an SPD file of a connection I know works and I tried it on my home PC. I can't even get past phase one, so it's not talking to the VPN. I can ping it from home, so I'm thinking the port must be blocked. I tried plugging in directly to my cable modem but my PC couldn't get an IP. I digress; in any case all it says is:
1-06: 19:38:31.531
1-06: 19:38:31.531 My Connections\JMH - Initiating IKE Phase 1 (IP ADDR=xx.xxx.xxx.xxx)
1-06: 19:38:31.609 My Connections\JMH - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
1-06: 19:38:47.500 My Connections\JMH - message not received! Retransmitting!
1-06: 19:38:47.500 My Connections\JMH - SENDING>>>> ISAKMP OAK AG (Retransmission)
1-06: 19:38:47.500 My Connections\JMH - message not received! Retransmitting!
1-06: 19:38:47.500 My Connections\JMH - SENDING>>>> ISAKMP OAK AG (Retransmission)
1-06: 19:38:47.500 My Connections\JMH - message not received! Retransmitting!
1-06: 19:38:47.500 My Connections\JMH - SENDING>>>> ISAKMP OAK AG (Retransmission)
1-06: 19:38:47.500 My Connections\JMH - message not received! Retransmitting!
1-06: 19:38:47.500 My Connections\JMH - SENDING>>>> ISAKMP OAK AG (Retransmission)


And then it stops. So I talked to Comcast (ISP); they said the port isn't blocked (1732). Tried turning on port forwarding on my router and disabled firewalls... anything else I can try, or is this a lost cause?

Thanks
M
 
Defjab,
Sorry for the lag, m8; hectic life I lead, I am afraid.
The port you need to have open is UDP 500; in addition to this you need protocol 50 or protocol 51, depending on whether you are using AH or ESP.
Now the debug you have up there only tells you that NS-Remote is sending packets but not getting a response. What you need to check is whether the packets are arriving at the NetScreen and, if they are, what it is doing with them.

If you set yourself up with SCS/SSH access on your untrusted port of the NetScreen, you can SSH into the box's command line and do the following.
If possible, capture it using PuTTY or something.


NS>set ff src-ip a.b.c.d (your live ip at the time)
NS>debug ike basic
NS>clear db
NS>set console page 0

now try to connect and when this fails capture the output of
NS>get db str

This will show you what is going on, if anything. Also on the home screen you will see on the bottom right the P1 packets coming in, and it'll let you know why it's not accepting them. However, there is a lot more detail in the debug.

When you're done

NS>undebug all
NS>unset ff
NS>clear db
NS>set console page 10
NS>exit

Kind regards

Njetscreamer
 
Here it is. There was a bit at the space, but I believe it was related to a legit tunnel we have with another facility, and I wouldn't want them being compromised : )

JMH-ns50-> get db str
## 18:53:10 : IKE<MY.......IP > ****** Recv packet if <ethernet3> of vsys <Root> ******
## 18:53:10 : IKE<MY.......IP > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 18:53:10 : IKE<MY.......IP > Process [VID]:
## 18:53:10 : IKE<MY.......IP > Process [VID]:
## 18:53:10 : IKE<MY.......IP > Process [VID]:
## 18:53:10 : IKE<MY.......IP > Process [VID]:
## 18:53:10 : IKE<MY.......IP > Process [VID]:
## 18:53:10 : IKE<MY.......IP > rcv non-NAT-Traversal VID payload.
## 18:53:10 : IKE<MY.......IP > Process [SA]:
## 18:53:10 : IKE<MY.......IP > Phase 1: Rejected proposals from peer. Negotiations failed.
## 18:53:10 : IKE<MY.......IP > Construct ISAKMP header.
## 18:53:10 : IKE<MY.......IP > Construct [NOTIF]:(NO_PROPOSAL_CHOSEN)
## 18:53:10 : IKE<MY.......IP > Xmit : [NOTIF]
## 18:53:10 : IKE<MY.......IP > Error send packet

## 18:53:19 : IKE<0.0.0.0 > get_sa_state_by_spi failed for type<2>, spi<00001125>, ip<65.215.112.84>
## 18:53:25 : IKE<MY.......IP > ****** Recv packet if <ethernet3> of vsys <Root> ******
## 18:53:25 : IKE<MY.......IP > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 18:53:25 : IKE<MY.......IP > Process [VID]:
## 18:53:25 : IKE<MY.......IP > Process [VID]:
## 18:53:25 : IKE<MY.......IP > Process [VID]:
## 18:53:25 : IKE<MY.......IP > Process [VID]:
## 18:53:25 : IKE<MY.......IP > Process [VID]:
## 18:53:25 : IKE<MY.......IP > rcv non-NAT-Traversal VID payload.
## 18:53:25 : IKE<MY.......IP > Process [SA]:
## 18:53:25 : IKE<MY.......IP > Phase 1: Rejected proposals from peer. Negotiations failed.
## 18:53:25 : IKE<MY.......IP > Construct ISAKMP header.
## 18:53:25 : IKE<MY.......IP > Construct [NOTIF]:(NO_PROPOSAL_CHOSEN)
## 18:53:25 : IKE<MY.......IP > Xmit : [NOTIF]
## 18:53:25 : IKE<MY.......IP > Error send packet
## 18:53:40 : IKE<MY.......IP > ****** Recv packet if <ethernet3> of vsys <Root> ******
## 18:53:40 : IKE<MY.......IP > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 18:53:40 : IKE<MY.......IP > Process [VID]:
## 18:53:40 : IKE<MY.......IP > Process [VID]:
## 18:53:40 : IKE<MY.......IP > Process [VID]:
## 18:53:40 : IKE<MY.......IP > Process [VID]:
## 18:53:40 : IKE<MY.......IP > Process [VID]:
## 18:53:40 : IKE<MY.......IP > rcv non-NAT-Traversal VID payload.
## 18:53:40 : IKE<MY.......IP > Process [SA]:
## 18:53:40 : IKE<MY.......IP > Phase 1: Rejected proposals from peer. Negotiations failed.
## 18:53:40 : IKE<MY.......IP > Construct ISAKMP header.
## 18:53:40 : IKE<MY.......IP > Construct [NOTIF]:(NO_PROPOSAL_CHOSEN)
## 18:53:40 : IKE<MY.......IP > Xmit : [NOTIF]
## 18:53:40 : IKE<MY.......IP > Error send packet
## 18:53:55 : IKE<MY.......IP > ****** Recv packet if <ethernet3> of vsys <Root> ******
## 18:53:55 : IKE<MY.......IP > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 18:53:55 : IKE<MY.......IP > Process [VID]:
## 18:53:55 : IKE<MY.......IP > Process [VID]:
## 18:53:55 : IKE<MY.......IP > Process [VID]:
## 18:53:55 : IKE<MY.......IP > Process [VID]:
## 18:53:55 : IKE<MY.......IP > Process [VID]:
## 18:53:55 : IKE<MY.......IP > rcv non-NAT-Traversal VID payload.
## 18:53:55 : IKE<MY.......IP > Process [SA]:
## 18:53:55 : IKE<MY.......IP > Phase 1: Rejected proposals from peer. Negotiations failed.
## 18:53:55 : IKE<MY.......IP > Construct ISAKMP header.
## 18:53:55 : IKE<MY.......IP > Construct [NOTIF]:(NO_PROPOSAL_CHOSEN)
## 18:53:55 : IKE<MY.......IP > Xmit : [NOTIF]
## 18:53:55 : IKE<MY.......IP > Error send packet
 
Defjab,

Phase 1: Rejected proposals from peer. Negotiations failed

double check that the VPN you are debugging has the same proposals selected on both sides.
Also verify that the pre-shared key is the same on both sides.

Other than that it ought to connect OK.

If you get a similar message on P2 then you know what to do.

If you get a 'No policy exists for the proxy id received' error on P2 check the policies and make sure that the ip and subnet of both source and destination matches on both sides.

have a look into the P1 error and drop me a note if you are still running into problems.

What type of VPN is this, LAN to LAN or dialup?

Kind regards

Njetscreamer
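The debug procedure above (`set ff src-ip`, `debug ike basic`, `get db str`) and the reading of its output in this reply amount to a small classification task, so here is an added example that is not part of the thread and not NetScreen/Juniper code: a Python script that parses `get db str` lines of the shape posted above and maps each peer's failure lines to the checks suggested here (P1 proposals and pre-shared key, P2 proxy-ID/policy match, a missing NAT-Traversal vendor ID, and the `Error send packet` lines that explain why the client only ever sees its own retransmissions). The gateway and client logs in the block are constructed for the example, with documentation IP addresses in place of the masked ones; the finding names and advice strings are the example's own.

```python
"""Classify IKE failures in ScreenOS `debug ike basic` / `get db str` output.

Added example for the thread, not NetScreen/Juniper code.  LINE_RE matches the
'## HH:MM:SS : IKE<peer> message' lines quoted above; both sample logs below
are constructed, using documentation IPs where the thread masked them.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^## (\d\d:\d\d:\d\d) : IKE<([^>]*)>\s*(.*)$")

# Substrings seen in the debug lines and the finding each one indicates.
MARKERS = [
    ("****** Recv packet", "p1_attempts"),            # new inbound IKE exchange
    ("non-NAT-Traversal VID", "client_no_nat_t"),     # peer did not offer NAT-T
    ("Phase 1: Rejected proposals", "p1_proposal_rejected"),
    ("NO_PROPOSAL_CHOSEN", "notify_no_proposal"),
    ("Error send packet", "reply_send_failed"),       # gateway could not send reply
    ("No policy exists for the proxy id", "p2_proxy_id_mismatch"),
]

# What to check for each finding, in the order the thread suggests (example's own text).
ADVICE = {
    "p1_proposal_rejected": "Phase 1 proposals rejected: compare the P1 proposal set "
                            "on both sides and re-enter the pre-shared key.",
    "p2_proxy_id_mismatch": "Phase 2 proxy-ID mismatch: source/destination IP and "
                            "subnet in the policy must match on both sides.",
    "reply_send_failed":    "The gateway built a reply but failed to send it, so the "
                            "client sees only its own retransmissions.",
    "client_no_nat_t":      "Peer did not offer NAT-Traversal; plain ESP (IP protocol "
                            "50) may not survive a NAT device in the path.",
}

# Constructed gateway log modelled on the one posted in the thread.
NETSCREEN_DEBUG = """\
JMH-ns50-> get db str
## 18:53:10 : IKE<203.0.113.7    > ****** Recv packet if <ethernet3> of vsys <Root> ******
## 18:53:10 : IKE<203.0.113.7    > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
## 18:53:10 : IKE<203.0.113.7    > rcv non-NAT-Traversal VID payload.
## 18:53:10 : IKE<203.0.113.7    > Process [SA]:
## 18:53:10 : IKE<203.0.113.7    > Phase 1: Rejected proposals from peer. Negotiations failed.
## 18:53:10 : IKE<203.0.113.7    > Construct [NOTIF]:(NO_PROPOSAL_CHOSEN)
## 18:53:10 : IKE<203.0.113.7    > Xmit : [NOTIF]
## 18:53:10 : IKE<203.0.113.7    > Error send packet
## 18:53:19 : IKE<0.0.0.0        > get_sa_state_by_spi failed for type<2>, spi<00001125>, ip<198.51.100.9>
## 18:53:25 : IKE<203.0.113.7    > ****** Recv packet if <ethernet3> of vsys <Root> ******
## 18:53:25 : IKE<203.0.113.7    > rcv non-NAT-Traversal VID payload.
## 18:53:25 : IKE<203.0.113.7    > Phase 1: Rejected proposals from peer. Negotiations failed.
## 18:53:25 : IKE<203.0.113.7    > Construct [NOTIF]:(NO_PROPOSAL_CHOSEN)
## 18:53:25 : IKE<203.0.113.7    > Error send packet
## 18:54:02 : IKE<198.51.100.9   > ****** Recv packet if <ethernet3> of vsys <Root> ******
## 18:54:02 : IKE<198.51.100.9   > No policy exists for the proxy id received
"""

# Constructed NS-Remote client log mirroring the one posted in the thread.
CLIENT_LOG = """\
1-06: 19:38:31.531 My Connections\\JMH - Initiating IKE Phase 1 (IP ADDR=203.0.113.1)
1-06: 19:38:31.609 My Connections\\JMH - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
1-06: 19:38:47.500 My Connections\\JMH - message not received! Retransmitting!
1-06: 19:38:47.500 My Connections\\JMH - SENDING>>>> ISAKMP OAK AG (Retransmission)
1-06: 19:39:03.500 My Connections\\JMH - message not received! Retransmitting!
1-06: 19:39:03.500 My Connections\\JMH - SENDING>>>> ISAKMP OAK AG (Retransmission)
"""


def parse_debug(text):
    """Return {peer_ip: {finding: count}} from ScreenOS IKE debug lines."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # prompt echo, blank lines, etc.
        _ts, peer, msg = m.groups()
        for needle, key in MARKERS:
            if needle in msg:
                findings[peer.strip()][key] += 1
    return {peer: dict(counts) for peer, counts in findings.items()}


def diagnose(findings):
    """Map each peer's findings to (finding, advice) pairs worth acting on."""
    return {
        peer: [(key, ADVICE[key]) for key in ADVICE if key in counts]
        for peer, counts in findings.items()
    }


def client_retransmits(text):
    """Count Phase 1 initiations and retransmissions in an NS-Remote log.

    A negotiation that only retransmits never received the gateway's reply,
    which is what the 'Error send packet' lines on the gateway side predict.
    """
    lines = text.splitlines()
    inits = sum("Initiating IKE Phase 1" in ln for ln in lines)
    retx = sum("Retransmitting!" in ln for ln in lines)
    return inits, retx


if __name__ == "__main__":
    for peer, items in diagnose(parse_debug(NETSCREEN_DEBUG)).items():
        print(peer)
        for key, advice in items:
            print(f"  [{key}] {advice}")
    print("client: initiations=%d retransmissions=%d" % client_retransmits(CLIENT_LOG))
```

Run it against a real `get db str` capture by reading the file into `parse_debug`; the script only keys on the message text after `IKE<peer>`, so the masked-IP form posted above parses the same way. Note that `MARKERS` is substring matching on the lines this thread shows, so a ScreenOS build that words its messages differently will need the table extended.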
 
I'm going from my home cable modem to a corp LAN. Dialup isn't used. Thing is, they SHOULD be the same because this is set up by the company we pay to manage our VPN... figures... I'll look into it tomorrow and post back.
 