
Outbound client-originated VPN from trusted network

If I want to allow an internal workstation to be able to use an IPSEC Juniper VPN client to an external host, what do I need to get set up? I've already allowed PPTP and L2TP inspections, but this still isn't working.

Currently I have outside PPTP connections allowed inbound to a Windows server, and that's working fine.

Dave Shackelford MVP
ThirdTier.net
 
You need to pass source and destination UDP ports 500 and 4500, unless you don't use TCP for IPSec... UDP is the default. Also, ESP and AH traffic must be passed through, and add the isakmp nat-traversal command to the config.
 
Yes, but their end needs to support it as well.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
In this situation, VPN was working fine with a different local LinkSys firewall, but broken after the ASA install, so I'm guessing nothing would need to be done on the other end.

Dave Shackelford MVP
ThirdTier.net
 
Didn't work. Here's what I got back in the Juniper client log:

3-17: 16:04:54.125 This is a GA version of NetScreen-Remote.
3-17: 16:04:54.203 Filter table loaded (2 entries).
3-17: 16:05:02.797
3-17: 16:05:02.797 My Connections\ATHATD01 - Initiating IKE Phase 1 (IP ADDR=78.107.90.46)
3-17: 16:05:02.969 My Connections\ATHATD01 - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
3-17: 16:05:03.125 My Connections\ATHATD01 - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
3-17: 16:05:03.125 My Connections\ATHATD01 - Peer supports Dead Peer Detection Version 1.0
3-17: 16:05:03.125 My Connections\ATHATD01 - Dead Peer Detection enabled
3-17: 16:05:03.234 My Connections\ATHATD01 - Hash Payload is incorrect.
3-17: 16:05:03.234 My Connections\ATHATD01 - SENDING>>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_HASH_INFO)
3-17: 16:05:03.234 My Connections\ATHATD01 - Discarding IKE SA negotiation
3-17: 16:05:03.234 My Connections\ATHATD01 - MY COOKIE 78 87 46 88 37 2e 2c 28
3-17: 16:05:03.234 My Connections\ATHATD01 - HIS COOKIE bd 65 e8 41 91 7d f7 d0
3-17: 16:05:07.219 My Connections\ATHATD01 - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
3-17: 16:05:07.219 My Connections\ATHATD01 - Received message for non-active SA
3-17: 16:05:11.219 My Connections\ATHATD01 - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
3-17: 16:05:11.219 My Connections\ATHATD01 - Received message for non-active SA
3-17: 16:05:15.219 My Connections\ATHATD01 - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
3-17: 16:05:15.219 My Connections\ATHATD01 - Received message for non-active SA
3-17: 16:05:19.219 My Connections\ATHATD01 - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
3-17: 16:05:19.219 My Connections\ATHATD01 - Received message for non-active SA
Dave Shackelford MVP
ThirdTier.net
 
Hash Payload is incorrect.
SENDING>>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_HASH_INFO)

The hash isn't set right on the client.

Brent
Systems Engineer / Consultant
CCNP, CCSP
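The two diagnoses in this thread (peer never answers because UDP 500/4500 and ESP/AH are not passed, versus peer answers but the IKE hash check fails because the client's authentication settings don't match) can be told apart mechanically from the NetScreen-Remote client log. The following is an added example, not code from the thread, from Juniper or from Cisco: a small parser for the log line format shown above that classifies the Phase 1 outcome. The line format is inferred from the posted log; the sample lines are constructed, using a placeholder connection name and the documentation address 192.0.2.1 rather than any real endpoint, and the hint text for each verdict simply restates the advice given in the replies above.

```python
import re
from dataclasses import dataclass

# Log line shape seen in the thread: "<m-d>: <hh:mm:ss.mmm> <connection> - <message>"
# Lines without " - " (banner lines, empty timestamps) are skipped.
LINE_RE = re.compile(
    r"^(?P<date>\d+-\d+): (?P<time>\d+:\d+:\d+\.\d+) (?P<conn>.+?) - (?P<msg>.*)$"
)

# Constructed sample: peer answers, but the client rejects the hash (the case in the thread).
HASH_FAIL_LOG = r"""
3-17: 16:05:02.797 My Connections\EXAMPLE - Initiating IKE Phase 1 (IP ADDR=192.0.2.1)
3-17: 16:05:02.969 My Connections\EXAMPLE - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
3-17: 16:05:03.125 My Connections\EXAMPLE - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
3-17: 16:05:03.234 My Connections\EXAMPLE - Hash Payload is incorrect.
3-17: 16:05:03.234 My Connections\EXAMPLE - SENDING>>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_HASH_INFO)
3-17: 16:05:03.234 My Connections\EXAMPLE - Discarding IKE SA negotiation
3-17: 16:05:07.219 My Connections\EXAMPLE - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
3-17: 16:05:07.219 My Connections\EXAMPLE - Received message for non-active SA
3-17: 16:05:11.219 My Connections\EXAMPLE - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
3-17: 16:05:11.219 My Connections\EXAMPLE - Received message for non-active SA
"""

# Constructed sample: the client sends Aggressive Mode and never hears back
# (what a firewall that drops UDP 500/4500 would look like from the client side).
NO_REPLY_LOG = r"""
3-17: 16:10:00.000 My Connections\EXAMPLE - Initiating IKE Phase 1 (IP ADDR=192.0.2.1)
3-17: 16:10:00.100 My Connections\EXAMPLE - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
3-17: 16:10:05.100 My Connections\EXAMPLE - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
"""

# Hints restate the two replies in the thread; they are not vendor text.
HINTS = {
    "no_negotiation": "No 'Initiating IKE Phase 1' line: the client never started a negotiation.",
    "no_reply": "Peer never answered: check that UDP 500/4500 and ESP/AH are permitted "
                "through the firewall and that NAT traversal is enabled.",
    "auth_mismatch": "Peer answered but the IKE hash check failed: the authentication "
                     "settings (hash/pre-shared key) on the client do not match the peer.",
    "phase1_reply_ok": "Peer answered and no hash error was logged; look past Phase 1.",
}


@dataclass
class IkeEvent:
    time: str
    connection: str
    message: str


def parse_log(text: str) -> list[IkeEvent]:
    """Turn raw client log text into IkeEvent records, dropping unparseable lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(IkeEvent(m["time"], m["conn"], m["msg"]))
    return events


def diagnose(text: str) -> dict:
    """Classify the Phase 1 outcome recorded in a client log."""
    events = parse_log(text)
    msgs = [e.message for e in events]
    initiated = any(m.startswith("Initiating IKE Phase 1") for m in msgs)
    sent_ag = any("SENDING>>>>" in m and "OAK AG" in m for m in msgs)
    received_ag = any("RECEIVED<<<" in m and "OAK AG" in m for m in msgs)
    hash_error = any("Hash Payload is incorrect" in m or "INVALID_HASH_INFO" in m for m in msgs)
    # Peer retransmissions arriving after the client discarded the SA.
    stale_retransmits = sum(1 for m in msgs if "non-active SA" in m)

    if not initiated:
        verdict = "no_negotiation"
    elif sent_ag and not received_ag:
        verdict = "no_reply"
    elif hash_error:
        verdict = "auth_mismatch"
    else:
        verdict = "phase1_reply_ok"

    return {
        "verdict": verdict,
        "events": len(events),
        "stale_retransmits": stale_retransmits,
        "hint": HINTS[verdict],
    }


if __name__ == "__main__":
    for name, log in (("hash_fail", HASH_FAIL_LOG), ("no_reply", NO_REPLY_LOG)):
        result = diagnose(log)
        print(f"{name}: {result['verdict']} ({result['events']} events) - {result['hint']}")
```

Running the block prints one verdict per sample; the "no_reply" case is the one to expect while the ASA is still dropping the IKE/ESP traffic, and "auth_mismatch" is what the log in this thread shows once the peer is reachable.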
 