
Please help - LAN to LAN VPN

Status
Not open for further replies.

matt1979

Technical User
Aug 19, 2008

Hi Guys,

I'm a bit of a newbie when it comes to Netscreens, although I am proficient with other firewalls. What I'm trying to achieve here should be incredibly simple... a bog standard LAN-to-LAN VPN using 2 netscreens... an SSG-20 in London and an SSG-5 in Luxembourg.

Having read through a thread here I've learnt several troubleshooting procedures. Please see results below from get sas, policies and ping traces etc.

Anything anyone can suggest would be massively appreciated - thank you in advance!

Matt

----
London LAN IP = 192.168.0.254 /24
London WAN IP = 82.110.40.246

Lux SSG-5 LAN IP = 192.168.1.1 /24
Lux SSG-5 WAN IP = 192.168.10.254

Lux firewall behind NAT Router
Lux Router LAN IP = 192.168.10.1
Lux Router WAN IP = 83.99.61.100



London get sa
ssg20-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 83.99.61.100 500 esp:3des/md5 cf7dd267 451 unlim A/- 8 0
00000001> 83.99.61.100 500 esp:3des/md5 1165f059 451 unlim A/- 7 0


Lux get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 82.110.40.246 500 esp:3des/md5 1165f059 423 unlim A/- 3 0
00000001> 82.110.40.246 500 esp:3des/md5 cf7dd267 423 unlim A/- 2 0


London Policies
ssg20-> get pol from trust to untrust
ID From To Src-address Dst-address Service Action State ASTLCB
7 Trust Untrust 192.168.0.0~ Lux LAN ANY Tunnel enabled -----X
1 Trust Untrust Any Any ANY Permit enabled -----X

ssg20-> get pol from untrust to trust
ID From To Src-address Dst-address Service Action State ASTLCB
8 Untrust Trust Lux LAN 192.168.0.0~ ANY Tunnel enabled -----X


Lux Policies
ssg5-serial-> get pol from trust to untrust
ID From To Src-address Dst-address Service Action State ASTLCB
2 Trust Untrust 192.168.1.0~ 192.168.0.0~ ANY Tunnel enabled -----X
1 Trust Untrust Any Any ANY Permit enabled -----X

ssg5-serial-> get pol from untrust to trust
ID From To Src-address Dst-address Service Action State ASTLCB
3 Untrust Trust 192.168.0.0~ 192.168.1.0~ ANY Tunnel enabled -----X


Ping test from London PC > Lux Firewall
****** 09436.0: <Trust/bgroup0> packet received [60]******
ipid = 4705(1261), @033810f0
packet passed sanity check.
bgroup0:192.168.0.163/13838->192.168.1.1/512,1(8/0)<Root>
no session found
flow_first_sanity_check: in <bgroup0>, out <N/A>
chose interface bgroup0 as incoming nat if.
flow_first_routing: in <bgroup0>, out <N/A>
search route to (bgroup0, 192.168.0.163->192.168.1.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 7.route 192.168.1.1->192.168.1.1, to ethernet0/0
routed (x_dst_ip 192.168.1.1) from bgroup0 (bgroup0 in 0) to ethernet0/0
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.1, port 5454, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 7
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <bgroup0>, out <ethernet0/0>
existing vector list 5-3ba4c0c.
Session (id:8029) created for first pak 5
flow_first_install_session======>
handle cleartext reverse route
search route to (ethernet0/0, 192.168.1.1->192.168.0.163) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
[ Dest] 3.route 192.168.0.163->192.168.0.163, to bgroup0
route to 192.168.0.163
arp entry found for 192.168.0.163
ifp2 bgroup0, out_ifp bgroup0, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 8029
post addr xlation: 192.168.0.163->192.168.1.1.
skipping pre-frag
going into tunnel 40000001.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000001
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
put packet(35ccdb0) into flush queue.
remove packet(35ccdb0) out from flush queue.

**** jump to packet:82.110.40.246->83.99.61.100
out encryption tunnel 40000001 gw:82.110.40.241
no more encapping needed
send out through normal path.
flow_ip_send: 3476:82.110.40.246->83.99.61.100,50 => ethernet0/0(112) flag 0x0, vlan 0
mac 0019cb7d49cd in session
**** pak processing end.


Ping test from Lux PC > London
****** 04309.0: <Trust/bgroup0> packet received [60]******
ipid = 44425(ad89), @02c5a090
packet passed sanity check.
bgroup0:192.168.1.10/10752->192.168.0.254/768,1(8/0)<Root>
no session found
flow_first_sanity_check: in <bgroup0>, out <N/A>
chose interface bgroup0 as incoming nat if.
flow_first_routing: in <bgroup0>, out <N/A>
search route to (bgroup0, 192.168.1.10->192.168.0.254) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 7.route 192.168.0.254->192.168.0.254, to ethernet0/0
routed (x_dst_ip 192.168.0.254) from bgroup0 (bgroup0 in 0) to ethernet0/0
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.0.254, port 8284, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 2
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <bgroup0>, out <ethernet0/0>
install vector flow_ttl_vector
install vector flow_l2prepare_xlate_vector
install vector flow_frag_list_vector
install vector flow_fragging_vector1
install vector flow_encap_vector
install vector flow_fragging_vector
install vector flow_send_shape_vector
install vector NULL
create new vector list 5-33cfc30.
Session (id:4043) created for first pak 5
flow_first_install_session======>
cache mac in the session
make_nsp_ready_no_resolve()
search route to (ethernet0/0, 192.168.0.254->192.168.1.10) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
[ Dest] 3.route 192.168.1.10->192.168.1.10, to bgroup0
route to 192.168.1.10
input pak_ptr = 1e96fc0, pmtu 1500
use pmtu 1500
ipsec overhead: sap->crypto_ctx.iEspHdrLen = 16, sap->crypto_ctx.icvLen = 12
IPv4 ESP fixed overhead 48
cryptic_data_max_len before round down = pmtu - fxed overhead = 1500 - 48 = 1452
cryptic_data_max_len after round down = 1448
mtu after substracting 2-byte trailer = 1446
total vpn overhead 54
flow got session.
flow session id 4043
skipping pre-frag
going into tunnel 40000001.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000001
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
put packet(2f3bbb0) into flush queue.
remove packet(2f3bbb0) out from flush queue.

**** jump to packet:192.168.10.254->82.110.40.246
out encryption tunnel 40000001 gw:192.168.10.1
no more encapping needed
send out through normal path.
flow_ip_send: 1156:192.168.10.254->82.110.40.246,50 => ethernet0/0(112) flag 0x0, vlan 0
mac 001839245508 in session
**** pak processing end.


As far as I can tell from all of the above, everything should be working... and yet my pings all time out :(
 
Hi Peterve,

Thanks for replying but yes I did eventually resolve this.

The problem, it turned out, was the NAT modem in front of the SSG-5. I had to change the tunnel to Aggressive mode because of that, and then it all worked ok.
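As an added check on the data in this thread (example code written for this page, not from the thread or from Juniper): a small parser for the ScreenOS `get sa` listings above that cross-checks the SPIs between the two ends and flags an end whose own untrust address is private but is seen by the peer under a public address, which is the NAT condition the reply identifies. The two listings and the WAN addresses are the thread's own values embedded here as constructed input.

```python
import ipaddress
import re

# Constructed sample input: the two "get sa" listings quoted in the thread,
# plus each box's own untrust interface address (Lux sits behind a NAT router).
LONDON_WAN = "82.110.40.246"
LUX_WAN = "192.168.10.254"
LONDON_GET_SA = """\
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 83.99.61.100 500 esp:3des/md5 cf7dd267 451 unlim A/- 8 0
00000001> 83.99.61.100 500 esp:3des/md5 1165f059 451 unlim A/- 7 0
"""
LUX_GET_SA = """\
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 82.110.40.246 500 esp:3des/md5 1165f059 423 unlim A/- 3 0
00000001> 82.110.40.246 500 esp:3des/md5 cf7dd267 423 unlim A/- 2 0
"""
# One SA row: "<" is the inbound SA, ">" the outbound SA of that tunnel.
SA_LINE = re.compile(
    r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-f]{8})\s+(?P<life>\S+)\s+(?P<kb>\S+)\s+"
    r"(?P<sta>\S+)\s+(?P<pid>\d+)\s+(?P<vsys>\d+)$")

def parse_get_sa(text):
    """Map direction ('<' or '>') to the fields of that SA row."""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sas[m["dir"]] = m.groupdict()
    return sas

def check_pair(local, local_wan, peer, peer_wan):
    """Cross-check one end's SAs against the other's; return a list of findings."""
    findings = []
    # Each side's inbound SPI must be the other side's outbound SPI.
    if local["<"]["spi"] != peer[">"]["spi"] or local[">"]["spi"] != peer["<"]["spi"]:
        findings.append("SPI mismatch: the two ends do not hold the same phase 2 SAs")
    if local["<"]["alg"] != peer["<"]["alg"]:
        findings.append("ESP proposal differs between the ends")
    # A private (RFC 1918) untrust address that the peer sees as public means that
    # end is NATed, so its IKE identity (its IP) will not match what the peer sees.
    for name, wan, seen in (("local", local_wan, peer["<"]["gw"]),
                            ("peer", peer_wan, local["<"]["gw"])):
        if ipaddress.ip_address(wan).is_private and wan != seen:
            findings.append(f"{name} end is behind NAT ({wan} seen as {seen}); "
                            "use aggressive mode with a non-IP IKE ID, or NAT-T")
    return findings
```

Run against the thread's listings it reports no SPI or proposal mismatch and one finding: the Lux end is behind NAT, which matches the fix the reply describes.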

 