
VPN tunnel between Netscreen and Linksys 1


mingtmak (Technical User), Apr 5, 2006
referring to thread907-566205

I'm having trouble setting up a VPN between a Linksys (dynamic IP) and a Netscreen-10 (static IP).
I've attempted what was suggested in the above thread, but still haven't been able to get it working.
I'm using the GUI to set up the Netscreen. There is already a tunnel from another Linksys (same model, BEFVP41), but the IP on that Linksys is static (that tunnel was set up by a different person).

I've attempted setting it up as a dialup user and as a "dynamic IP" with a peer id.

Any help would be appreciated. I'm also not as familiar with Netscreen firewalls.

- Jon
 
Hello Jon,

I would set up a policy-based VPN and configure the Netscreen side for "Aggressive Mode". There are Juniper documents for this type of setup. I have never tried to build a VPN between a Linksys router and a Netscreen, but it should work. If you want, I could help you debug the VPN from the CLI. Let me know if you come across any issues.

Rgds,

John
 
Thanks, I will try to obtain a CLI config and post it.

As mentioned before, there is already a site-to-site tunnel established to a Linksys with a static IP.
Would there be issues (in terms of VPN establishment) if the two remote networks had the same subnet?
Head office (netscreen) - 192.168.1.0
Remote office 1 (linksys - static) - 192.168.7.0
Remote office 2 (linksys - dynamic) - 192.168.7.0

Remote office 2 was using client VPN software to connect to the Netscreen with no issues before.
I'm not concerned with the routing itself, as I can always change the subnets later.

Could you direct me to some documents on creating a policy-based VPN? I've been searching, but they either require a Juniper support contract or they're unrelated.

Thanks!

- Jon
 
Hey Jon,

If the destination networks overlap, the Netscreen will be unable to encrypt the data into the correct tunnel. Basically, the first active VPN and route will prevail. That said, I would renumber the second remote network to 192.168.2.0/24. Regarding the documentation, what ScreenOS are you running? I will try and get you a copy of the Admin Guide. Hope this helps.

Rgds,

John
 
OK, I've changed the networks, so the routing shouldn't be an issue once a tunnel is established.

Below is the config. "ECC Tunnel" is a current site-to-site VPN with a static IP that is working. "OLP Tunnel" is the config for a dynamic IP endpoint and is not working.
Let me know if lines are missing; I copied it from HyperTerminal. I also deleted some dialup tunnels that are used on and off, so as not to cause confusion.

afw1-1-> get config
Total Config size 11575:
set auth type 0
set auth timeout 10
set clock "timezone" 7
set admin format dos
set admin name "XXXX"
set admin password XXXX
set admin sys-ip 0.0.0.0
set admin port 2100
set admin auth timeout 10
set admin auth type Local
unset admin hw-reset
set ip tftp retry 10
set ip tftp timeout 2
set interface trust ip 192.168.1.5 255.255.255.0
set interface untrust ip X.X.X.X 255.255.255.0
set interface untrust gateway X.X.X.X
set interface trust manage ping
set interface trust manage scs
set interface trust manage telnet
unset interface trust manage snmp
set interface trust manage global
set interface trust manage global-pro
set interface trust manage ssl
set interface trust manage web
unset interface trust ident-reset
unset interface untrust manage ping
unset interface untrust manage scs
unset interface untrust manage telnet
unset interface untrust manage snmp
unset interface untrust manage global
unset interface untrust m
unset interface untrust manage ssl
unset interface untrust manage web
unset interface untrust ident-reset
set interface DMZ manage ping
unset interface DMZ manage scs
unset interface DMZ manage telnet
unset interface DMZ manage snmp
unset interface DMZ manage global
unset interface DMZ manage global-pro
unset interface DMZ manage ssl
unset interface DMZ manage web
unset interface DMZ ident-reset
set interface trust dip 4 192.168.1.50 192.168.1.254
set flow mac-flooding
set flow check-session
set domain XXX.XXX
set hostname XXXX
set url fail-mode permit
set address untrust "ECCLan" 192.168.7.0 255.255.255.0
set address untrust "OLP LAN" 192.168.8.0 255.255.255.0
set address trust "AS400" 192.168.1.1 255.255.255.0 "Connection to AS400"
set syn-threshold 200
set firewall tear-drop
set firewall syn-flood
set firewall ip-spoofing
set firewall ping-of-death
set firewall src-route
set firewall land
set firewall icmp-flood
set firewall udp-flood
set firewall winnuke
set firewall port-scan
set firewall i
unset firewall applet
unset firewall bypass-others-ipsec
unset firewall bypass-non-ip
unset firewall session-threshold source-ip-based
set snmp name "XXXX"

set user "ECCtunnel" ike-id fqdn "ecctunnel" share-limit 5
set user "ECCtunnel" type ike
set user "ECCtunnel" "enable"

set user "olptunnel" ike-id fqdn "olptunnel" share-limit 1
set user "olptunnel" type ike
set user "olptunnel" password "type"
unset user "olptunnel" type auth
set user "olptunnel" "enable"

set ike gateway "ECC Tunnel" ip X.X.X.X Main preshare "ecctunne1" proposal "pre-g2-3des-sha"
set ike gateway "ECC Tunnel" nat-traversal
unset ike gateway "ECC Tunnel" nat-traversal udp-checksum
set ike gateway "ECC Tunnel" nat-traversal keepalive-frequency 0

set ike gateway "OLP Gateway" ip 0.0.0.0 id "olp" Main preshare "XXXXX" proposal "pre-g2-3des-sha"
unset ike gateway "OLP Gateway" nat-traversal udp-checksum
set ike gateway "OLP Gateway" nat-traversal keepalive-frequency 5
set ike policy-checking
set ike respond-bad-spi 1

set vpn "Ecc tunnel auto ike" id 34 gateway "ECC Tunnel" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"

set vpn " OLP Auto_IKE" id 39 gateway "OLP Gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set l2tp default
set l2tp default ppp-auth any
set l2tp default radius-port 1645
set ike id-mode subnet
set traffic-shaping ip_precedence 7 6 5 4 3 2 1 0
set policy id 3 name "AS400" incoming "Dial-Up VPN" "AS400" "ANY" Tunnel vpn "AutokeyIke_P2" id 26
set policy id 2 incoming "Dial-Up VPN" "AS400" "ANY" Tunnel vpn "CementeryAutoKeyIKE1_P2" id 27
set policy id 4 name "Our Lady Of Peace Policy" incoming "Dial-Up VPN" "AS400" "ANY" Tunnel vpn "OurLadyAutoKeyIKE_P2" id 28

set policy id 12 name "outbound" outgoing "Inside Any" "Outside Any" "ANY" nat Permit
set policy id 13 name "ECCAccess Policy" incoming "ECCLan" "AS400" "ANY" Tunnel vpn "Ecc tunnel auto ike" id 35
set policy id 14 name "ECCAccess Policy" outgoing "AS400" "ECCLan" "ANY" Tunnel vpn "Ecc tunnel auto ike" id 35
set policy id 16 name "OLP VPN Policy" outgoing "AS400" "OLP LAN" "ANY" Tunnel vpn " OLP Auto_IKE" id 40 log
set policy id 17 name "OLP VPN Policy" incoming "OLP LAN" "AS400" "ANY" Tunnel vpn " OLP Auto_IKE" id 40 log
set dhcp server service
set dhcp server ip 192.168.1.50 to 192.168.1.254
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 X.X.X.X
set dns host dns2 X.X.X.X
set dns host schedule 00:00

- Jon
 
Hi,

I didn't see anything in the config. Have you tried to debug the VPN? Try the following:

debug ike all
clear db
<test by generating traffic>
undebug all
get db str

Post the results and I will have a look.

Rgds,

John
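Editor's note on the protocol point behind John's "Aggressive Mode" advice and the "OLP Gateway" definition in the posted config (ip 0.0.0.0 with a peer ID, but Main mode). With IKEv1 pre-shared-key authentication, the responder has to pick the PSK before it can read the initiator's identity in Main Mode, because the ID payload arrives in message 5, encrypted under keys derived from that PSK; with a peer at an unknown, changing address there is nothing to key the lookup on. Aggressive Mode sends the ID in message 1 in the clear, so the key can be selected by ID, at the price that the authentication hash is also sent unencrypted and can be attacked offline. The following Python is an added example written for this page, not code from the thread, from Juniper or from Linksys. It models only that key-selection moment and the resulting hash check; Diffie-Hellman, cookies and payload encoding are collapsed into constants, and every address, identity and secret in it is constructed for the demo.

```python
"""
Why an IKEv1 PSK peer on a dynamic IP needs Aggressive Mode, and what it costs.
Simplified model: HMAC-SHA1 stands in for the IKE PRF, no Diffie-Hellman, no
real payloads. Keys, IDs and addresses are constructed for the demo.
"""
import hashlib
import hmac
import os

MAIN, AGGRESSIVE = "Main", "Aggressive"


def prf(key, data):
    """IKEv1 PRF with PSK auth: SKEYID = prf(psk, Ni | Nr); HASH_x = prf(SKEYID, ...)."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Responder:
    """The static-IP gateway. PSKs are indexed the two ways a gateway can be
    defined: by peer address (a Main Mode 'ip X.X.X.X' gateway) or by peer
    ID (what a dynamic-address peer has to rely on)."""

    def __init__(self, psk_by_ip, psk_by_id):
        self.psk_by_ip = psk_by_ip
        self.psk_by_id = psk_by_id

    def select_psk(self, mode, src_ip, peer_id):
        if mode == MAIN:
            # Messages 1-4 carry SA, KE and nonces only. IDii comes in msg 5,
            # encrypted under keys derived from the PSK, so the PSK must be
            # chosen before the ID is known: the source address is all there is.
            return self.psk_by_ip.get(src_ip)
        # Aggressive: msg 1 carries SA, KE, Ni and IDii in the clear, so the
        # responder can look the key up by identity, whatever the source IP.
        return self.psk_by_id.get(peer_id)


def phase1(mode, src_ip, peer_id, initiator_psk, responder):
    """Authentication step of Phase 1. Returns (ok, capture); capture is what an
    on-path observer learns, or None when nothing usable is visible."""
    ni, nr = os.urandom(16), os.urandom(16)
    id_r = b"netscreen-hq"  # constructed responder identity
    psk = responder.select_psk(mode, src_ip, peer_id)
    if psk is None:
        return False, None  # no key, so msg 5 cannot even be decrypted
    skeyid_i = prf(initiator_psk, ni + nr)
    skeyid_r = prf(psk, ni + nr)
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b). The DH
    # values, cookies and SA are public, so they collapse to one constant here.
    public = b"gxr|gxi|cky-r|cky-i|sai_b"
    hash_r = prf(skeyid_r, public + id_r)
    ok = hmac.compare_digest(hash_r, prf(skeyid_i, public + id_r))
    # Aggressive Mode sends HASH_R in msg 2 unencrypted; in Main Mode it sits
    # inside the encrypted msg 6, so an observer gets nothing to attack.
    capture = None
    if mode == AGGRESSIVE:
        capture = {"ni": ni, "nr": nr, "public": public, "id_r": id_r, "hash_r": hash_r}
    return ok, capture


def crack_aggressive(capture, wordlist):
    """Offline dictionary attack on a captured Aggressive Mode exchange: every
    input to HASH_R except the PSK was sent in the clear."""
    for cand in wordlist:
        guess = prf(prf(cand, capture["ni"] + capture["nr"]),
                    capture["public"] + capture["id_r"])
        if hmac.compare_digest(guess, capture["hash_r"]):
            return cand
    return None


def demo():
    """Static peer in Main Mode works; dynamic peer fails in Main Mode, works in
    Aggressive Mode, and its weak PSK is then recoverable from the capture."""
    hq = Responder(psk_by_ip={"203.0.113.7": b"ecc-static-secret"},
                   psk_by_id={b"olptunnel": b"olp-dynamic-secret"})
    static_ok, _ = phase1(MAIN, "203.0.113.7", None, b"ecc-static-secret", hq)
    dyn_main_ok, _ = phase1(MAIN, "198.51.100.42", b"olptunnel", b"olp-dynamic-secret", hq)
    dyn_aggr_ok, cap = phase1(AGGRESSIVE, "198.51.100.42", b"olptunnel", b"olp-dynamic-secret", hq)
    recovered = crack_aggressive(cap, [b"password", b"olp-dynamic-secret"])
    return static_ok, dyn_main_ok, dyn_aggr_ok, recovered


if __name__ == "__main__":
    print(demo())
```

The practical consequences for a setup like the one in this thread: the dynamic-IP gateway must be Aggressive Mode with a peer ID that matches exactly what the Linksys sends (FQDN versus IP-address ID types are a common mismatch), and because the PSK is exposed to offline guessing, it should be long and random rather than a word. Some IKE implementations work around the Main Mode limitation with one default PSK for any source address; that keeps Main Mode but means every dynamic peer shares the same secret, which is weaker still.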
 