[vpn-help] Almost connected shrewsoft to Juniper SSG5?

Igor Birman igor_birman at yahoo.com
Sun Jun 27 19:40:18 CDT 2010


Thanks for all the help, I got it working.  The subnet explanation helps, but my real problem is that on the ShrewSoft config, on the Policy tab, I had the client network instead of the Remote network...

Igor



________________________________
From: "mikelupo at aol.com" <mikelupo at aol.com>
To: igor_birman at yahoo.com; klmlk at hotmail.com; vpn-help at lists.shrew.net
Sent: Sun, June 27, 2010 6:28:05 PM
Subject: Re: [vpn-help] Almost connected shrewsoft to Juniper SSG5?

Igor,
I had a similar problem. Different hardware than yours but....
You may need to make sure that the IP address that the VPN gives to the client is a different subnet than the internal LAN that the VPN router manages. 
So if the internal network you are trying to access is 192.168.100.x, then the IP subnet that VPN clients should get needs to be something other than that, for example, 192.168.101.x
 
Mike


 


-----Original Message-----
From: Igor Birman <igor_birman at yahoo.com>
To: kevin shrew-vpn <klmlk at hotmail.com>; vpn-help at lists.shrew.net
Sent: Sun, Jun 27, 2010 3:42 pm
Subject: Re: [vpn-help] Almost connected shrewsoft to Juniper SSG5?


 
Thanks, that helped.  So SA is the Security Association aka Policy?  My policy was set up incorrectly, I changed the policies on the client and on the SSG5 to match, and I no longer get that error.  Now the only remaining problem is that I can't seem to ping the trusted network from my computer.  It looks like all is connected, there are no errors, but ping goes nowhere.  Is there anything else I need to do?  My goal is to get from 192.168.100.130 (client IP), to 192.168.100.100 (server IP).

This is the last event message that I see:

Auth login was passed for gateway <vpnclient_gateway>, username <praetorian>, retry: 0, Client IP Addr<192.168.100.130>, IPPool name:<vpn>, Session-Timeout:<0s>, Idle-Timeout:<0s>.

I am attaching the SSG and ShrewSoft configs:

set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Null"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface bgroup0 port ethernet0/1
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip *.*.*.17/24
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.100.1/24
set interface bgroup0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server enable
set interface bgroup0 dhcp server option lease 1440 
set interface bgroup0 dhcp server option gateway 192.168.100.1 
set interface bgroup0 dhcp server option netmask 255.255.255.0 
set interface bgroup0 dhcp server option dns1 71.252.0.12 
set interface bgroup0 dhcp server option dns2 68.237.161.12 
set interface bgroup0 dhcp server ip 192.168.100.101 to 192.168.100.150 
unset interface bgroup0 dhcp server config next-server-ip
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "192.168.100.100/32" 192.168.100.100 255.255.255.255
set address "Trust" "Trusted Network" 255.255.255.0 255.255.255.128
set ippool "vpn" 192.168.100.130 192.168.100.140
set user "praetorian" uid 14
set user "praetorian" type  xauth
set user "praetorian" password "U2eCWDknN9NQK6shDeC5Ij3HVBna/ZpcFQ=="
unset user "praetorian" type auth
set user "praetorian" "enable"
set user "vpnclient_P1" uid 12
set user "vpnclient_P1" ike-id fqdn "client.gatekeeper.com" share-limit 1
set user "vpnclient_P1" type  ike
set user "vpnclient_P1" "enable"
set user-group "vpnclient_group" id 3
set user-group "vpnclient_group" user "vpnclient_P1"
set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Main local-id "gateway.gatekeeper.com" outgoing-interface "ethernet0/0" preshare "Al/ROO66NmvlIwsjUhCWqDd7/fn9NrlQnA==" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 5
set ike gateway "vpnclient_gateway" xauth server "Local"
unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
set ike gateway "vpnclient_gateway" dpd interval 30
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "vpn"
set xauth default dns1 192.168.100.100
set xauth default dns2 192.168.100.100
set xauth default wins1 192.168.100.100
set xauth default wins2 192.168.100.100
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5" 
set url protocol websense
exit
set policy id 14 from "Untrust" to "Trust"  "Dial-Up VPN" "Trusted Network" "ANY" tunnel vpn "vpnclient_tunnel" id 21 pair-policy 13 
set policy id 14
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 1
set log session-init
exit
set policy id 13 name "vpnclient_in" from "Trust" to "Untrust"  "Trusted Network" "Dial-Up VPN" "ANY" tunnel vpn "vpnclient_tunnel" id 21 pair-policy 14 log 
set policy id 13
exit
set nsmgmt report alarm traffic enable
set nsmgmt report alarm attack enable
set nsmgmt report alarm other enable
set nsmgmt report alarm di enable
set nsmgmt report log config enable
set nsmgmt report log info enable
set nsmgmt report log self enable
set nsmgmt report log traffic enable
set nsmgmt init id 1B9066808588C3EBFA20E948597B446D3AB147F800
set nsmgmt server primary 72.245.188.230 port 7800
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt hb-interval 20
set nsmgmt hb-threshold 5
set nsmgmt enable
set ssh version v2
set ssh enable
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway *.*.*.1 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

ShrewSoft:

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:**.**.**.17
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:client.shrew.com
s:ident-server-data:gateway.shrew.com
b:auth-mutual-psk:Z2F0ZWtlZXBlcg==
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-list-include:192.168.100.130 / 255.255.255.255

Thanks!
Igor





________________________________
 From: kevin shrew-vpn <klmlk at hotmail.com>
To: vpn-help at lists.shrew.net
Sent: Sat, June 26, 2010 1:28:27 PM
Subject: Re: [vpn-help] Almost connected shrewsoft to Juniper SSG5?

On Fri, 25 Jun 2010 19:32:10 -0700 (PDT)
Igor Birman <igor_birman at yahoo.com> wrote:

> I have been trying to set up a VPN connection to an SSG5 by following
> the instructions at:
> 
> http://www.shrew.net/support/wiki/HowtoJuniperSsg
> 
> I am able to establish a connection on the client and get an IP
> address, but then I get some more error messages on the SSG5.  Can
> someone point me to what they mean?  It says no policy exists for the
> proxy ID, and then that the VPN does not have an application SA.  I
> don't understand either message.  Here they are:
> 
> 
> 2010-06-25 22:36:57 info Rejected an IKE packet on ethernet0/0 from
> 71.191.197.230:4500 to xx.xx.xx.17:4500 with cookies 0e6193f393015ecd
> and e153abc6ac9a3cb5 because the VPN does not have an application SA
> configured.
> 2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2: No policy
> exists for the proxy ID received: local ID
> (<192.168.100.0>/<255.255.255.0>, <0>, <0>) remote ID
> (<192.168.100.130>/<255.255.255.255>, <0>, <0>).
> 2010-06-25 22:36:57 info IKE<71.191.197.230> Phase 2 msg ID
> <8d82f56c>: Responded to the peer's first message.
> 2010-06-25 22:36:46 info IKE<71.191.197.230>: XAuth login was passed for gateway
> <vpnclient_gateway>, username <igor>, retry: 0, Client IP
> Addr<192.168.100.130>, IPPool name:<vpn>, Session-Timeout:<0s>,
> Idle-Timeout:<0s>.
> 
> Thanks! Igor
> 

Hi Igor,

I would first check the AutoKey IKE Proxy-ID settings.  (VPNs->AutoKey
IKE->Edit->Advanced).  If you enable the Proxy-ID, I think those have
to match the policy you've defined in the Shrew profile.  For example,
if you have defined in the Shrew profile (on the policy tab) that all
traffic be tunneled, I think the Local IP/Netmask on the SSG should be
0.0.0.0/0.  If you've specified a subnet in Shrew (eg.
10.1.0.0/255.255.0.0) then the Local IP/Mask on the SSG should be
10.1.0.0/16.  You really don't need to enable the Proxy-ID, however.

If those are correct (or you don't have the Proxy-ID enabled), then make
sure you have a firewall policy defined that matches the Shrew VPN
profile.  Going by my second example above, the policy should be
defined as:

From zone Untrust
To zone Trust
Source address Dial-Up VPN
Destination address 10.1.0.0/16  (for example).

The Destination Address is what needs to match the entry in the Shrew
profile Policy tab.  For my first example (tunnel all), the destination
address would be Any.
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
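Kevin's matching rule (the Shrew Policy tab entry must equal the destination address of the SSG "Dial-Up VPN" tunnel policy) and Mike's subnet advice (the XAuth ippool should not sit inside the trusted LAN), as an added Python check that is not part of this thread; it parses constructed excerpts in the two config formats posted above, and the function names and sample values are mine.

```python
import ipaddress
import re

# Constructed excerpts in the formats posted in this thread (not Igor's full configs).
SSG_CONFIG = """\
set interface bgroup0 ip 192.168.100.1/24
set address "Trust" "Trusted Network" 192.168.100.0 255.255.255.0
set ippool "vpn" 192.168.100.130 192.168.100.140
set policy id 14 from "Untrust" to "Trust" "Dial-Up VPN" "Trusted Network" "ANY" tunnel vpn "vpnclient_tunnel"
"""
# The Policy tab entry Igor had at first: his own client address instead of the remote network.
SHREW_WRONG = "s:policy-list-include:192.168.100.130 / 255.255.255.255\n"
SHREW_FIXED = "s:policy-list-include:192.168.100.0 / 255.255.255.0\n"

def shrew_includes(profile):
    """Networks on the Shrew Policy tab: 's:policy-list-include:addr / mask' lines."""
    nets = []
    for line in profile.splitlines():
        if line.startswith("s:policy-list-include:"):
            addr, mask = (p.strip() for p in line.split(":", 2)[2].split("/"))
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def ssg_dialup_destinations(config):
    """Destination networks of SSG tunnel policies whose source is "Dial-Up VPN"."""
    book = {m[1]: ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            for m in re.finditer(r'set address "[^"]+" "([^"]+)" (\S+) (\S+)', config)}
    dests = []
    for m in re.finditer(r'set policy id \d+ .*?"Dial-Up VPN" "([^"]+)" "[^"]+" tunnel', config):
        dests.append(ipaddress.ip_network("0.0.0.0/0") if m[1].lower() == "any" else book[m[1]])
    return dests

def check(config, profile):
    """Return mismatch descriptions; an empty list means the two sides agree."""
    problems = []
    dests = ssg_dialup_destinations(config)
    for net in shrew_includes(profile):
        if net not in dests:  # Kevin's point: Policy tab entry must match the policy destination
            problems.append(f"Shrew include {net} matches no SSG dial-up policy destination {dests}")
    lan = ipaddress.ip_interface(re.search(r"set interface bgroup0 ip (\S+)", config)[1]).network
    lo, hi = re.search(r'set ippool "[^"]+" (\S+) (\S+)', config).groups()
    if ipaddress.ip_address(lo) in lan or ipaddress.ip_address(hi) in lan:
        problems.append(f"ippool {lo}-{hi} lies inside the trusted LAN {lan}")  # Mike's advice
    return problems
```

With SHREW_WRONG the script reports both findings; with SHREW_FIXED only the pool overlap remains, which Igor's working setup shows is a warning rather than a hard failure.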