[vpn-help] FW: VPN client does not work with Netscreen 5GT 6.2.0r11.0

Willem Kutschruiter willem.kutschruiter at cynit.com
Thu Jul 4 14:59:56 CDT 2013


Team,

 

I have fixed this problem.

 

It works with the 2.1.7 client software, but also with 2.2.1.

 

Believe it or not — you have all probably passed over this a long time ago —
but the wrong phase 2 policy was defined on the NetScreen.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15272

http://kb.juniper.net/InfoCenter/index?page=content&id=KB22074

 

Met vriendelijke groet, kind Regards,

 

Willem Kutschruiter

+31653229596

 

Van: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] Namens Erik V
Verzonden: dinsdag 2 juli 2013 13:33
Aan: vpn-help at lists.shrew.net
Onderwerp: [vpn-help] FW: VPN client does not work with Netscreen 5GT
6.2.0r11.0

 

Hi Willem,

If you install the Shrew Soft 2.1.7 client (it is officially not supported) and
try it again, does it pass any traffic then?



 

Van: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] Namens Willem Kutschruiter
Verzonden: zondag 30 juni 2013 15:00
Aan: vpn-help at lists.shrew.net
Onderwerp: [vpn-help] VPN client does not work with Netscreen 5GT 6.2.0r11.0

 

LS,

 

I would appreciate some help..

 

I'm using the Shrew Soft VPN client version 2.2.1 on Windows 8 to connect to a
NetScreen 5GT running version 6.2.0r11.0.

 

I cannot get it to work: it connects, but it does not pass any traffic.

 

I have read and followed the configuration described in the following links:

https://www.shrew.net/support/Howto_Juniper_SSG

http://www.the-internet-guy.com/pdf/Juniper_firewall_setup_for_Shrewsoft_VPN_connectivity.pdf

http://www.the-internet-guy.com/pdf/Shrew_VPN_Client_Setup_for_Juniper_Connectivity.pdf

http://kb.juniper.net/InfoCenter/index?page=content&id=KB22074

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15272

 

 

Furthermore, I have done a lot of debugging with no positive results.

 

Below are the configs. I have deleted or modified any info which could breach
our security. (Note: the `get config` output below still contains the stored
admin password, the xauth user password and the IKE preshare values in their
encoded form, and the client file's `b:auth-mutual-psk` value appears to be
only base64-encoded; these should be redacted before posting, or rotated
afterwards.)

The config of the Shrew Soft client side:

 

n:version:4

n:network-ike-port:500

n:network-mtu-size:1380

n:client-addr-auto:1

n:network-natt-port:4500

n:network-natt-rate:15

n:network-frag-size:540

n:network-dpd-enable:0

n:client-banner-enable:0

n:network-notify-enable:0

n:client-dns-used:1

n:client-dns-auto:1

n:client-dns-suffix-auto:1

n:client-splitdns-used:1

n:client-splitdns-auto:1

n:client-wins-used:1

n:client-wins-auto:1

n:phase1-dhgroup:2

n:phase1-life-secs:28800

n:phase1-life-kbytes:0

n:vendor-chkpt-enable:0

n:phase2-life-secs:3600

n:phase2-life-kbytes:0

n:policy-nailed:0

n:policy-list-auto:0

n:phase1-keylen:128

n:phase2-keylen:128

s:network-host:x.x.x.114

s:client-auto-mode:push

s:client-iface:virtual

s:network-natt-mode:enable

s:network-frag-mode:enable

s:auth-method:mutual-psk-xauth

s:ident-client-type:ufqdn

s:ident-server-type:fqdn

s:ident-client-data:user at domain.yy

s:ident-server-data:aa.bb.cc

b:auth-mutual-psk:MmcwMEQyYmU=

s:phase1-exchange:aggressive

s:phase1-cipher:3des

s:phase1-hash:sha1

s:phase2-transform:auto

s:phase2-hmac:auto

s:ipcomp-transform:disabled

n:phase2-pfsgroup:-1

s:policy-level:auto

s:policy-list-include:192.168.30.0 / 255.255.255.0

 

 

The config of the NetScreen 5GT:

 

FW-Polen-> get config

Total Config size 10407:

unset key protection enable

set clock ntp

set clock timezone 1

set clock dst recurring start-weekday 3 0 3 02:00 end-weekday 3 0 10 02:00

set vrouter trust-vr sharable

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset auto-route-export

exit

set alg appleichat enable

unset alg appleichat re-assembly enable

set alg sctp enable

set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "support"

set admin password "nNx2MBrLIXzOcHAP8sJHT7CtbCGjCn"

set admin manager-ip x.x.0.0 255.255.0.0

set admin manager-ip x.x.x.x 255.255.255.224

set admin auth web timeout 10

set admin auth server "Local"

set admin format dos

set zone "Trust" vrouter "trust-vr"

set zone "Untrust" vrouter "trust-vr"

set zone "VLAN" vrouter "trust-vr"

set zone "Untrust-Tun" vrouter "trust-vr"

set zone "Trust" tcp-rst

unset zone "Untrust" block

unset zone "Untrust" tcp-rst

set zone "MGT" block

unset zone "V1-Trust" tcp-rst

unset zone "V1-Untrust" tcp-rst

set zone "VLAN" tcp-rst

set zone "Untrust" screen tear-drop

set zone "Untrust" screen syn-flood

set zone "Untrust" screen ping-death

set zone "Untrust" screen ip-filter-src

set zone "Untrust" screen land

set zone "V1-Untrust" screen tear-drop

set zone "V1-Untrust" screen syn-flood

set zone "V1-Untrust" screen ping-death

set zone "V1-Untrust" screen ip-filter-src

set zone "V1-Untrust" screen land

set interface "trust" zone "Trust"

set interface "untrust" zone "Untrust"

set interface "tunnel.1" zone "Untrust"

unset interface vlan1 ip

set interface trust ip 192.168.30.252/24

set interface trust nat

set interface untrust ip x.x.x.114/30

set interface untrust route

set interface tunnel.1 ip unnumbered interface untrust

unset interface vlan1 bypass-others-ipsec

unset interface vlan1 bypass-non-ip

unset interface vlan1 bypass-ipv6-others-ipsec

set interface vlan1 bypass-icmpv6-ndp

set interface vlan1 bypass-icmpv6-mld

unset interface vlan1 bypass-icmpv6-mrd

unset interface vlan1 bypass-icmpv6-msp

set interface vlan1 bypass-icmpv6-snd

set interface trust ip manageable

set interface untrust ip manageable

set interface untrust manage ping

set interface untrust manage ssh

set interface untrust manage web

set interface untrust vip interface-ip 25 "MAIL" 192.168.1.1 manual

set interface trust dhcp server service

set interface trust dhcp server auto

set interface trust dhcp server option lease 360

set interface trust dhcp server ip 192.168.30.10 to 192.168.30.100

unset interface trust dhcp server config next-server-ip

set flow tcp-mss 1300

set flow path-mtu

unset flow tcp-syn-check

unset flow tcp-syn-bit-check

set flow reverse-route clear-text prefer

set flow reverse-route tunnel always

set domain polen.local

set hostname FW-Polen

set dbuf usb filesize 0

set pki authority default scep mode "auto"

set pki x509 default cert-path partial

set dns host dns1 192.168.1.1

set dns host schedule 06:28

set address "Trust" "LAN_Local" 192.168.30.0 255.255.255.0

set address "Untrust" "192.168.255.0/24" 192.168.255.0 255.255.255.0

set address "Untrust" "Internet LAN" k.l.m.173 255.255.255.252 

set address "Untrust" "Internet Router" k.l.m.173 255.255.255.255 

set address "Untrust" "LAN_Remote1" 192.168.1.0 255.255.255.0 

set address "Untrust" "LAN_Remote2" 192.168.10.0 255.255.255.0

set ippool "shrew-Pool" 192.168.255.10 192.168.255.20

set user "Erik" uid 2

set user "Erik" ike-id u-fqdn "user at domain.xx" share-limit 1

set user "Erik" type ike

set user "Erik" "enable"

set user "Martin" uid 4

set user "Martin" ike-id u-fqdn "user at domain.yy" share-limit 1

set user "Martin" type ike

set user "Martin" "enable"

set user "Shrew-vpn-user" uid 3

set user "Shrew-vpn-user" ike-id u-fqdn "user at domain.yy" share-limit 1

set user "Shrew-vpn-user" type ike

set user "Shrew-vpn-user" "enable"

set user "willem" uid 7

set user "willem" type xauth

set user "willem" remote ippool "shrew-Pool"

set user "willem" password "JC0Ja8qyNJpwmssZ11CcReMzGlnSWZz1Jg=="

unset user "willem" type auth

set user "willem" "enable"

set user-group "Shrew-VPN-Users" id 3

set user-group "Shrew-VPN-Users" user "Shrew-vpn-user"

set user-group "VPN-Users" id 1

set user-group "VPN-Users" user "Erik"

set user-group "VPN-Users" user "Martin"

set crypto-policy

exit

set ike gateway "Gateway for LAN_Remote1" address k.l.m.174 Main
outgoing-interface "untrust" preshare "zd/EX7JdNV+6ktsdzfC/5wmx/9nBVvDh6w=="
sec-level compatible

set ike gateway "Gateway for LAN_Remote1" nat-traversal

set ike gateway "Gateway for LAN_Remote1" nat-traversal udp-checksum

set ike gateway "Gateway for LAN_Remote1" nat-traversal keepalive-frequency
5

set ike gateway "GW_vpn-user" dialup "VPN-Users" Aggr local-id "GW_vpn-user"
outgoing-interface "untrust" preshare "KnhedI6qNvbKv1s+8zCiscjFEjn/V6Y2DA=="
proposal "pre-g2-3des-sha" "pre-g2-3des-md5"

unset ike gateway "GW_vpn-user" nat-traversal udp-checksum

set ike gateway "GW_vpn-user" nat-traversal keepalive-frequency 5

set ike gateway "Gateway for LAN_Remote2" address 0.0.0.0 id "Waldheim" Aggr
local-id "Polen" outgoing-interface "untrust" preshare
"qy7AixgQNWCzossSZlCIaTfix8nlznNHpQ==" sec-level compatible

unset ike gateway "Gateway for LAN_Remote2" nat-traversal udp-checksum

set ike gateway "Gateway for LAN_Remote2" nat-traversal keepalive-frequency
5

set ike gateway "shrew-vpn-gateway" dialup "Shrew-VPN-Users" Aggr local-id
"aa.bb.cc" outgoing-interface "untrust" preshare
"aXe1Ag/hNyCAtns/3KC1vMPOumnB6zMGag==" proposal "pre-g2-3des-sha"

set ike gateway "shrew-vpn-gateway" dpd-liveness interval 30

unset ike gateway "shrew-vpn-gateway" nat-traversal udp-checksum

set ike gateway "shrew-vpn-gateway" nat-traversal keepalive-frequency 20

set ike gateway "shrew-vpn-gateway" xauth server "Local"

unset ike gateway "shrew-vpn-gateway" xauth do-edipi-auth

set ike respond-bad-spi 1

set ike gateway "Gateway for LAN_Remote1" heartbeat hello 60

set ike gateway "Gateway for LAN_Remote1" heartbeat reconnect 60

set ike gateway "Gateway for LAN_Remote2" heartbeat hello 60

set ike gateway "Gateway for LAN_Remote2" heartbeat reconnect 60

set ike ikev2 ike-sa-soft-lifetime 60

unset ike ikeid-enumeration

unset ike dos-protection

unset ipsec access-session enable

set ipsec access-session maximum 5000

set ipsec access-session upper-threshold 0

set ipsec access-session lower-threshold 0

set ipsec access-session dead-p2-sa-timeout 0

unset ipsec access-session log-error

unset ipsec access-session info-exch-connected

unset ipsec access-session use-error-log

set xauth default dns1 192.168.30.101

set xauth default dns2 192.168.30.101

set xauth default wins1 192.168.30.101

set xauth default wins2 192.168.30.101

set vpn "Tunnel for LAN_Remote1" gateway "Gateway for LAN_Remote1" no-replay
tunnel idletime 0 sec-level compatible

set vpn "Tunnel for LAN_Remote1" monitor

set vpn "tunnel-vpn-user" gateway "GW_vpn-user" replay tunnel idletime 0
proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"

set vpn "tunnel-vpn-user" monitor

set vpn "Tunnel for LAN_Remote2" gateway "Gateway for LAN_Remote2" no-replay
tunnel idletime 0 proposal "g2-esp-3des-sha"  "g2-esp-3des-md5"
"g2-esp-des-sha"  "g2-esp-des-md5"

set vpn "Tunnel for LAN_Remote2" monitor

set vpn "Shrew-Vpn-Tunnel" gateway "shrew-vpn-gateway" no-replay tunnel
idletime 0 proposal "g2-esp-3des-sha"

set vpn "Shrew-Vpn-Tunnel" monitor

set vpn "Shrew-Vpn-Tunnel" id 0xc bind interface tunnel.1

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit

set l2tp "WindowsVPN-l2tp" id 1 outgoing-interface untrust keepalive 60

set url protocol websense

exit

set vpn "Shrew-Vpn-Tunnel" proxy-id local-ip 192.168.30.0/24 remote-ip
255.255.255.255/32 "ANY"

set policy id 6 from "Untrust" to "Trust"  "Any-IPv4" "VIP(untrust)" "MAIL"
permit log count

set policy id 6 application "SMTP"

set policy id 6

set log session-init

exit

set policy id 1 from "Untrust" to "Trust"  "LAN_Remote1" "LAN_Local" "ANY"
tunnel vpn "Tunnel for LAN_Remote1" id 0x5 pair-policy 5 log count traffic
mbw 1024

set policy id 1

set log session-init

exit

set policy id 8 name "LAN_Remote2" from "Untrust" to "Trust"  "LAN_Remote2"
"LAN_Local" "ANY" tunnel vpn "Tunnel for LAN_Remote2" id 0x8 pair-policy 9
log count traffic mbw 1024

set policy id 8

exit

set policy id 5 from "Trust" to "Untrust"  "LAN_Local" "LAN_Remote1" "ANY"
tunnel vpn "Tunnel for LAN_Remote1" id 0x5 pair-policy 1 log count traffic
mbw 1024

set policy id 5

set log session-init

exit

set policy id 9 name "LAN_Remote2" from "Trust" to "Untrust"  "LAN_Local"
"LAN_Remote2" "ANY" tunnel vpn "Tunnel for LAN_Remote2" id 0x8 pair-policy 8
log count traffic mbw 1024

set policy id 9

exit

set policy id 0 from "Trust" to "Untrust"  "Any-IPv4" "Any-IPv4" "ANY"
permit log count

set policy id 0

exit

set policy id 4 name "vpn-user" from "Untrust" to "Trust"  "Dial-Up VPN
IPv4" "LAN_Local" "ANY" tunnel vpn "tunnel-vpn-user" id 0x6 pair-policy 7
log count

set policy id 4

set log session-init

exit

set policy id 7 name "vpn-user" from "Trust" to "Untrust"  "LAN_Local"
"Dial-Up VPN IPv4" "ANY" tunnel vpn "tunnel-vpn-user" id 0x6 pair-policy 4
log count

set policy id 7

set log session-init

exit

set policy id 10 from "Untrust" to "Trust"  "192.168.255.0/24" "LAN_Local"
"ANY" permit log

set policy id 10

set log session-init

exit

set nsmgmt bulkcli reboot-timeout 60

set ssh version v2

set ssh enable

set config lock timeout 5

unset license-key auto-update

set telnet client enable

set ntp server "46.19.33.5"

set ntp server backup1 "81.171.44.131"

set ntp server backup2 "0.0.0.0"

set modem speed 115200

set modem retry 3

set modem interval 10

set modem idle-time 10

set snmp name "zetten"

set snmp port listen 161

set snmp port trap 162

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset add-default-route

set route 0.0.0.0/0 interface untrust gateway x.x.x.113

set route 192.168.255.0/24 interface tunnel.1

exit

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit

FW-Polen->

 

Met vriendelijke groet, kind Regards,

 

Willem Kutschruiter

+31653229596

 




















