<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.5969" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left>
<DIV dir=ltr align=left><FONT face=Arial size=2>Hi David,</FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial size=2>Did you configure the Juniper SSG 550 following the instructions on page 22 of the Juniper document "Concepts &amp; Examples ScreenOS 6.3 Reference Guide" (section "<I>Example: Configuring IRAC and IRAS to Get an IP Address from a Local and External Databases</I>")?</FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial size=2><A href="http://www-jnet.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf">http://www-jnet.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf</A></FONT></DIV>
<DIV dir=ltr align=left>
<P><FONT face=Arial size=2>Best regards,</FONT></P>
<P><FONT face=Arial size=2>Laurence</FONT></P>
</DIV></DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B>
users-bounces+laurence.groebl=alcatel-lucent.com@lists.strongswan.org
[mailto:users-bounces+laurence.groebl=alcatel-lucent.com@lists.strongswan.org]
<B>On Behalf Of </B>David Deng<BR><B>Sent:</B> Saturday, 18 September 2010
17:26<BR><B>To:</B> Andreas Steffen<BR><B>Cc:</B>
users@lists.strongswan.org<BR><B>Subject:</B> Re: [strongSwan] Interoperate
with Juniper SSG 550M failed<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>Hi Andreas, </DIV>
<DIV> </DIV>
<DIV>Thank you for your prompt response! When I added the following item:</DIV>
<DIV> </DIV>
<DIV>leftsourceip=%config</DIV>
<DIV> </DIV>
<DIV>one payload [CP] can be seen added to the message, but it seems that the Juniper SSG 550M cannot handle this CP payload and the procedure cannot be completed.</DIV>
<DIV> </DIV>
<DIV>Therefore, I am not sure whether this issue is caused by these unset configuration items. Please help to check further, thanks again!</DIV>
<DIV> </DIV>
<DIV>Best wishes,</DIV>
<DIV>david morris<BR></DIV>
<DIV class=gmail_quote>2010/9/18 Andreas Steffen <SPAN dir=ltr><<A
href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</A>></SPAN><BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hi
David,<BR><BR>If you want the Juniper SSG 550M to allocate an inner IP
address,<BR>then you must
specify<BR><BR> leftsourceip=%config<BR><BR>in the conn FAP0
definition. As always, a strongSwan log would<BR>help in identifying any
connection setup problems.<BR><BR>Best regards<BR><BR>Andreas
<DIV>
<DIV></DIV>
<DIV class=h5><BR><BR>On 09/18/2010 08:04 AM, David Deng
wrote:<BR></DIV></DIV>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV class=h5>Hi Martin, Hi All,<BR>I configured strongSwan with the following items and tried to interoperate with a Juniper SSG 550M, but I found that no inner IP could be allocated from the Juniper SSG 550M and the link was always indicated as "down" while the SA status was "Active".<BR>THE CONFIGURATION of STRONGSWAN is:<BR>1) IPSEC.CONF</DIV>
<PRE>
config setup
        strictcrlpolicy=no
        plutostart=no
conn %default
        ike=3des-sha1-modp1024!
        esp=3des-sha1!
        ikelifetime=1440m
        keylife=24m
        rekeymargin=3m
        keyingtries=%forever
        reauth=no
        keyexchange=ikev2
        pfs=yes
        authby=secret
conn FAP0
        left=172.19.2.169
        leftid=pbr@juniper.com
        leftfirewall=yes
        right=172.19.2.199
        rightsubnet=0.0.0.0/0
        auto=add
</PRE>
<DIV class=h5>2) ipsec.secrets</DIV>
<PRE>
# /etc/ipsec.secrets - strongswan IPsec secrets file
pbr@juniper.com : PSK PBRVPN0
</PRE>
<DIV class=h5>IN JUNIPER SSG 550<BR>1) I created one dial-up user and configured the gateway and IKE with PSK authentication and IKEv2, and then I configured one policy for it.<BR>2) The configuration of the Juniper SSG 550 is listed as follows:</DIV>
<PRE>
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Trust"
set interface "tunnel.1" zone "Trust"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.52.253/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 172.19.2.199/24
set interface ethernet0/2 route
set interface ethernet0/3 ip 192.168.54.253/24
set interface ethernet0/3 nat
set interface tunnel.1 ip unnumbered interface ethernet0/2
set interface ethernet0/2 bandwidth egress mbw 5000 ingress mbw 5000
set interface tunnel.1 mtu 1500
set interface "ethernet0/1" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/3 ip manageable
set interface ethernet0/1 manage ident-reset
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
unset interface ethernet0/3 manage ssh
unset interface ethernet0/3 manage telnet
unset interface ethernet0/3 manage snmp
unset interface ethernet0/3 manage ssl
unset interface ethernet0/3 manage web
set interface ethernet0/0 dhcp server service
set interface ethernet0/0 dhcp server enable
set interface ethernet0/0 dhcp server option lease 1440000
set interface ethernet0/0 dhcp server ip 192.168.1.200 to 192.168.1.250
set interface ethernet0/0 dhcp server config next-server-ip
unset interface ethernet0/0 dhcp server config updatable
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain zte.com.cn
set pki authority default cert-status revocation-check none
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn country-name "CN"
set pki x509 dn local-name "SZ"
set pki x509 dn org-name "JUNIPER lmt"
set pki x509 dn org-unit-name "OMS"
set pki x509 dn name "ssg550m"
set pki x509 dn email ssg550m@juniper.com
set pki x509 dn ip 172.19.2.199
set pki x509 default send-to "david.morris@juniper.com"
set pki x509 default crl-refresh "daily"
set pki x509 cert-fqdn ssg550m.juniper.com.cn
set dns host dns1 172.19.2.189 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Trust" "10.1.0.0/16" 10.1.0.0 255.255.0.0
set address "Trust" "10.10.1.0/24" 10.10.1.0 255.255.255.0
set address "Trust" "192.168.52.0/24" 192.168.52.0 255.255.255.0
set address "Trust" "PBR-NB-intranet" 192.168.1.0 255.255.255.0
set address "Untrust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
set address "Untrust" "192.168.52.250/24" 192.168.52.250 255.255.255.0
set user "PBR-USR00" uid 4
set user "PBR-USR00" ike-id u-fqdn pbr@juniper.com share-limit 1
set user "PBR-USR00" type ike
set user "PBR-USR00" "enable"
set ike gateway ikev2 "PBR-seGW00" dialup "PBR-USR00" outgoing-interface "ethernet0/2" preshare "D2hjHzq+NQYEm8sqF4CL8G1aOznYgJ+iHQ==" proposal "pre-g2-3des-sha"
unset ike gateway ikev2 "PBR-seGW00" nat-traversal
set ike respond-bad-spi 1
set ike gateway ikev2 "PBR-seGW00" auth-method self preshare peer preshare
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "PBR-IKE00" gateway "PBR-seGW00" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "PBR-IKE00" monitor
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set vpn "PBR-IKE00" proxy-id local-ip 192.168.1.0/24 remote-ip 255.255.255.255/32 "ANY"
set policy id 1 from "Untrust" to "Trust" "Dial-Up VPN" "PBR-NB-intranet" "ANY" nat src tunnel vpn "PBR-IKE00" id 0x1 log
set policy id 1
exit
set policy id 2 from "Trust" to "Untrust" "PBR-NB-intranet" "Any" "ANY" permit
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set router-id 192.168.1.9
exit
set vrouter "trust-vr"
set router-id 192.168.1.1
unset add-default-route
set route 172.19.2.0/24 interface tunnel.1
set action-group name VR2
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
</PRE>
<DIV class=h5>Please help me check the root cause of this issue. Thanks.<BR>Best Regards,<BR>David.morris</DIV>
</DIV></BLOCKQUOTE><BR>======================================================================<BR><FONT color=#888888>Andreas Steffen
<A
href="mailto:andreas.steffen@strongswan.org"
target=_blank>andreas.steffen@strongswan.org</A><BR>strongSwan - the Linux
VPN Solution! <A
href="http://www.strongswan.org/"
target=_blank>www.strongswan.org</A><BR>Institute for Internet Technologies
and Applications<BR>University of Applied Sciences Rapperswil<BR>CH-8640
Rapperswil
(Switzerland)<BR>===========================================================[ITA-HSR]==<BR></FONT></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>