[strongSwan] Interoperate with Juniper SSG 550M failed

Andreas Steffen andreas.steffen at strongswan.org
Sat Sep 18 16:18:45 CEST 2010


Hi David,

If you want the Juniper SSG 550M to allocate an inner (virtual) IP address
to the strongSwan client, then you must request one by specifying

   leftsourceip=%config

in the conn FAP0 definition. As always, a strongSwan log would
help in identifying any connection setup problems.

Best regards

Andreas

On 09/18/2010 08:04 AM, David Deng wrote:
> Hi Martin, Hi All,
> I configured strongSwan with the following items and tried to interoperate
> with a Juniper SSG 550M, but I found that no inner IP could be allocated from
> the Juniper SSG 550M, and the link was always indicated as "down" while the SA
> status was "Active".
> THE CONFIGURATION of STRONGSWAN is:
> 1) IPSEC.CONF
> config setup
>    strictcrlpolicy=no
>    plutostart=no
> conn %default
>    ike=3des-sha1-modp1024!
>    esp=3des-sha1!
>    ikelifetime=1440m
>    keylife=24m
>    rekeymargin=3m
>    keyingtries=%forever
>    reauth=no
>    keyexchange=ikev2
>    pfs=yes
>    authby=secret
> conn FAP0
>    left=172.19.2.169
>    leftid=pbr at juniper.com
>    leftfirewall=yes
>    right=172.19.2.199
>    rightsubnet=0.0.0.0/0
>    auto=add
> 2) ipsec.secrets
> # /etc/ipsec.secrets - strongswan IPsec secrets file
> pbr at juniper.com : PSK PBRVPN0
> IN JUNIPER SSG 550
> 1) I created one dial-up user and configured the gateway and IKE with
> PSK authentication and IKEv2, and then I configured one policy for it.
> 2) configuration of Juniper SSG 550 listed as followed:
> set clock timezone 0
> set vrouter trust-vr sharable
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> unset auto-route-export
> exit
> set alg appleichat enable
> unset alg appleichat re-assembly enable
> set alg sctp enable
> set auth-server "Local" id 0
> set auth-server "Local" server-name "Local"
> set auth default auth server "Local"
> set auth radius accounting port 1646
> set admin name "netscreen"
> set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
> set admin auth web timeout 10
> set admin auth server "Local"
> set admin format dos
> set zone "Trust" vrouter "trust-vr"
> set zone "Untrust" vrouter "trust-vr"
> set zone "DMZ" vrouter "trust-vr"
> set zone "VLAN" vrouter "trust-vr"
> set zone "Untrust-Tun" vrouter "trust-vr"
> set zone "Trust" tcp-rst
> set zone "Untrust" block
> unset zone "Untrust" tcp-rst
> set zone "MGT" block
> set zone "DMZ" tcp-rst
> set zone "VLAN" block
> unset zone "VLAN" tcp-rst
> set zone "Untrust" screen tear-drop
> set zone "Untrust" screen syn-flood
> set zone "Untrust" screen ping-death
> set zone "Untrust" screen ip-filter-src
> set zone "Untrust" screen land
> set zone "V1-Untrust" screen tear-drop
> set zone "V1-Untrust" screen syn-flood
> set zone "V1-Untrust" screen ping-death
> set zone "V1-Untrust" screen ip-filter-src
> set zone "V1-Untrust" screen land
> set interface "ethernet0/0" zone "Trust"
> set interface "ethernet0/1" zone "Trust"
> set interface "ethernet0/2" zone "Untrust"
> set interface "ethernet0/3" zone "Trust"
> set interface "tunnel.1" zone "Trust"
> set interface ethernet0/0 ip 192.168.1.1/24 <http://192.168.1.1/24>
> set interface ethernet0/0 route
> unset interface vlan1 ip
> set interface ethernet0/1 ip 192.168.52.253/24 <http://192.168.52.253/24>
> set interface ethernet0/1 nat
> set interface ethernet0/2 ip 172.19.2.199/24 <http://172.19.2.199/24>
> set interface ethernet0/2 route
> set interface ethernet0/3 ip 192.168.54.253/24 <http://192.168.54.253/24>
> set interface ethernet0/3 nat
> set interface tunnel.1 ip unnumbered interface ethernet0/2
> set interface ethernet0/2 bandwidth egress mbw 5000 ingress mbw 5000
> set interface tunnel.1 mtu 1500
> set interface "ethernet0/1" pmtu ipv4
> unset interface vlan1 bypass-others-ipsec
> unset interface vlan1 bypass-non-ip
> set interface ethernet0/0 ip manageable
> set interface ethernet0/1 ip manageable
> set interface ethernet0/2 ip manageable
> set interface ethernet0/3 ip manageable
> set interface ethernet0/1 manage ident-reset
> set interface ethernet0/2 manage ping
> set interface ethernet0/2 manage snmp
> set interface ethernet0/2 manage ssl
> set interface ethernet0/2 manage web
> unset interface ethernet0/3 manage ssh
> unset interface ethernet0/3 manage telnet
> unset interface ethernet0/3 manage snmp
> unset interface ethernet0/3 manage ssl
> unset interface ethernet0/3 manage web
> set interface ethernet0/0 dhcp server service
> set interface ethernet0/0 dhcp server enable
> set interface ethernet0/0 dhcp server option lease 1440000
> set interface ethernet0/0 dhcp server ip 192.168.1.200 to 192.168.1.250
> set interface ethernet0/0 dhcp server config next-server-ip
> unset interface ethernet0/0 dhcp server config updatable
> unset flow no-tcp-seq-check
> set flow tcp-syn-check
> unset flow tcp-syn-bit-check
> set flow reverse-route clear-text prefer
> set flow reverse-route tunnel always
> set domain zte.com.cn <http://zte.com.cn>
> set pki authority default cert-status revocation-check none
> set pki authority default scep mode "auto"
> set pki x509 default cert-path partial
> set pki x509 dn country-name "CN"
> set pki x509 dn local-name "SZ"
> set pki x509 dn org-name "JUNIPER lmt"
> set pki x509 dn org-unit-name "OMS"
> set pki x509 dn name "ssg550m"
> set pki x509 dn email ssg550m at juniper.com <mailto:ssg550m at juniper.com>
> set pki x509 dn ip 172.19.2.199
> set pki x509 default send-to "david.morris at juniper.com
> <mailto:david.morris at juniper.com>"
> set pki x509 default crl-refresh "daily"
> set pki x509 cert-fqdn ssg550m.juniper.com.cn
> <http://ssg550m.juniper.com.cn>
> set dns host dns1 172.19.2.189 src-interface ethernet0/2
> set dns host dns2 0.0.0.0
> set dns host dns3 0.0.0.0
> set address "Trust" "10.1.0.0/16 <http://10.1.0.0/16>" 10.1.0.0 255.255.0.0
> set address "Trust" "10.10.1.0/24 <http://10.10.1.0/24>" 10.10.1.0
> 255.255.255.0
> set address "Trust" "192.168.52.0/24 <http://192.168.52.0/24>"
> 192.168.52.0 255.255.255.0
> set address "Trust" "PBR-NB-intranet" 192.168.1.0 255.255.255.0
> set address "Untrust" "0.0.0.0/0 <http://0.0.0.0/0>" 0.0.0.0 0.0.0.0
> set address "Untrust" "192.168.52.250/24 <http://192.168.52.250/24>"
> 192.168.52.250 255.255.255.0
> set user "PBR-USR00" uid 4
> set user "PBR-USR00" ike-id u-fqdn pbr at juniper.com
> <mailto:pbr at juniper.com> share-limit 1
> set user "PBR-USR00" type ike
> set user "PBR-USR00" "enable"
> set ike gateway ikev2 "PBR-seGW00" dialup "PBR-USR00" outgoing-interface
> "ethernet0/2" preshare "D2hjHzq+NQYEm8sqF4CL8G1aOznYgJ+iHQ==" proposal
> "pre-g2-3des-sha"
> unset ike gateway ikev2 "PBR-seGW00" nat-traversal
> set ike respond-bad-spi 1
> set ike gateway ikev2 "PBR-seGW00" auth-method self preshare peer preshare
> set ike ikev2 ike-sa-soft-lifetime 60
> unset ike ikeid-enumeration
> unset ike dos-protection
> unset ipsec access-session enable
> set ipsec access-session maximum 5000
> set ipsec access-session upper-threshold 0
> set ipsec access-session lower-threshold 0
> set ipsec access-session dead-p2-sa-timeout 0
> unset ipsec access-session log-error
> unset ipsec access-session info-exch-connected
> unset ipsec access-session use-error-log
> set vpn "PBR-IKE00" gateway "PBR-seGW00" no-replay tunnel idletime 0
> proposal "nopfs-esp-3des-sha"
> set vpn "PBR-IKE00" monitor
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> exit
> set url protocol websense
> exit
> set vpn "PBR-IKE00" proxy-id local-ip 192.168.1.0/24
> <http://192.168.1.0/24> remote-ip 255.255.255.255/32
> <http://255.255.255.255/32> "ANY"
> set policy id 1 from "Untrust" to "Trust" "Dial-Up VPN"
> "PBR-NB-intranet" "ANY" nat src tunnel vpn "PBR-IKE00" id 0x1 log
> set policy id 1
> exit
> set policy id 2 from "Trust" to "Untrust" "PBR-NB-intranet" "Any" "ANY"
> permit
> set policy id 2
> exit
> set nsmgmt bulkcli reboot-timeout 60
> set ssh version v2
> set config lock timeout 5
> unset license-key auto-update
> set snmp port listen 161
> set snmp port trap 162
> set vrouter "untrust-vr"
> set router-id 192.168.1.9
> exit
> set vrouter "trust-vr"
> set router-id 192.168.1.1
> unset add-default-route
> set route 172.19.2.0/24 <http://172.19.2.0/24> interface tunnel.1
> set action-group name VR2
> exit
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> exit
> Please help me check the root cause of this issue. Thanks.
> Best Regards,
> David.morris

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==



