[strongSwan] Interoperate with Juniper SSG 550M failed
David Deng
david.live.koo at gmail.com
Sat Sep 18 17:25:42 CEST 2010
Hi Andreas,
Thank you for your prompt repsonse! when I added the following item:
leftsourceip=%config
and can be see one payload [CP] will be added into the message, but it seems
that Juniper SSG 550M can not handle this CP payload and the procedure can
not be completed.
Therefore, I don't sure if this issue caused by this unset configuration
items. please help to check further, thanks again!
Best wishes,
david morris
2010/9/18 Andreas Steffen <andreas.steffen at strongswan.org>
> Hi David,
>
> I you want the Juniper SSG 550M to allocate an inner IP address,
> then you must specify
>
> leftsourceip=%config
>
> in the conn FAP0 definition. As always a strongSwan log would
> help in identifying any connection setup problems.
>
> Best regards
>
> Andreas
>
>
> On 09/18/2010 08:04 AM, David Deng wrote:
>
>> Hi Martin, Hi All,
>> I configured strongswan with following items and tried to interoperate
>> with Juniper SSG 550M, but I found no inner IP can be allocated from
>> Juniper SSG 550M and the link always indicated as "down" while the SA
>> status was "Active".
>> THE CONFIGURATION of STRONGSWAN is:
>> 1) IPSEC.CONF
>> config setup
>> strictcrlpolicy=no
>> plutostart=no
>> conn %default
>> ike=3des-sha1-modp1024!
>> esp=3des-sha1!
>> ikelifetime=1440m
>> keylife=24m
>> rekeymargin=3m
>> keyingtries=%forever
>> reauth=no
>> keyexchange=ikev2
>> pfs=yes
>> authby=secret
>> conn FAP0
>> left=172.19.2.169
>> leftid=pbr at juniper.com
>> leftfirewall=yes
>> right=172.19.2.199
>> rightsubnet=0.0.0.0/0
>> auto=add
>> 2) ipsec.secrets
>> # /etc/ipsec.secrets - strongswan IPsec secrets file
>> pbr at juniper.com : PSK PBRVPN0
>> IN JUNIPER SSG 550
>> 1) I create one dailup user and configure the gateway and IKE with
>> authenticate as PSK and IKEv2 used. and then I configure one policy for
>> it.
>> 2) configuration of Juniper SSG 550 listed as followed:
>> set clock timezone 0
>> set vrouter trust-vr sharable
>> set vrouter "untrust-vr"
>> exit
>> set vrouter "trust-vr"
>> unset auto-route-export
>> exit
>> set alg appleichat enable
>> unset alg appleichat re-assembly enable
>> set alg sctp enable
>> set auth-server "Local" id 0
>> set auth-server "Local" server-name "Local"
>> set auth default auth server "Local"
>> set auth radius accounting port 1646
>> set admin name "netscreen"
>> set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
>> set admin auth web timeout 10
>> set admin auth server "Local"
>> set admin format dos
>> set zone "Trust" vrouter "trust-vr"
>> set zone "Untrust" vrouter "trust-vr"
>> set zone "DMZ" vrouter "trust-vr"
>> set zone "VLAN" vrouter "trust-vr"
>> set zone "Untrust-Tun" vrouter "trust-vr"
>> set zone "Trust" tcp-rst
>> set zone "Untrust" block
>> unset zone "Untrust" tcp-rst
>> set zone "MGT" block
>> set zone "DMZ" tcp-rst
>> set zone "VLAN" block
>> unset zone "VLAN" tcp-rst
>> set zone "Untrust" screen tear-drop
>> set zone "Untrust" screen syn-flood
>> set zone "Untrust" screen ping-death
>> set zone "Untrust" screen ip-filter-src
>> set zone "Untrust" screen land
>> set zone "V1-Untrust" screen tear-drop
>> set zone "V1-Untrust" screen syn-flood
>> set zone "V1-Untrust" screen ping-death
>> set zone "V1-Untrust" screen ip-filter-src
>> set zone "V1-Untrust" screen land
>> set interface "ethernet0/0" zone "Trust"
>> set interface "ethernet0/1" zone "Trust"
>> set interface "ethernet0/2" zone "Untrust"
>> set interface "ethernet0/3" zone "Trust"
>> set interface "tunnel.1" zone "Trust"
>> set interface ethernet0/0 ip 192.168.1.1/24 <http://192.168.1.1/24>
>>
>> set interface ethernet0/0 route
>> unset interface vlan1 ip
>> set interface ethernet0/1 ip 192.168.52.253/24 <http://192.168.52.253/24>
>>
>>
>> set interface ethernet0/1 nat
>> set interface ethernet0/2 ip 172.19.2.199/24 <http://172.19.2.199/24>
>>
>> set interface ethernet0/2 route
>> set interface ethernet0/3 ip 192.168.54.253/24 <http://192.168.54.253/24>
>>
>>
>> set interface ethernet0/3 nat
>> set interface tunnel.1 ip unnumbered interface ethernet0/2
>> set interface ethernet0/2 bandwidth egress mbw 5000 ingress mbw 5000
>> set interface tunnel.1 mtu 1500
>> set interface "ethernet0/1" pmtu ipv4
>> unset interface vlan1 bypass-others-ipsec
>> unset interface vlan1 bypass-non-ip
>> set interface ethernet0/0 ip manageable
>> set interface ethernet0/1 ip manageable
>> set interface ethernet0/2 ip manageable
>> set interface ethernet0/3 ip manageable
>> set interface ethernet0/1 manage ident-reset
>> set interface ethernet0/2 manage ping
>> set interface ethernet0/2 manage snmp
>> set interface ethernet0/2 manage ssl
>> set interface ethernet0/2 manage web
>> unset interface ethernet0/3 manage ssh
>> unset interface ethernet0/3 manage telnet
>> unset interface ethernet0/3 manage snmp
>> unset interface ethernet0/3 manage ssl
>> unset interface ethernet0/3 manage web
>> set interface ethernet0/0 dhcp server service
>> set interface ethernet0/0 dhcp server enable
>> set interface ethernet0/0 dhcp server option lease 1440000
>> set interface ethernet0/0 dhcp server ip 192.168.1.200 to 192.168.1.250
>> set interface ethernet0/0 dhcp server config next-server-ip
>> unset interface ethernet0/0 dhcp server config updatable
>> unset flow no-tcp-seq-check
>> set flow tcp-syn-check
>> unset flow tcp-syn-bit-check
>> set flow reverse-route clear-text prefer
>> set flow reverse-route tunnel always
>> set domain zte.com.cn <http://zte.com.cn>
>>
>> set pki authority default cert-status revocation-check none
>> set pki authority default scep mode "auto"
>> set pki x509 default cert-path partial
>> set pki x509 dn country-name "CN"
>> set pki x509 dn local-name "SZ"
>> set pki x509 dn org-name "JUNIPER lmt"
>> set pki x509 dn org-unit-name "OMS"
>> set pki x509 dn name "ssg550m"
>> set pki x509 dn email ssg550m at juniper.com <mailto:ssg550m at juniper.com>
>>
>> set pki x509 dn ip 172.19.2.199
>> set pki x509 default send-to "david.morris at juniper.com
>> <mailto:david.morris at juniper.com>"
>>
>> set pki x509 default crl-refresh "daily"
>> set pki x509 cert-fqdn ssg550m.juniper.com.cn
>> <http://ssg550m.juniper.com.cn>
>>
>> set dns host dns1 172.19.2.189 src-interface ethernet0/2
>> set dns host dns2 0.0.0.0
>> set dns host dns3 0.0.0.0
>> set address "Trust" "10.1.0.0/16 <http://10.1.0.0/16>" 10.1.0.0
>> 255.255.0.0
>> set address "Trust" "10.10.1.0/24 <http://10.10.1.0/24>" 10.10.1.0
>> 255.255.255.0
>> set address "Trust" "192.168.52.0/24 <http://192.168.52.0/24>"
>>
>> 192.168.52.0 255.255.255.0
>> set address "Trust" "PBR-NB-intranet" 192.168.1.0 255.255.255.0
>> set address "Untrust" "0.0.0.0/0 <http://0.0.0.0/0>" 0.0.0.0 0.0.0.0
>> set address "Untrust" "192.168.52.250/24 <http://192.168.52.250/24>"
>>
>> 192.168.52.250 255.255.255.0
>> set user "PBR-USR00" uid 4
>> set user "PBR-USR00" ike-id u-fqdn pbr at juniper.com
>> <mailto:pbr at juniper.com> share-limit 1
>>
>> set user "PBR-USR00" type ike
>> set user "PBR-USR00" "enable"
>> set ike gateway ikev2 "PBR-seGW00" dialup "PBR-USR00" outgoing-interface
>> "ethernet0/2" preshare "D2hjHzq+NQYEm8sqF4CL8G1aOznYgJ+iHQ==" proposal
>> "pre-g2-3des-sha"
>> unset ike gateway ikev2 "PBR-seGW00" nat-traversal
>> set ike respond-bad-spi 1
>> set ike gateway ikev2 "PBR-seGW00" auth-method self preshare peer preshare
>> set ike ikev2 ike-sa-soft-lifetime 60
>> unset ike ikeid-enumeration
>> unset ike dos-protection
>> unset ipsec access-session enable
>> set ipsec access-session maximum 5000
>> set ipsec access-session upper-threshold 0
>> set ipsec access-session lower-threshold 0
>> set ipsec access-session dead-p2-sa-timeout 0
>> unset ipsec access-session log-error
>> unset ipsec access-session info-exch-connected
>> unset ipsec access-session use-error-log
>> set vpn "PBR-IKE00" gateway "PBR-seGW00" no-replay tunnel idletime 0
>> proposal "nopfs-esp-3des-sha"
>> set vpn "PBR-IKE00" monitor
>> set vrouter "untrust-vr"
>> exit
>> set vrouter "trust-vr"
>> exit
>> set url protocol websense
>> exit
>> set vpn "PBR-IKE00" proxy-id local-ip 192.168.1.0/24
>> <http://192.168.1.0/24> remote-ip 255.255.255.255/32
>> <http://255.255.255.255/32> "ANY"
>>
>> set policy id 1 from "Untrust" to "Trust" "Dial-Up VPN"
>> "PBR-NB-intranet" "ANY" nat src tunnel vpn "PBR-IKE00" id 0x1 log
>> set policy id 1
>> exit
>> set policy id 2 from "Trust" to "Untrust" "PBR-NB-intranet" "Any" "ANY"
>> permit
>> set policy id 2
>> exit
>> set nsmgmt bulkcli reboot-timeout 60
>> set ssh version v2
>> set config lock timeout 5
>> unset license-key auto-update
>> set snmp port listen 161
>> set snmp port trap 162
>> set vrouter "untrust-vr"
>> set router-id 192.168.1.9
>> exit
>> set vrouter "trust-vr"
>> set router-id 192.168.1.1
>> unset add-default-route
>> set route 172.19.2.0/24 <http://172.19.2.0/24> interface tunnel.1
>>
>> set action-group name VR2
>> exit
>> set vrouter "untrust-vr"
>> exit
>> set vrouter "trust-vr"
>> exit
>> please help me check the root cause of this issue. thanks.
>> Best Regards,
>> David.morris
>>
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100918/e323b75c/attachment.html>
More information about the Users
mailing list