[strongSwan] Interoperate with Juniper SSG 550M failed

Groebl, Laurence (Laurence) laurence.groebl at alcatel-lucent.com
Wed Sep 29 13:51:03 CEST 2010


hi David,
did you configure the Juniper SSG 550 following the instructions on page 22 of the Juniper document "Concepts & Examples ScreenOS 6.3 Reference Guide" (section "Example: Configuring IRAC and IRAS to Get an IP Address from Local and External Databases")?
http://www-jnet.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf

Best regards,

Laurence





________________________________
From: users-bounces+laurence.groebl=alcatel-lucent.com at lists.strongswan.org [mailto:users-bounces+laurence.groebl=alcatel-lucent.com at lists.strongswan.org] On Behalf Of David Deng
Sent: Samstag, 18. September 2010 17:26
To: Andreas Steffen
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Interoperate with Juniper SSG 550M failed

Hi Andreas,

Thank you for your prompt response! When I added the following item:

leftsourceip=%config

I can see that one payload [CP] is added to the message, but it seems that the Juniper SSG 550M cannot handle this CP payload and the procedure cannot be completed.

Therefore, I'm not sure if this issue is caused by this unset configuration item. Please help to check further; thanks again!

Best wishes,
david morris
2010/9/18 Andreas Steffen <andreas.steffen at strongswan.org>
Hi David,

If you want the Juniper SSG 550M to allocate an inner IP address,
then you must specify

 leftsourceip=%config

in the conn FAP0 definition. As always a strongSwan log would
help in identifying any connection setup problems.

Best regards

Andreas


On 09/18/2010 08:04 AM, David Deng wrote:
Hi Martin, Hi All,
I configured strongswan with following items and tried to interoperate
with Juniper SSG 550M, but I found no inner IP can be allocated from
Juniper SSG 550M and the link always indicated as "down" while the SA
status was "Active".
THE CONFIGURATION of STRONGSWAN is:
1) IPSEC.CONF
config setup
  strictcrlpolicy=no
  plutostart=no
conn %default
  ike=3des-sha1-modp1024!
  esp=3des-sha1!
  ikelifetime=1440m
  keylife=24m
  rekeymargin=3m
  keyingtries=%forever
  reauth=no
  keyexchange=ikev2
  pfs=yes
  authby=secret
conn FAP0
  left=172.19.2.169
  leftid=pbr at juniper.com
  leftfirewall=yes
  right=172.19.2.199
  rightsubnet=0.0.0.0/0
  auto=add
2) ipsec.secrets
# /etc/ipsec.secrets - strongswan IPsec secrets file
pbr at juniper.com : PSK PBRVPN0
IN JUNIPER SSG 550
1) I created one dialup user and configured the gateway and IKE with
PSK authentication and IKEv2. Then I configured one policy for it.
2) The configuration of the Juniper SSG 550 is listed as follows:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Trust"
set interface "tunnel.1" zone "Trust"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.52.253/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 172.19.2.199/24
set interface ethernet0/2 route
set interface ethernet0/3 ip 192.168.54.253/24
set interface ethernet0/3 nat
set interface tunnel.1 ip unnumbered interface ethernet0/2
set interface ethernet0/2 bandwidth egress mbw 5000 ingress mbw 5000
set interface tunnel.1 mtu 1500
set interface "ethernet0/1" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/3 ip manageable
set interface ethernet0/1 manage ident-reset
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
unset interface ethernet0/3 manage ssh
unset interface ethernet0/3 manage telnet
unset interface ethernet0/3 manage snmp
unset interface ethernet0/3 manage ssl
unset interface ethernet0/3 manage web
set interface ethernet0/0 dhcp server service
set interface ethernet0/0 dhcp server enable
set interface ethernet0/0 dhcp server option lease 1440000
set interface ethernet0/0 dhcp server ip 192.168.1.200 to 192.168.1.250
set interface ethernet0/0 dhcp server config next-server-ip
unset interface ethernet0/0 dhcp server config updatable
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain zte.com.cn
set pki authority default cert-status revocation-check none
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn country-name "CN"
set pki x509 dn local-name "SZ"
set pki x509 dn org-name "JUNIPER lmt"
set pki x509 dn org-unit-name "OMS"
set pki x509 dn name "ssg550m"
set pki x509 dn email ssg550m at juniper.com
set pki x509 dn ip 172.19.2.199
set pki x509 default send-to "david.morris at juniper.com"
set pki x509 default crl-refresh "daily"
set pki x509 cert-fqdn ssg550m.juniper.com.cn
set dns host dns1 172.19.2.189 src-interface ethernet0/2
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Trust" "10.1.0.0/16" 10.1.0.0 255.255.0.0
set address "Trust" "10.10.1.0/24" 10.10.1.0 255.255.255.0
set address "Trust" "192.168.52.0/24" 192.168.52.0 255.255.255.0
set address "Trust" "PBR-NB-intranet" 192.168.1.0 255.255.255.0
set address "Untrust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
set address "Untrust" "192.168.52.250/24" 192.168.52.250 255.255.255.0
set user "PBR-USR00" uid 4
set user "PBR-USR00" ike-id u-fqdn pbr at juniper.com share-limit 1
set user "PBR-USR00" type ike
set user "PBR-USR00" "enable"
set ike gateway ikev2 "PBR-seGW00" dialup "PBR-USR00" outgoing-interface "ethernet0/2" preshare "D2hjHzq+NQYEm8sqF4CL8G1aOznYgJ+iHQ==" proposal "pre-g2-3des-sha"
unset ike gateway ikev2 "PBR-seGW00" nat-traversal
set ike respond-bad-spi 1
set ike gateway ikev2 "PBR-seGW00" auth-method self preshare peer preshare
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "PBR-IKE00" gateway "PBR-seGW00" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "PBR-IKE00" monitor
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set vpn "PBR-IKE00" proxy-id local-ip 192.168.1.0/24 remote-ip 255.255.255.255/32 "ANY"
set policy id 1 from "Untrust" to "Trust" "Dial-Up VPN" "PBR-NB-intranet" "ANY" nat src tunnel vpn "PBR-IKE00" id 0x1 log
set policy id 1
exit
set policy id 2 from "Trust" to "Untrust" "PBR-NB-intranet" "Any" "ANY" permit
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set router-id 192.168.1.9
exit
set vrouter "trust-vr"
set router-id 192.168.1.1
unset add-default-route
set route 172.19.2.0/24 interface tunnel.1
set action-group name VR2
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
Please help me check the root cause of this issue. Thanks.
Best Regards,
David.morris

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
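Added example, not from this thread or from the strongSwan project: the IKEv2 Configuration Payload (RFC 5996 section 3.15) is what strongSwan emits in IKE_AUTH once leftsourceip=%config is set, as a CFG_REQUEST with an empty INTERNAL_IP4_ADDRESS attribute, and a responder that really allocates a pool address must answer with a CFG_REPLY carrying the address. The encoder/decoder below builds both sides so a capture can be checked for which one is missing; the address 192.168.1.200 is a constructed sample and the helper names are this example's own.

```python
import struct
from ipaddress import IPv4Address

# IKEv2 Configuration Payload constants (RFC 5996 section 3.15)
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS = 1, 2, 3

def build_cp(cfg_type, attrs, next_payload=0):
    """Encode a CP payload. attrs is a list of (attribute_type, value_bytes);
    an empty value inside a CFG_REQUEST means 'assign me one of these'."""
    body = b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)
    # generic payload header: next payload, critical bit/reserved, total length
    header = struct.pack("!BBH", next_payload, 0, 8 + len(body))
    return header + struct.pack("!B3x", cfg_type) + body

def parse_cp(data):
    """Decode a CP payload into (cfg_type, [(attribute_type, value), ...]),
    rejecting truncated or inconsistent lengths instead of reading past them."""
    if len(data) < 8:
        raise ValueError("CP payload shorter than its fixed header")
    _next, _flags, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("payload length field does not match data")
    cfg_type, attrs, off = data[4], [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute value")
        attrs.append((attr_type & 0x7FFF, value))  # top bit is reserved
        off += 4 + attr_len
    return cfg_type, attrs

def initiator_request():
    """What an initiator with leftsourceip=%config asks for (constructed sample)."""
    return build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_DNS, b"")])

def responder_reply(address):
    """A responder that allocated 'address' from its pool answers with CFG_REPLY."""
    return build_cp(CFG_REPLY, [(INTERNAL_IP4_ADDRESS, IPv4Address(address).packed)])

def assigned_ip4(data):
    """Return the inner IPv4 address from a CFG_REPLY, or None when the responder
    did not hand one out (the 'no inner IP allocated' symptom in the thread)."""
    cfg_type, attrs = parse_cp(data)
    if cfg_type != CFG_REPLY:
        return None
    for attr_type, value in attrs:
        if attr_type == INTERNAL_IP4_ADDRESS and len(value) == 4:
            return IPv4Address(value)
    return None
```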
