[strongSwan] Config problem when second gateway is netscreen SSG5 device
Vikas Aggarwal
vik.reck at gmail.com
Thu Jun 6 11:12:19 CEST 2013
Hello,
I am new to strongswan and the Juniper Netscreen SSG5. I am trying to set up a VPN
IPsec ESP tunnel as described below. Please help me resolve the problem with
my configuration.
1) IPSec Gateway 1
   Hardware version: 710
   Software version: 6.1.0r5.0
2) IPSec Gateway 2 running Linux 2.6.32 with Strongswan
3) Setup Diagram :
(Remote Host)---(linux-GW1-strongswan)==UNTRUSTED==(0/0 netscreen GW2 0/3)---(Local Host)
(10.1.0.10)-----(10.1.0.1 , 192.168.0.1/24)======(192.168.0.2/24, 10.2.0.1)---(10.2.0.10)
Set the Netscreen SSG5 device to factory default settings.
First tried to set up the SSG5 using the wizard as follows:
4) Went to Network->interfaces->list and found that
ethernet0/3 in "bgroup0" and in "Zone TRUST" but cannot assign IP
address
5) From Wizards->Switch Port moved ethernet0/3 to "Not in Bgroup"
6) For ethernet0/3 - Changed "Zone Name" to Trust and assigned IP 10.2.0.10/24
7) ethernet0/0 is already in Zone Untrust - assigned 192.168.0.1/24
8) Using VPN Wizard -
   Zones - Local site: Trust , Remote Site: Untrust
   Make a new Tunnel interface.
   Bind to unnumbered interface ethernet0/0 (trust-vr)
   LAN-to-LAN VPN tunnel
   Local & remote Gateway IP address types: local static IP <-> Remote Static IP
   Outgoing interface ethernet0/0
   Remote gateway IP address : 192.168.0.1
   Preshared Secret for this tunnel : "juniper"
   Local Host Address : 10.2.0.10
   Remote Host Address : 10.1.0.10
   Service: ANY , Policy Created for: Both Directions
   Enable Logging
   Schedule: None
9) Using netscreen CLI -
"set ike accept-all-proposal"
10) On linux gateway strongswan.conf
charon {
    load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
    multiple_authentication = no
}
11) ipsec.conf
cat ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev1
    mobike=no

conn host-host
    left=192.168.0.1
    authby=secret
    leftid=192.168.0.1
    right=192.168.0.2
    rightid=192.168.0.2
    type=transport
    auto=add

conn net-net
    left=192.168.0.1
    leftsubnet=10.1.0.0/16
    leftid=192.168.0.1
    right=192.168.0.2
    rightsubnet=10.2.0.0/16
    rightid=192.168.0.2
    auto=route
12) cat ipsec.secrets
: PSK "juniper"
13) Then sent a ping from the remote host. GW1 strongswan triggered IKE.
14) But the IKE negotiation fails. Netscreen has the following in its log:
sun-> get event
Total event entries = 948
Date Time Module Level Type Description
2013-05-24 05:27:41 system info 00536 IKE 192.168.0.1 Phase 2 msg ID 93417de2: Negotiations have failed.
2013-05-24 05:27:41 system info 00536 Rejected an IKE packet on ethernet0/0 from 192.168.0.1:500 to 192.168.0.2:500 with cookies c2f82805f5e7033f and e67f479f2b77804b because The peer sent a proxy ID that did not match the one in the SA config
Questions:
What is the meaning of proxy ID?
Where in the strongswan configuration should I make changes so that the netscreen
doesn't complain about the proxy ID?
regards
vikas
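The proxy ID in the log is the IKEv1 Phase 2 traffic selector pair, and a ScreenOS responder rejects a proposal unless it matches its own configured pair exactly. The script below, added here as an illustration and not from the original post or either vendor, takes the net-net conn quoted above and the Local/Remote Host addresses given to the SSG5 wizard, and lists which selectors differ; it assumes the wizard turns those single hosts into /32 proxy IDs.

```python
"""Compare IKEv1 Phase 2 proxy IDs (traffic selectors) from a strongSwan
ipsec.conf conn with the local/remote pair a Netscreen policy expects."""
import ipaddress
import re

# Constructed from the net-net conn quoted in the post.
IPSEC_CONF = """
conn net-net
    left=192.168.0.1
    leftsubnet=10.1.0.0/16
    right=192.168.0.2
    rightsubnet=10.2.0.0/16
    auto=route
"""

# Assumption: the SSG5 VPN wizard turns "Local Host 10.2.0.10 / Remote Host
# 10.1.0.10" into /32 proxy IDs. The addresses come from the post.
NETSCREEN_PROXY_ID = {"local": "10.2.0.10/32", "remote": "10.1.0.10/32"}


def parse_conns(text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def proxy_id_mismatch(conn, peer_proxy_id):
    """Return (side, ours, theirs) for each selector that is not an exact match.

    strongSwan's 'left' is local to strongSwan, i.e. the Netscreen's 'remote'.
    A /16 that merely contains the peer's /32 is still a mismatch for IKEv1.
    """
    mismatches = []
    for key, side in (("leftsubnet", "remote"), ("rightsubnet", "local")):
        ours = ipaddress.ip_network(conn[key], strict=False)
        theirs = ipaddress.ip_network(peer_proxy_id[side], strict=False)
        if ours != theirs:
            mismatches.append((side, str(ours), str(theirs)))
    return mismatches


def check_conn(conf_text, conn_name, peer_proxy_id):
    """Parse conf_text and report proxy ID mismatches for one conn."""
    return proxy_id_mismatch(parse_conns(conf_text)[conn_name], peer_proxy_id)


if __name__ == "__main__":
    for side, ours, theirs in check_conn(IPSEC_CONF, "net-net", NETSCREEN_PROXY_ID):
        print(f"{side}: strongSwan offers {ours}, Netscreen expects {theirs}")
```

Either side can be changed to make the pair identical; the check only shows where the two configurations disagree.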