Question

VPN Configuration Netscreen Juniper SSG20

Asked by: junaidIT

Greetings,

I am trying to configure a VPN with a Juniper SSG20 and the NetScreen-Remote app. I had a few queries regarding it because the one I set up seems to time out and is not successful.

I want the VPN to terminate in the Untrust zone and then use an Untrust-to-Trust policy to route traffic.

When I create a tunnel interface, should I bind it to the Untrust (trust-vr) zone or the Untrust (Tun) zone?

Also, what is the difference between IKE and XAuth? I have gone through the documentation on the Juniper forum for creating the dialup VPN, and it says to create two users, one for IKE and the other for XAuth, and place them in separate groups. Also, does the policy that I select for authentication (DES or MD5, etc.) decide how easy it is to negotiate and establish the connection?

This is what I followed:

http://www.juniperforum.com/index.php?page=37

Any guidance on this is greatly appreciated.


Asked on: 2009-08-18 at 21:47:39 (ID 24663723)

Tags: Juniper SSG20 Dialup VPN Connection with Netscreen Remote

Topics: Enterprise Firewalls, Virtual Private Networking (VPN)


Answers

 

by: marmata75, posted on 2009-08-19 at 00:11:33 (ID: 25130196)

Hi,

so you tried to configure the VPN but your NetScreen-Remote cannot connect?
Could you please post the log from NetScreen-Remote and the event log from the SSG20 when you try to connect?
The most common errors are the shared key/identity not being the same, the Phase 1 and Phase 2 encryption modes not being equal (that 3DES/DES/AES thing), and not choosing 'extended authentication' in NetScreen-Remote when you're using XAuth.
About IKE and XAuth: basically, an IKE user is identified by their name (usually an email address) and by a preshared key. An XAuth user is identified by a username and a password. You'd use the first to complete Phase 1 of the VPN (so that every user can share the same IKE ID and thus use the same profile in NetScreen-Remote), and the second to complete Phase 2 (NetScreen-Remote will then ask for a username and password, and those would be the ones from XAuth). XAuth also allows you to give your users different IP addresses on the VPN depending on the login, in case you need it.

Cheers,
]\/[arco

 

by: junaidIT, posted on 2009-08-19 at 01:07:21 (ID: 25130429)

Is a group necessary for the IKE user, if I am to have that configured on all the user terminals that are here in the company?

Also, could you provide some insight into whether it is possible to have this integrated with Active Directory for the XAuth user account, so that users can have the same password all across?

I will post the logs from NetScreen-Remote and the SSG20 as soon as possible.

 

by: junaidIT, posted on 2009-08-19 at 04:47:26 (ID: 25131516)

And the email address that you mentioned for the IKE user, should that be a valid one or any dummy email address?

 

by: junaidIT, posted on 2009-08-19 at 05:36:58 (ID: 25131877)

This is what I got in the log for NetScreen-Remote:
 8-18: 13:52:36.656 My Connections\New Connection - Initiating IKE Phase 1 (IP ADDR=194.172.162.62)
 8-18: 13:52:36.672 My Connections\New Connection - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 8-18: 13:52:52.537 My Connections\New Connection - message not received! Retransmitting!
 8-18: 13:52:52.537 My Connections\New Connection - SENDING>>>> ISAKMP OAK MM (Retransmission)
 8-18: 13:53:07.740 My Connections\New Connection - message not received! Retransmitting!
 8-18: 13:53:07.740 My Connections\New Connection - SENDING>>>> ISAKMP OAK MM (Retransmission)
 8-18: 13:53:22.950 My Connections\New Connection - message not received! Retransmitting!
 8-18: 13:53:22.950 My Connections\New Connection - SENDING>>>> ISAKMP OAK MM (Retransmission)
 8-18: 13:53:38.160 My Connections\New Connection - Exceeded 3 IKE SA negotiation attempts

which I suppose means that the firewall on the other end is not receiving the incoming traffic. It looks like the P1 proposal itself is not happening properly. On the SSG20, what I saw is this:

IKE 0.0.0.0 Phase 2: No policy exists for the proxy ID received: local ID (192.168.100.0/255.255.255.0, 0, 0) remote ID (255.255.255.255/255.255.255.255, 0, 0).

Sorry, I don't have much clue about these things. This is the first time that I've laid my hands on these.

Please let me know if you need anything in particular which would enable you to figure out what exactly is going wrong.

 

by: deimark, posted on 2009-08-19 at 07:24:14 (ID: 25132989)

Juniper does not allow you to use AD as an auth server, bud, sorry.

Can you post your config here to allow us to have a look? I suspect we have missed something quite obvious.

 

by: marmata75, posted on 2009-08-19 at 23:10:04 (ID: 25139670)

Sorry for the late answer!
You can use a dummy email address, no problem!
I think there's something more in your logs... From your NetScreen-Remote logs it looks like the firewall is not receiving the traffic, or at least not answering the Phase 1 negotiation. But from the firewall logs, it looks like it's hanging at Phase 2, so it's completing Phase 1 fine and is stuck at Phase 2 because it cannot find a policy that allows the encrypted traffic in. Could you double-check that the logs sent are real? I would however check that you have a policy allowing the dial-up VPN traffic into your network, otherwise Phase 2 won't come up!
About AD integration, your best bet would be to use Internet Authentication Server (or Network Policy Server, as it's called in Windows 2008). Basically that's a RADIUS server that integrates with Active Directory, and it's bundled with Windows. You can authenticate the VPN users via the RADIUS protocol, which will talk to IAS/NPS, which in turn will authenticate via AD.
Better to first sort out the simple things, however! ;)

Cheers,
]\/[arco

 

by: junaidIT, posted on 2009-08-23 at 03:03:46 (ID: 25162020)

Hi,

I am getting the same message. I am posting the config; maybe that should help or give some idea as to where it is going wrong.

Please advise.



get config

set clock timezone 4
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set vrouter name "dsl-vr" id 1025
unset vrouter "dsl-vr" nsrp-config-sync
set vrouter "dsl-vr"
unset auto-route-export
set preference nhrp 100
set preference ospf-e2 254
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nGCDCDrTH2tOceTAFsJLfZKtqoPpMn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "DSL"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "DSL" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DSL"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
unset interface vlan1 ip
set interface ethernet0/0 ip 194.170.162.62/30
set interface ethernet0/0 nat
set interface ethernet0/1 ip 86.98.150.5/32
set interface ethernet0/1 route
set interface bgroup0 ip 192.168.30.254/24
set interface bgroup0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface ethernet0/0 proxy dns
set interface bgroup0 proxy dns
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/0 vip interface-ip
set interface "ethernet0/0" mip xx.xxx.xx.xxx host 192.168.20.9 netmask 255.255.255.255 vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 213.42.20.20 src-interface ethernet0/0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set dns proxy
set dns proxy enable
set dns server-select domain etisalat outgoing-interface ethernet0/0 primary-server 213.42.20.20 failover
set dns ddns
set dns ddns id 1 server-type dyndns refresh-interval 24
set dns ddns id 1 username ramcis password gBGflkDbNXoySPs5vICRbIdI07nkLkFm1A==
set dns ddns id 1 src-interface ethernet0/0 host-name mubadala.dyndns.org
set dns ddns enable
set address "Trust" "192.168.30.0/24" 192.168.30.0 255.255.255.0
set address "Trust" "MIP_ADD" 192.168.30.0 255.255.255.0
set address "Trust" "test" 192.168.30.198 255.255.255.255
set address "Untrust" "0.0.0.0/0.0.0.0" 0.0.0.0 0.0.0.0
set address "Untrust" "192.168.100.0/24" 192.168.100.0 255.255.255.0
set ippool "VPN_POOL" 192.168.100.1 192.168.100.254
set ippool "IP_Pool30" 192.168.30.150 192.168.30.169

set user "it@ict.com" uid 27
set user "it@ict.com" ike-id u-fqdn "it@ict.com" share-limit 15
set user "it@ict.com" type  ike
set user "it@ict.com" "enable"

set user "rkamath" uid 28
set user "rkamath" type  xauth
set user "rkamath" password "A+tWXwxdNenbdgstF6CS8SXFpUnUoRJ23w=="
unset user "rkamath" type auth
set user "rkamath" "enable"

set user-group "ras-users" id 12
set user-group "ras-users" user "rkamath"
set user-group "xauth-global" id 11
set user-group "xauth-global" user "it@mip.ae"
set ike p1-proposal "MIP_1" preshare group2 esp aes256 sha-1 hour 8
set ike p2-proposal "MIP_2" no-pfs esp aes256 sha-1 hour 8
set ike gateway "Rameez_GW" dialup "VPN_GP" Aggr outgoing-interface "ethernet0/0" preshare "Qol485wDNdXLgOsN9aCA3/R9Eyn2I6c/Wg==" proposal "MIP_1" "pre-g2-aes128-sha"
set ike gateway "Rameez_GW" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651
unset ike gateway "Rameez_GW" nat-traversal
set ike gateway "Rameez_GW" xauth
set ike gateway "Rameez_GW" xauth server auth-method chap pap
unset ike gateway "Rameez_GW" xauth do-edipi-auth
set ike gateway "RAS-GW" dialup "xauth-global" Aggr outgoing-interface "ethernet0/0" preshare "IPplAvgHNC7cVhsmnfCvDAAmW1nBJ58a3A==" proposal "pre-g2-aes128-sha"
unset ike gateway "RAS-GW" nat-traversal
set ike gateway "RAS-GW" xauth server "Local" user-group "ras-users"
unset ike gateway "RAS-GW" xauth do-edipi-auth
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "VPN_POOL"
set xauth default dns1 192.168.20.2
set xauth default dns2 213.42.20.20
set xauth default wins1 192.168.20.2
set vpn "Rameez_VPN" gateway "Rameez_GW" no-replay tunnel idletime 0 proposal "MIP_2"
set vpn "Rameez_VPN" id 15 bind interface tunnel.1
set vpn "ras-vpn" gateway "RAS-GW" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "ras-vpn" id 16 bind interface tunnel.1
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set vrouter "dsl-vr"
exit
set l2tp "tunnel group" id 1 outgoing-interface ethernet0/0 secret "abc12345678" keepalive 60
set l2tp "tunnel group" auth server "Local"
set url protocol websense
exit
set vpn "Rameez_VPN" proxy-id local-ip 192.168.0.0/16 remote-ip 255.255.255.255/32 "ANY"
set vpn "ras-vpn" proxy-id local-ip 192.168.20.0/24 remote-ip 255.255.255.255/32 "ANY"


exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
set log session-init
exit
set policy id 5 name "Rameez_Pol" from "Untrust" to "Trust"  "192.168.100.0/24" "Any" "ANY" permit log
set policy id 5
set log session-init
exit
set policy id 6 name "Exchange" from "Untrust" to "Trust"  "Any" "MIP(83.111.44.250)" "HTTPS" permit log
set policy id 6
set service "SMTP"
exit
set pppoe name "test"
set pppoe name "test" username "mipl" password "13jhlxkiNJQs1ussKkCng8ymXynzsfTfhA=="
set pppoe name "test" default-route-metric 10
set pppoe name "untrust"
set pppoe name "untrust" idle 0
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 192.168.10.0/24 interface bgroup0 gateway 192.168.30.1 preference 20 permanent
set route 192.168.20.0/24 interface bgroup0 gateway 192.168.30.1 preference 20
set route 0.0.0.0/0 interface ethernet0/0 gateway 194.170.162.61 preference 20 permanent
set route 192.168.100.0/24 interface tunnel.1 preference 20
set access-list extended 30 src-ip 192.168.20.0/24 dst-ip 0.0.0.0/0 protocol any entry 10
set match-group name NET20-MG
set match-group NET20-MG ext-acl 30 match-entry 10
set action-group name NET20-AG
set action-group NET20-AG next-interface ethernet0/0 action-entry 10
set pbr policy name NET20-Pol
set pbr policy NET20-Pol match-group NET20-MG action-group NET20-AG 10
exit
set vrouter "dsl-vr"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set vrouter "dsl-vr"
exit

 

by: marmata75, posted on 2009-08-25 at 09:49:42 (ID: 25179527)

Hi,

sorry for the late response!
I'd suggest having a deeper look at your logs. It's not possible that NetScreen-Remote is logging that no one answers its Phase 1 packets while your firewall says that it cannot go past Phase 2. This is not consistent and cannot happen! Also, in your config I can see a setup for one dial-up IPsec VPN, one point-to-point IPsec VPN and one point-to-point L2TP VPN, which could confuse things; probably the logs on the firewall you're quoting are for the point-to-point VPN, not the dial-up one! Are you sure that in NetScreen-Remote you're using the right IKE identifier (that should be it@ict.com in your configuration)?
If you can provide screenshots of the NetScreen-Remote configuration, that would be fine!

Cheers,
]\/[arco

 

by: junaidIT, posted on 2009-09-01 at 00:52:24 (ID: 25229316)

Sorry, I have not been checking this for a while.

Can someone provide me simple steps, preferably with screenshots if possible, about how to configure a simple VPN using the SSG20 and NetScreen-Remote? The IP address for the VPN, does that have to be a public IP? I need to delete all the configurations that were made and all the mess-up that was created. Please help.

 

by: junaidIT, posted on 2009-09-06 at 03:04:43 (ID: 25269329)

This is the current log in the firewall that I get. I have followed the article that was in the Juniper knowledgebase:

http://kb.juniper.net/KB6233

2009-09-06 14:37:41 info Rejected an IKE packet on ethernet0/0 from 86.96.21.243:500 to 194.170.162.62:500 with cookies 89246e1b355fabfa and cf0c750d7f9a93d6 because There were no acceptable Phase 1 proposals.
2009-09-06 14:37:41 info IKE 86.96.21.243 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2009-09-06 14:36:31 info Rejected an IKE packet on ethernet0/0 from 86.96.21.243:500 to 194.170.162.62:500 with cookies 68a7e29576301d76 and 0776fbfd3cb80fc5 because There were no acceptable Phase 1 proposals.
2009-09-06 14:36:31 info IKE 86.96.21.243 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2009-09-06 14:36:07 info Rejected an IKE packet on ethernet0/0 from 86.96.21.243:500 to 194.170.162.62:500 with cookies 93657bbad7e685a0 and 895c2f1fa8c0e0a5 because There were no acceptable Phase 1 proposals.
2009-09-06 14:36:07 info IKE 86.96.21.243 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2009-09-06 14:34:56 info Rejected an IKE packet on ethernet0/0 from 217.165.1.22:500 to 194.170.162.62:500 with cookies 9c9ec7de60aacbfe and 8a89855ad7bd1e22 because There were no acceptable Phase 1 proposals.
2009-09-06 14:34:56 info IKE 217.165.1.22 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2009-09-06 14:34:56 info Rejected an IKE packet on ethernet0/0 from 217.165.1.22:500 to 194.170.162.62:500 with cookies f0afd8b427a94014 and 688c75ef3030cb99 because There were no acceptable Phase 1 proposals.
2009-09-06 14:34:56 info IKE 217.165.1.22 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2009-09-06 14:34:55 info Rejected an IKE packet on ethernet0/0 from 217.165.1.22:500 to 194.170.162.62:500 with cookies ff5e4f1fcee853ec and eb5279eec14fc27e because There were no acceptable Phase 1 proposals.
2009-09-06 14:34:55 info IKE 217.165.1.22 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2009-09-06 14:34:54 info Rejected an IKE packet on ethernet0/0 from 217.165.1.22:500 to 194.170.162.62:500 with cookies 06fae59645832bb9 and d0574907ef838d00 because There were no acceptable Phase 1 proposals.
2009-09-06 14:34:54 info IKE 217.165.1.22 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2009-09-06 14:34:52 info Rejected an IKE packet on ethernet0/0 from 217.165.1.22:500 to 194.170.162.62:500 with cookies c722b56e6912141c and 99b681e7586c0574 because There were no acceptable Phase 1 proposals.
2009-09-06 14:34:52 info IKE 217.165.1.22 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2009-09-06 14:34:52 info Rejected an IKE packet on ethernet0/0 from 217.165.1.22:500 to 194.170.162.62:500 with cookies 9ea4bb371df5148a and ec8d289d69730d3e because There were no acceptable Phase 1 proposals.
2009-09-06 14:34:52 info IKE 217.165.1.22 Phase 1: Responder starts AGGRESSIVE mode negotiations.

The log viewer on NetScreen-Remote shows me the following message:

 9-06: 14:06:15.897
 9-06: 14:06:15.897 My Connections\corporate - Initiating IKE Phase 1 (IP ADDR=194.170.162.62)
 9-06: 14:06:16.100 My Connections\corporate - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
 9-06: 14:06:16.131 My Connections\corporate - RECEIVED<<< ISAKMP OAK INFO (NOTIFY:NO_PROPOSAL_CHOSEN)
 9-06: 14:06:16.131 My Connections\corporate - Discarding IKE SA negotiation


Please advise.

 

by: junaidIT, posted on 2009-09-06 at 03:15:00 (ID: 25269342)

OK, fixed that one: a wrong encryption was chosen for Phase 1. I got a new message for Phase 2.

 9-06: 14:13:38.215
 9-06: 14:13:38.215 My Connections\corporate - Initiating IKE Phase 1 (IP ADDR=194.170.162.62)
 9-06: 14:13:38.387 My Connections\corporate - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
 9-06: 14:13:38.731 My Connections\corporate - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH)
 9-06: 14:13:38.731 My Connections\corporate - Peer supports Dead Peer Detection Version 1.0
 9-06: 14:13:38.731 My Connections\corporate - Dead Peer Detection enabled
 9-06: 14:13:38.793 My Connections\corporate - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
 9-06: 14:13:38.793 My Connections\corporate - Established IKE SA
 9-06: 14:13:38.793 My Connections\corporate -   MY COOKIE ca 11 4 45 d4 4d 17 2b
 9-06: 14:13:38.793 My Connections\corporate -   HIS COOKIE 27 d a ba 9d 17 27 67
 9-06: 14:13:38.934 My Connections\corporate - Initiating IKE Phase 2 with Client IDs (message id: 88104D6D)
 9-06: 14:13:38.934 My Connections\corporate -   Initiator = IP ADDR=86.96.0.151, prot = 0 port = 0
 9-06: 14:13:38.934 My Connections\corporate -   Responder = IP SUBNET/MASK=192.168.20.0/255.255.255.0, prot = 0 port = 0
 9-06: 14:13:38.934 My Connections\corporate - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
 9-06: 14:13:54.449 My Connections\corporate - QM re-keying timed out. Retry count: 1
 9-06: 14:13:54.449 My Connections\corporate - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 9-06: 14:14:09.449 My Connections\corporate - QM re-keying timed out. Retry count: 2
 9-06: 14:14:09.449 My Connections\corporate - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 9-06: 14:14:24.449 My Connections\corporate - QM re-keying timed out. Retry count: 3
 9-06: 14:14:24.449 My Connections\corporate - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 9-06: 14:14:39.449 My Connections\corporate - Exceeded 3 attempts (message id: 88104D6D)
 9-06: 14:14:39.449 My Connections\corporate - Disconnecting IKE SA negotiation
 9-06: 14:14:39.449 My Connections\corporate - Deleting IKE SA (IP ADDR=194.170.162.62)
 9-06: 14:14:39.449 My Connections\corporate -   MY COOKIE ca 11 4 45 d4 4d 17 2b
 9-06: 14:14:39.449 My Connections\corporate -   HIS COOKIE 27 d a ba 9d 17 27 67
 9-06: 14:14:39.449 My Connections\corporate - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)
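The two rejections seen so far in this thread ("no acceptable Phase 1 proposals" and a Quick Mode that never gets an answer) can both be checked against the posted configuration before touching the firewall. The script below is an added example, not code from the thread or from Juniper: it reads the relevant `set ike` and `set vpn` lines quoted in the config above (preshared keys replaced by `<omitted>`), decodes ScreenOS proposal names such as `pre-g2-aes128-sha`, and tests whether a client's offered Phase 1 transforms match what a gateway accepts, and whether the subnet the client asks for in Phase 2 (the `Responder = IP SUBNET/MASK=192.168.20.0/255.255.255.0` line in the NetScreen-Remote log) sits inside the VPN's local proxy-id. The client-side proposal lists are constructed assumptions, since NetScreen-Remote does not print them; note also that the posted config puts the Trust LAN at 192.168.30.0/24 while `ras-vpn`'s local proxy-id is 192.168.20.0/24, so a client asking for 192.168.30.0/24 over that VPN is flagged.

```python
"""Check a dial-up client's Phase 1 proposals and Phase 2 IDs against ScreenOS config lines.

Added example: config lines are copied from the thread (secrets replaced by
<omitted>); the client proposal lists passed to first_acceptable() are assumptions.
"""
import re
from ipaddress import ip_network

SSG_CONFIG = """
set ike p1-proposal "MIP_1" preshare group2 esp aes256 sha-1 hour 8
set ike gateway "Rameez_GW" dialup "VPN_GP" Aggr outgoing-interface "ethernet0/0" preshare "<omitted>" proposal "MIP_1" "pre-g2-aes128-sha"
set ike gateway "RAS-GW" dialup "xauth-global" Aggr outgoing-interface "ethernet0/0" preshare "<omitted>" proposal "pre-g2-aes128-sha"
set vpn "Rameez_VPN" gateway "Rameez_GW" no-replay tunnel idletime 0 proposal "MIP_2"
set vpn "ras-vpn" gateway "RAS-GW" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "Rameez_VPN" proxy-id local-ip 192.168.0.0/16 remote-ip 255.255.255.255/32 "ANY"
set vpn "ras-vpn" proxy-id local-ip 192.168.20.0/24 remote-ip 255.255.255.255/32 "ANY"
"""

# Phase 2 "Responder" ID as printed by NetScreen-Remote in the thread
CLIENT_REMOTE_ID = "IP SUBNET/MASK=192.168.20.0/255.255.255.0"

HASH_ALIAS = {"sha-1": "sha", "sha1": "sha", "sha": "sha", "md5": "md5"}
AUTH_ALIAS = {"preshare": "pre", "pre": "pre", "rsa-sig": "rsa", "rsa": "rsa",
              "dsa-sig": "dsa", "dsa": "dsa"}


def parse_p1_proposals(config):
    """Return {name: (auth, dh_group, cipher, hash)} for user-defined p1 proposals."""
    pat = re.compile(r'^set ike p1-proposal "([^"]+)" (\S+) group(\d+) esp (\S+) (\S+)')
    props = {}
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            name, auth, dh, enc, hsh = m.groups()
            props[name] = (AUTH_ALIAS[auth], int(dh), enc, HASH_ALIAS[hsh])
    return props


def predefined_proposal(name):
    """Decode ScreenOS predefined names such as pre-g2-aes128-sha; None if not one."""
    m = re.fullmatch(r"(pre|rsa|dsa)-g(\d+)-(des|3des|aes128|aes192|aes256)-(md5|sha)", name)
    if not m:
        return None
    auth, dh, enc, hsh = m.groups()
    return (auth, int(dh), enc, hsh)


def gateway_proposals(config, gateway):
    """Resolve the Phase 1 proposals a named IKE gateway accepts, in config order."""
    custom = parse_p1_proposals(config)
    for line in config.splitlines():
        if line.strip().startswith(f'set ike gateway "{gateway}" ') and " proposal " in line:
            names = re.findall(r'"([^"]+)"', line.split(" proposal ", 1)[1])
            return [custom.get(n) or predefined_proposal(n) for n in names]
    return []


def first_acceptable(gateway_props, client_props):
    """Phase 1 succeeds only if an offered transform equals one the gateway accepts."""
    for offered in client_props:
        if offered in gateway_props:
            return offered
    return None


def vpn_for_gateway(config, gateway):
    m = re.search(rf'^set vpn "([^"]+)" gateway "{re.escape(gateway)}"', config, re.M)
    return m.group(1) if m else None


def local_proxy_id(config, vpn):
    m = re.search(rf'^set vpn "{re.escape(vpn)}" proxy-id local-ip (\S+)', config, re.M)
    return ip_network(m.group(1), strict=False) if m else None


def client_subnet(remote_id):
    """Turn NetScreen-Remote's 'IP SUBNET/MASK=a.b.c.d/m.m.m.m' into a network."""
    m = re.search(r"=(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)", remote_id)
    return ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def phase2_id_ok(config, gateway, remote_id):
    """Proxy-ID check: the subnet the client asks for must lie inside the VPN's local-ip."""
    local = local_proxy_id(config, vpn_for_gateway(config, gateway))
    return client_subnet(remote_id).subnet_of(local)


if __name__ == "__main__":
    # Constructed client offers: the first only carries 3DES/MD5, the second adds a match
    mismatched = [("pre", 2, "3des", "md5")]
    matching = [("pre", 2, "3des", "md5"), ("pre", 2, "aes128", "sha")]
    ras = gateway_proposals(SSG_CONFIG, "RAS-GW")
    print("RAS-GW accepts:", ras)
    print("3DES/MD5 only :", first_acceptable(ras, mismatched))
    print("with AES128   :", first_acceptable(ras, matching))
    print("192.168.20.0/24 via Rameez_VPN:", phase2_id_ok(SSG_CONFIG, "Rameez_GW", CLIENT_REMOTE_ID))
    print("192.168.30.0/24 via ras-vpn   :",
          phase2_id_ok(SSG_CONFIG, "RAS-GW", "IP SUBNET/MASK=192.168.30.0/255.255.255.0"))
```

The proposal tuple (auth method, DH group, cipher, hash) is exactly what the gateway compares in Aggressive Mode; a `None` from `first_acceptable` corresponds to the `NO_PROPOSAL_CHOSEN` notify in the client log. The proxy-ID test only covers the local side: with a dial-up gateway the remote side is the wildcard `255.255.255.255/32`, so the subnet the client puts under "Remote Party Identity and Addressing" is the part that has to agree with the policy.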

 

by: junaidIT, posted on 2009-09-06 at 03:32:10 (ID: 25269369)

All right, I got this far. The VPN shows as successfully connected without any errors, but I am not able to access any of the local resources. Can someone please advise? I am almost done with this headache and should be able to sit and fine-tune it once it starts working. This is the log in the firewall:

IKE 86.96.21.8 Phase 2 msg ID 92b50b8b: Completed negotiations with SPI b640cfbb, tunnel ID 32770, and lifetime 3600 seconds/0 KB.
2009-09-06 15:55:11 info IKE 86.96.21.8 Phase 2 msg ID 92b50b8b: Responded to the peer's first message.
2009-09-06 15:55:10 info IKE 86.96.21.8: Received initial contact notification and removed Phase 1 SAs.
2009-09-06 15:55:10 info IKE 86.96.21.8 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2009-09-06 15:55:10 info IKE 86.96.21.8 Phase 1: Completed for user user1.
2009-09-06 15:55:10 info IKE 86.96.21.8: Received initial contact notification and removed Phase 2 SAs.
2009-09-06 15:55:10 info IKE 86.96.21.8: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
2009-09-06 15:55:10 info IKE 86.96.21.8: Received a notification message for DOI 1 24577 REPLAY-STATUS.
2009-09-06 15:55:10 info IKE 86.96.21.8 Phase 1: Responder starts AGGRESSIVE mode negotiations.
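The logs pasted through this thread cover every stage a dial-up negotiation can stall at: Phase 1 unanswered, Phase 1 proposal rejected, Phase 2 rejected for its proxy-ID, Quick Mode unanswered, and finally a tunnel that is up but carries no traffic. The script below is an added example, not code from the thread or from Juniper: it matches the exact signatures quoted above, from both the NetScreen-Remote log viewer and the SSG20 event log, to the stage they belong to and the checks marmata75 suggests for each. It also compares the address the client dials against the gateway's ethernet0/0 address from the posted config; the first client log in the thread dials 194.172.162.62, which differs by one digit from the 194.170.162.62 in the config, and whether that was a typo in the post or in the client profile it is the kind of discrepancy worth ruling out first. The sample logs are abridged copies of the lines on this page.

```python
"""Triage a failing NetScreen-Remote / ScreenOS dial-up VPN from its log lines.

Added example, not from the thread or from Juniper. GATEWAY_IP is the
ethernet0/0 address in the posted config; the sample logs are abridged
copies of the lines quoted in the thread.
"""
import re

GATEWAY_IP = "194.170.162.62"

# Ordered (pattern, stage, finding): the most specific signatures are tested first.
RULES = [
    (r"No policy exists for the proxy ID received", "phase2",
     "proxy-ID / policy mismatch: the client's Phase 2 IDs match no VPN policy on the firewall"),
    (r"NO_PROPOSAL_CHOSEN|no acceptable Phase 1 proposals", "phase1",
     "Phase 1 proposal mismatch: encryption, hash, DH group or auth method differ between client and gateway"),
    (r"QM re-keying timed out", "phase2",
     "Phase 2 unanswered after Phase 1 completed: check the VPN's proxy-ID and the Untrust-to-Trust policy"),
    (r"Phase 2 .* Completed negotiations", "established",
     "tunnel is up; if hosts are unreachable check the XAuth IP pool, the route over the tunnel interface and the policy services"),
    (r"Exceeded 3 IKE SA negotiation attempts", "phase1",
     "no reply to Phase 1 at all: peer address, UDP/500 reachability or the gateway's outgoing interface"),
]


def dialed_address(lines):
    """Address NetScreen-Remote tried to reach, from its 'Initiating IKE Phase 1' line."""
    for line in lines:
        m = re.search(r"Initiating IKE Phase 1 \(IP ADDR=([\d.]+)\)", line)
        if m:
            return m.group(1)
    return None


def triage(lines, gateway_ip=GATEWAY_IP):
    """Return {'stage', 'finding'} for the first signature found in the log."""
    dialed = dialed_address(lines)
    if dialed and dialed != gateway_ip:
        return {"stage": "phase1",
                "finding": f"client dials {dialed} but the gateway's Untrust address is {gateway_ip}"}
    text = "\n".join(lines)
    for pattern, stage, finding in RULES:
        if re.search(pattern, text):
            return {"stage": stage, "finding": finding}
    return {"stage": "unknown", "finding": "no known failure signature in these lines"}


# Sample logs copied (abridged) from the thread
CLIENT_NO_ANSWER = [
    "8-18: 13:52:36.656 My Connections\\New Connection - Initiating IKE Phase 1 (IP ADDR=194.172.162.62)",
    "8-18: 13:52:36.672 My Connections\\New Connection - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)",
    "8-18: 13:52:52.537 My Connections\\New Connection - message not received! Retransmitting!",
    "8-18: 13:53:38.160 My Connections\\New Connection - Exceeded 3 IKE SA negotiation attempts",
]
FIREWALL_PROXY_ID = [
    "IKE 0.0.0.0 Phase 2: No policy exists for the proxy ID received: local ID "
    "(192.168.100.0/255.255.255.0, 0, 0) remote ID (255.255.255.255/255.255.255.255, 0, 0).",
]
FIREWALL_NO_PROPOSAL = [
    "2009-09-06 14:37:41 info Rejected an IKE packet on ethernet0/0 from 86.96.21.243:500 to "
    "194.170.162.62:500 with cookies 89246e1b355fabfa and cf0c750d7f9a93d6 because There were "
    "no acceptable Phase 1 proposals.",
    "2009-09-06 14:37:41 info IKE 86.96.21.243 Phase 1: Responder starts AGGRESSIVE mode negotiations.",
]
CLIENT_QM_TIMEOUT = [
    "9-06: 14:13:38.215 My Connections\\corporate - Initiating IKE Phase 1 (IP ADDR=194.170.162.62)",
    "9-06: 14:13:38.793 My Connections\\corporate - Established IKE SA",
    "9-06: 14:13:38.934 My Connections\\corporate - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)",
    "9-06: 14:13:54.449 My Connections\\corporate - QM re-keying timed out. Retry count: 1",
]
FIREWALL_UP = [
    "IKE 86.96.21.8 Phase 2 msg ID 92b50b8b: Completed negotiations with SPI b640cfbb, "
    "tunnel ID 32770, and lifetime 3600 seconds/0 KB.",
    "2009-09-06 15:55:10 info IKE 86.96.21.8 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.",
]

if __name__ == "__main__":
    samples = [("client, no answer", CLIENT_NO_ANSWER), ("firewall, proxy-ID", FIREWALL_PROXY_ID),
               ("firewall, no proposal", FIREWALL_NO_PROPOSAL), ("client, QM timeout", CLIENT_QM_TIMEOUT),
               ("firewall, tunnel up", FIREWALL_UP)]
    for name, log in samples:
        print(f"{name:22} -> {triage(log)}")
```

Run the client log and the firewall log through `triage` separately: if the client reports an unanswered Phase 1 while the firewall reports a Phase 2 failure, the two logs are not describing the same attempt, which is the inconsistency marmata75 pointed out above.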

 

by: marmata75, posted on 2009-09-06 at 22:54:59 (ID: 25272933)

Hi JunaidIT,

sorry for being late, I really missed your follow-up of 1st September!
You've almost done everything, well done! When you say that you cannot access local resources, you mean the remote ones, right? I mean, the resources on the other side of the VPN? Are you able to at least ping the remote hosts? Have you enabled all ports in the policy that references this dial-up VPN? If you're trying to access resources via their name, remember that you have to set up the DNS either in the XAuth settings or locally on the client!

Cheers,
]\/[arco

 

by: junaidIT, posted on 2009-09-06 at 23:37:33 (ID: 25273062)

What I missed out here seems to be the XAuth settings. I will try that out. I wasn't getting an IP address from the defined pool. I will keep you posted. Thanks for your help.

 

by: junaidIT, posted on 2009-09-07 at 00:06:13 (ID: 25273156)

I have done the XAuth configuration and successfully connected, but I don't seem to be able to ping any of the internal LAN networks. Any suggestions on that and I will have this thing nailed. It's been eating my brains out for some time now.

 

by: marmata75, posted on 2009-09-07 at 03:21:16 (ID: 25273980)

OK, so you could enable logging in the rule that references your VPN policy; this way you know if the packets are going through or if they're getting blocked before. Are you letting all the needed services through in the policy, AND in NetScreen-Remote? To begin you could use 'any' in both the service policy and in NetScreen-Remote; you can then open just the required ports later! Also, is the routing OK? Is the IP you're using in XAuth reachable from the remote network?

Cheers,
]\/[arco

 

by: junaidIT, posted on 2009-09-07 at 03:36:24 (ID: 25274058)

I am not too sure about the routing, but I will enable logging and check that out now. It should give me a clue about what is going wrong. Will update you soon.

 

by: junaidIT, posted on 2009-09-07 at 05:01:40 (ID: 25274412)

There is some mess-up with the routing, I guess. I don't seem to get any logs on the policy which was created. What I did was: I created a destination route with no gateway and selected the tunnel interface. The IP/netmask is the IP pool that was defined for the VPN connection. The policy that is created is:

from untrust/dialup vpn --destination--192.168.*.* service any action tunnel

If I could get this sorted out, then hopefully my VPN should work.

Kindly advise.

 

by: marmata75, posted on 2009-09-07 at 06:55:09 (ID: 25275084)

Uhm... in NetScreen-Remote, what do you have in "Remote Party Identity and Addressing"? You should have IP Subnet as the IP type, and the subnet and mask you're referencing in the rule above. This way you're sure that you're actually sending traffic through the tunnel when trying to ping the hosts referenced there.
Could it be that you still have a previous VPN defined that's matching the traffic, instead of the policy you're quoting above?

Cheers,
]\/[arco

 

by: junaidIT, posted on 2009-09-07 at 22:50:01 (ID: 31617441)

Fixed it. Thank you very much for your guidance.
