jimcho74

Need help configuring VPN access Netscreen NS5XP firewall/VPn

Hi guys..

I have a Netscreen NS5XP firewall/VPN in the office with Verizon business DSL and a static IP address.
I want to connect from home to the office using VPN.
Could anyone give me step-by-step instructions on how to connect from my work NS5XP to my
home computer?
At home I have just plain Verizon DSL with a static IP address.
I'm new at this VPN stuff and I did look up Juniper's support website; I did what it said and I still can't get in.
http://kb.juniper.net/CUSTOMERSERVICE/KB4528

Thanks guys..
jabiii

I would love to help!

So your NS is at the office with a static IP... let's say 1.1.1.1.
Your home computer, are you sure it's static or is it long-lease DHCP?

If they are both static, it will make it easy.

What VPN are you using at home? VPN client or hardware?
If a VPN client, are you using the Windows VPN client, Netscreen Remote or something else?

Give me that and we'll be off to the races.
Jim
jimcho74 (asker)

Thanks for your help...

At home I have long-lease DHCP; I don't have a static IP address.
At home I'm using the Netscreen Remote software from Netscreen.
At the office I'm using the Netscreen NS5XP firewall/VPN hardware.

Thanks a lot for your help....

What ScreenOS are you running, and what version of NSR? Using Windows XP?
ASKER CERTIFIED SOLUTION
jabiii
Did ya get it going ok?

I use NSR here too with a bunch of NS's, so if you hit any problems let me know.

Tx for da pointz!

Jim
I did what you said above,
and I can't connect to the VPN at all.
I checked the log and it said

Initiating IKE Phase 1 (IP ADDR=xx.xx.xxx.xx =IP to vpn box)se
sending >>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
Message not received Retransmitting !
SENDING >>>> ISAKMP OAK AG (Retransmission)
Disconnecting IKE SA negotiation

and it repeats this same log 2 more times and then it tells me
Couldn't connect to xxxx

Do you have a really easy way to set up VPN step by step for dummies??
I have to get this done and I'm lost... Help Jim.....

Thanks for your support...
Sure, will help you; give me a few minutes to detail it out for you.
First go to your Users, and Local, and create a new user, let's say "Jim".
Make sure status is enabled,
check IKE user,
and Simple Identity,
IKE ID type auto, IKE identity = "Jim@jim.com" or whatever,
and click OK.

Next go to your Gateways, create a new gateway.
Gateway name Jimgate.
Click dialup user, and choose the user from the dropdown you already created,
and put in your preshare of, let's say, "netscreen".
Click advanced, and change the top-left phase 1 proposal to pre-g1-des-sha (or whatever you wish, any pre-gX-des-sha will be fine; I use G5).
Click return and OK.

Next go to your IKE. Create a new one.
Give it a good name like jimsike :)
You're using a predefined gateway, of Jimgate.
Click advanced, and in the top-left dropdown for the P2 proposal change to nopfs-esp-des-sha or whichever P2 you want to use.
Return and OK.

OK, now go to your Policies.
From untrust to trust, new.
Source address will be your Dialup VPN.
Destination address: whichever objects on the trusted side of the VPN, or the VPN itself, you're trying to access.
These should already be created under Objects, or you can create them here.
Action: tunnel.
Tunnel = jimsike.
Modify bidirectional policy if the trust side can initiate to you... probably not needed.
Position it at top, or you can manually move it closer to the top after creation.
Click OK.

Open your NSR.
New connection.
Remote party identity and addressing: are you connecting to a subnet or a specific host?
Let's assume a specific host.
ID type = IP address.
In the box below the pulldown, input the host you're connecting to.

Protocol all (this can be anything; the device will moderate the ports etc., NSR doesn't need to).
Click connect using, secure gateway tunnel.
ID type IP address.
In the box below the pulldown, give the IP of the external side of the VPN.
Open the +.
Go to security, check aggressive (although this can be main, use aggressive at first; it forms easier).
Go to My Identity.
Change ID type to Email address.
In the box below put in your jim@jim.com.
Then click pre-shared key, click enter key and put in your preshared pwd of netscreen (or whatever), and click OK.

Open the + under security and authentication, and make sure your P1 proposal matches what you put on the hardware,
so authentication method = preshared key,
encryption and data integrity algorithms = DES, SHA-1, SA unspecified (or whatever used), key group Diffie-Hellman group 1 (or whatever used).

Open key exchange P2, and make sure it matches the hardware.
SA unspecified,
compression none,
make sure ESP is checked,
and encrypt alg, hash and encap match up with the box.
So.. ESP is checked, encrypt = DES, hash = SHA, encap = tunnel.
Click save,
yes to reset active connections, and give it a whirl.


The error you are receiving could be for a few reasons: misconfiguration, firewall in between, etc.

Look at the logs on both ends and let me know how it goes.
Jim
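The post above says twice that the NSR Phase 1 and Phase 2 settings have to match the proposals chosen on the NetScreen. The following Python script is an added example for this thread, not Juniper's code and not something posted by either participant: it decodes the predefined ScreenOS proposal names the post uses (pre-g1-des-sha, nopfs-esp-des-sha) into their parts and compares them with the values typed into NSR. The dictionary keys used for the NSR side are this example's own naming; the proposal-name pattern is the standard ScreenOS one. Encapsulation mode (tunnel) is not encoded in a proposal name, so it is not checked here.

```python
"""Compare ScreenOS IKE proposals with the settings entered in NetScreen-Remote.

Added example for this thread, not Juniper's code. It decodes the predefined
ScreenOS proposal names used in the post: Phase 1 '<auth>-g<group>-<enc>-<hash>'
(pre-g1-des-sha) and Phase 2 '<pfs>-esp-<enc>-<hash>' (nopfs-esp-des-sha).
The NSR-side dict keys are this example's own naming.
"""
import re

P1_RE = re.compile(r"^(pre|rsa|dsa)-g(\d)-([a-z0-9]+)-(md5|sha)$")
P2_RE = re.compile(r"^(nopfs|g\d)-(esp|ah)-([a-z0-9]+)-(md5|sha)$")
AUTH_METHOD = {"pre": "preshared key", "rsa": "rsa signatures", "dsa": "dsa signatures"}


def norm_hash(name):
    """NSR displays 'SHA-1' / 'MD5'; ScreenOS names use 'sha' / 'md5'."""
    return name.lower().replace("-", "").replace("sha1", "sha")


def parse_p1(proposal):
    """Split a Phase 1 proposal name into auth method, DH group, cipher, hash."""
    m = P1_RE.match(proposal.lower())
    if not m:
        raise ValueError("unrecognised Phase 1 proposal name: %s" % proposal)
    auth, group, enc, hsh = m.groups()
    return {"auth": AUTH_METHOD[auth], "dh_group": int(group),
            "encryption": enc, "hash": hsh}


def parse_p2(proposal):
    """Split a Phase 2 proposal name into PFS group, protocol, cipher, hash."""
    m = P2_RE.match(proposal.lower())
    if not m:
        raise ValueError("unrecognised Phase 2 proposal name: %s" % proposal)
    pfs, proto, enc, hsh = m.groups()
    return {"pfs_group": None if pfs == "nopfs" else int(pfs[1:]),
            "protocol": proto, "encryption": enc, "hash": hsh}


def _diff(label, gateway, client):
    """List every field where the two sides disagree (empty list = match)."""
    return ["%s %s: gateway=%r client=%r" % (label, key, gateway[key], client[key])
            for key in gateway if gateway[key] != client[key]]


def check_p1(gateway_proposal, nsr):
    """nsr: {'auth', 'dh_group', 'encryption', 'hash'} as shown in NSR's
    security/authentication (Phase 1) panel."""
    client = {"auth": nsr["auth"].lower(), "dh_group": int(nsr["dh_group"]),
              "encryption": nsr["encryption"].lower(), "hash": norm_hash(nsr["hash"])}
    return _diff("Phase 1", parse_p1(gateway_proposal), client)


def check_p2(gateway_proposal, nsr):
    """nsr: {'esp', 'encryption', 'hash', 'pfs_group'} from NSR's key exchange
    (Phase 2) panel. Encapsulation mode is not part of the proposal name."""
    client = {"pfs_group": nsr.get("pfs_group"),
              "protocol": "esp" if nsr.get("esp") else "ah",
              "encryption": nsr["encryption"].lower(), "hash": norm_hash(nsr["hash"])}
    return _diff("Phase 2", parse_p2(gateway_proposal), client)


if __name__ == "__main__":
    # Constructed sample: the values the post tells the reader to set on both ends.
    nsr_p1 = {"auth": "Preshared Key", "dh_group": 1, "encryption": "DES", "hash": "SHA-1"}
    nsr_p2 = {"esp": True, "encryption": "DES", "hash": "SHA-1", "pfs_group": None}
    for problem in check_p1("pre-g1-des-sha", nsr_p1) + check_p2("nopfs-esp-des-sha", nsr_p2):
        print(problem)
    # A gateway changed to pre-g5-des-sha while NSR still says group 1 gives one mismatch.
    print(check_p1("pre-g5-des-sha", nsr_p1))
```

Run it as-is to confirm the post's recommended pair (pre-g1-des-sha with DES/SHA-1/group 1 in NSR, nopfs-esp-des-sha with ESP/DES/SHA-1 and no PFS) produces no mismatches; feed it whatever you actually picked on each side to see which field disagrees.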


Thanks a lot for your kind answer.

I did try all the settings in the VPN box and the NSR software.

One thing I got confused by in NSR was under new connection, remote party identity and addressing:
ID type, I put IP address
and the IP of the VPN box (office), same as below..

protocol: all

I did check the connect using secure gateway tunnel.

ID type: IP Address
IP address = IP address for the office
protocol = all
and I saw the log and it said like this..

4-19: 11:48:11.609 My Connections\New Connection - Unable to determine interface address for peer encrypter (home IP) ex.123.456.1.10
 4-19: 11:49:05.984  
 4-19: 11:49:05.984 My Connections\New Connection - Initiating IKE Phase 1 (IP ADDR=ex.  789.456.123.10) = (Office IP)
 4-19: 11:49:06.078 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 4-19: 11:49:06.500 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 2x, KE, NON, ID, HASH)
 4-19: 11:49:06.578 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT)
 4-19: 11:49:06.578 My Connections\New Connection - Established IKE SA
 4-19: 11:49:06.578    MY COOKIE ef 6a 60 c8 99 a8 ae 99
 4-19: 11:49:06.578    HIS COOKIE c8 d8 1b 8b d5 80 b9 a4
 4-19: 11:49:06.625 My Connections\New Connection - Initiating IKE Phase 2 with Client IDs (message id: E721ACC3)
 4-19: 11:49:06.625   Initiator = IP ADDR=(home IP) ex.123.456.1.10., prot = 0 port = 0
 4-19: 11:49:06.625   Responder = IP ADDR=(IP ADDR=ex.  789.456.123.10) = (Office IP), prot = 0 port = 0
 4-19: 11:49:06.625 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 4-19: 11:49:21.890 My Connections\New Connection - QM re-keying timed out (message id: E721ACC3). Retry count: 1
 4-19: 11:49:21.890 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 4-19: 11:49:36.890 My Connections\New Connection - QM re-keying timed out (message id: E721ACC3). Retry count: 2
 4-19: 11:49:36.890 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 4-19: 11:49:51.890 My Connections\New Connection - QM re-keying timed out (message id: E721ACC3). Retry count: 3
 4-19: 11:49:51.890 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 4-19: 11:50:06.890 My Connections\New Connection - Exceeded 3 re-keying attempts (message id: E721ACC3)

I don't know what this is about..
Is there any easy way to connect to our Windows 2003 server??
I need to connect from home to the office servers.
Please look into it for me and help me out with the solution.
Thank you very much...
Check this link out.
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1907cde


Here is an example of one that works.

 4-20: 08:27:28.243
 4-20: 08:27:28.243 My Connections\RTA_L3_256 - Initiating IKE Phase 1 (IP ADDR=1.1.1.1)                     = (should be the IP of the remote gateway
 4-20: 08:27:28.243 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 4-20: 08:27:28.583 My Connections\RTA_L3_256 - RECEIVED<<< ISAKMP OAK MM (SA, VID 2x)
 4-20: 08:27:28.903 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK MM (KE, NON, VID 4x)
 4-20: 08:27:29.384 My Connections\RTA_L3_256 - RECEIVED<<< ISAKMP OAK MM (KE, NON)
 4-20: 08:27:29.624 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
 4-20: 08:27:29.954 My Connections\RTA_L3_256 - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
 4-20: 08:27:29.954 My Connections\RTA_L3_256 - Established IKE SA
 4-20: 08:27:29.954 My Connections\RTA_L3_256 -   MY COOKIE 47 b7 d0 b b8 e0 4d b7
 4-20: 08:27:29.954 My Connections\RTA_L3_256 -   HIS COOKIE 1d a4 7a 32 d 67 b6 fc
 4-20: 08:27:30.274 My Connections\RTA_L3_256 - Initiating IKE Phase 2 with Client IDs (message id: 768657BC)
 4-20: 08:27:30.274 My Connections\RTA_L3_256 -   Initiator = IP ADDR=3.3.3.3, prot = 0 port = 0                 =should be your NSR box IP
 4-20: 08:27:30.274 My Connections\RTA_L3_256 -   Responder = IP ADDR=2.2.2.2, prot = 0 port = 0             =is the ip or subnet of the servers your going to
 4-20: 08:27:30.274 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
 4-20: 08:27:30.874 My Connections\RTA_L3_256 - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x, NOTIFY:STATUS_RESP_LIFETIME)
 4-20: 08:27:30.874 My Connections\RTA_L3_256 - Filter entry 56 added: SECURE  3.3.3.3&255.255.255.255  2.2.2.2&255.255.255.255  1.1.1.1
 4-20: 08:27:30.874 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK QM *(HASH)
 4-20: 08:27:31.104 My Connections\RTA_L3_256 - Loading IPSec SA (Message ID = 768657BC OUTBOUND SPI = 70C56EBC INBOUND SPI = AB835183)
 4-20: 08:27:31.104


Here is an example of one timing out (i.e. the box isn't plugged in or there is a FW blocking you).

 4-20: 08:44:21.549
 4-20: 08:44:21.549 My Connections\CRWWRI1_L2_256 - Initiating IKE Phase 1 (IP ADDR=1.1.1.1)
 4-20: 08:44:21.579 My Connections\CRWWRI1_L2_256 - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 4-20: 08:44:37.321 My Connections\CRWWRI1_L2_256 - message not received! Retransmitting!
 4-20: 08:44:37.321 My Connections\CRWWRI1_L2_256 - SENDING>>>> ISAKMP OAK MM (Retransmission)
 4-20: 08:44:52.344 My Connections\CRWWRI1_L2_256 - message not received! Retransmitting!
 4-20: 08:44:52.344 My Connections\CRWWRI1_L2_256 - SENDING>>>> ISAKMP OAK MM (Retransmission)
 4-20: 08:45:07.370 My Connections\CRWWRI1_L2_256 - message not received! Retransmitting!
 4-20: 08:45:07.370 My Connections\CRWWRI1_L2_256 - SENDING>>>> ISAKMP OAK MM (Retransmission)
 4-20: 08:45:22.455 My Connections\CRWWRI1_L2_256 - Exceeded 3 IKE SA negotiation attempts

If that doesn't get you going let me know, and I will see if I can't build you a policy for NSM, and via CLI for the NS box, and post it later today. Let me know.

Jim
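The three transcripts in this thread (the asker's, the working one and the timing-out one) differ in how far IKE gets before it stalls. The script below is an added example, not part of this thread and not Juniper's code: it reads an NSR log and reports which stage was reached, so the distinction the post draws can be checked mechanically. The sample logs embedded in it are shortened copies of the transcripts posted above with the annotations removed; the hint strings are this example's own wording of the diagnosis given in the thread.

```python
"""Classify how far a NetScreen-Remote (NSR) IKE negotiation got.

Added example for this thread, not Juniper's code. Input is the text NSR
shows in its log viewer; the samples below are shortened copies of the
transcripts posted in the thread, annotations removed.
"""
import re

TIMESTAMP_RE = re.compile(r"^\d+-\d+: \d+:\d+:\d+\.\d+\s*")


def message(line):
    """Drop the timestamp and 'My Connections\\<name> - ' prefix from one log line."""
    line = line.strip()
    if " - " in line:
        return line.split(" - ", 1)[1].strip()
    return TIMESTAMP_RE.sub("", line).strip()


def classify(log_text):
    """Summarise one connection attempt as a dict with an 'outcome' key."""
    r = {"exchange": None, "phase1_established": False, "phase2_started": False,
         "ipsec_sa_loaded": False, "retransmissions": 0, "notes": []}
    p1_exceeded = p2_exceeded = False
    for m in (message(l) for l in log_text.splitlines() if l.strip()):
        ex = re.search(r"ISAKMP OAK (AG|MM)", m)
        if ex and r["exchange"] is None:  # first exchange seen tells the Phase 1 mode
            r["exchange"] = "aggressive" if ex.group(1) == "AG" else "main"
        if "Unable to determine interface address" in m:
            r["notes"].append("client could not pick a local interface for the peer")
        if m.startswith("Established IKE SA"):
            r["phase1_established"] = True
        if m.startswith("Initiating IKE Phase 2"):
            r["phase2_started"] = True
        if "(Retransmission)" in m:
            r["retransmissions"] += 1
        if m.startswith("Loading IPSec SA"):
            r["ipsec_sa_loaded"] = True
        if "Exceeded 3 IKE SA negotiation attempts" in m:
            p1_exceeded = True
        if "Exceeded 3 re-keying attempts" in m:
            p2_exceeded = True
    if r["ipsec_sa_loaded"]:
        r["outcome"] = "tunnel_up"
    elif r["phase1_established"] and (p2_exceeded or r["retransmissions"]):
        r["outcome"] = "phase2_no_response"
    elif not r["phase1_established"] and (p1_exceeded or r["retransmissions"]):
        r["outcome"] = "phase1_no_response"
    else:
        r["outcome"] = "phase1_only" if r["phase1_established"] else "unknown"
    return r


HINTS = {  # this example's wording of the diagnosis given in the thread
    "tunnel_up": "IPsec SA loaded; the filter entry now covers traffic to the destination.",
    "phase1_no_response": "No reply to the first packet: box unreachable, wrong gateway IP, "
                          "or a firewall in between.",
    "phase2_no_response": "Phase 1 completed, so the gateway address and Phase 1 settings were "
                          "accepted; compare the Phase 2 proposal and the tunnel policy on both ends.",
}

# Shortened copies of the thread's transcripts (raw strings: the path contains a backslash).
ASKER_LOG = r"""
 4-19: 11:48:11.609 My Connections\New Connection - Unable to determine interface address for peer encrypter
 4-19: 11:49:05.984 My Connections\New Connection - Initiating IKE Phase 1 (IP ADDR=xx.xx.xxx.xx)
 4-19: 11:49:06.078 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 4-19: 11:49:06.500 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 2x, KE, NON, ID, HASH)
 4-19: 11:49:06.578 My Connections\New Connection - Established IKE SA
 4-19: 11:49:06.625 My Connections\New Connection - Initiating IKE Phase 2 with Client IDs (message id: E721ACC3)
 4-19: 11:49:06.625 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 4-19: 11:49:21.890 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 4-19: 11:50:06.890 My Connections\New Connection - Exceeded 3 re-keying attempts (message id: E721ACC3)
"""
WORKING_LOG = r"""
 4-20: 08:27:28.243 My Connections\RTA_L3_256 - Initiating IKE Phase 1 (IP ADDR=1.1.1.1)
 4-20: 08:27:28.243 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 4-20: 08:27:29.954 My Connections\RTA_L3_256 - Established IKE SA
 4-20: 08:27:30.274 My Connections\RTA_L3_256 - Initiating IKE Phase 2 with Client IDs (message id: 768657BC)
 4-20: 08:27:31.104 My Connections\RTA_L3_256 - Loading IPSec SA (Message ID = 768657BC OUTBOUND SPI = 70C56EBC INBOUND SPI = AB835183)
"""
TIMEOUT_LOG = r"""
 4-20: 08:44:21.549 My Connections\CRWWRI1_L2_256 - Initiating IKE Phase 1 (IP ADDR=1.1.1.1)
 4-20: 08:44:21.579 My Connections\CRWWRI1_L2_256 - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 4-20: 08:44:37.321 My Connections\CRWWRI1_L2_256 - message not received! Retransmitting!
 4-20: 08:44:37.321 My Connections\CRWWRI1_L2_256 - SENDING>>>> ISAKMP OAK MM (Retransmission)
 4-20: 08:45:22.455 My Connections\CRWWRI1_L2_256 - Exceeded 3 IKE SA negotiation attempts
"""

if __name__ == "__main__":
    for name, text in (("asker", ASKER_LOG), ("working", WORKING_LOG), ("timeout", TIMEOUT_LOG)):
        res = classify(text)
        print(name, res["outcome"], res["exchange"], "-", HINTS.get(res["outcome"], ""))
```

Paste a fresh NSR log into `classify()` and read the `outcome` field: `phase1_no_response` is the "box not plugged in or a firewall blocking you" case, `phase2_no_response` is the asker's case (IKE SA established, Quick Mode never answered), and `tunnel_up` is the working transcript.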
Thank you so much Jim...
I finally got it to connect from home to office.
I can access the file server but I'm having trouble accessing the company's Exchange server.
I can ping the gateway, file server, and Exchange server but I can't use Outlook to get the e-mail.
But I can ping it.... The file server is on 192.168.1.250 = panfil01 = computer name
and the Exchange server is on 192.168.1.251 = panexch01.
Our DNS server is also 192.168.1.251.

If I try to ping by name instead of IP, using ping panexch01, I can't ping it.
And I can't get my e-mail using Outlook. Outlook is giving the error message
Task microsoft exchange server reported error ( 0x8004011D) : 'the server is not available.  Contact your administrator if this condition persists.'

Why is this happening??
Do I have to do something to the server...

Thanks Jim for your support..

Jimmy
And the office domain is pangaia.local (not an internet domain, just local).

Thanks
Are you allowing the Exchange ports and DNS through the tunnel?

I would turn on logging on all policies, especially your denies, and see what ports are going through.
An easy way to see would be to ping the mail server, then check mail, then ping the mail server again, to narrow down the logs.