?
Solved

Need help configuring VPN access Netscreen NS5XP firewall/VPn

Posted on 2006-04-17
14
Medium Priority
?
4,837 Views
Last Modified: 2008-03-06
Hi guys..

I have Netscreen ns5xp firewall/vpn in the office with verizon business DSL static ip address.
I want to connect home to office using VPN.
could anyone give me step by step how to connect from my work - NS5xp to
Home computer?
At home i have just plain Verizon dsl with static ip address.
I'm new at this vpn and i did look up the juniper's support website and i did do what it said and i still can't get in.
http://kb.juniper.net/CUSTOMERSERVICE/KB4528

Thanks guys..
0
Comment
Question by:jimcho74
  • 9
  • 5
14 Comments
 
LVL 9

Expert Comment

by:jabiii
ID: 16470326
I would love to help!

So your NS is at the office with a static IP... lets say 1.1.1.1
your home computer, are you sure it's static or is it long lease DHCP?

If they are both static will make it easy.

What VPN are you using at home? VPN Client or hardware?
VPN client are you using Windows VPN client, or Netscreen Remote or other?

give me that and we'll be off to the races.
Jim
0
 

Author Comment

by:jimcho74
ID: 16470455
Thanks for your help...

At home i have long lease DHCP i don't have static ip address.
At home i'm using Netscreen Remote software from Netscreen.
At office i'm using Netscreen ns5xp firewall/vpn hardware.

Thanks alot for your help....

0
 
LVL 9

Expert Comment

by:jabiii
ID: 16470639
what screen os are you running, and version of NSR? using windows xp?
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
LVL 9

Accepted Solution

by:
jabiii earned 2000 total points
ID: 16470681
basically, on your NS box, you need to have your P1 and P2 proposals created.
You need to determin if you are going to connect using your IP address, or if you want to create a user account. being your DHCP I would probably recommend using a user.

once the user is created, using IKE, you need to create you a policy from that user.
and you need to configure your NSR to connect to that VPN using the same p1 and p2, and the user account created.

let me know if you need more of a step-by-step.

Jim
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16472661
Did ya get it going ok?

I use NSR here too a bunch of NS's so if you hit any problems let me know.

Tx for da pointz!

Jim
0
 

Author Comment

by:jimcho74
ID: 16472672
I did what you said above.
and i can't connect to the vpn at all.
I check the log and it said

Initiating IKE Phase 1 (IP ADDR=xx.xx.xxx.xx =IP to vpn box)se
sending >>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
Message not received Retransmitting !
SENDING >>>> ISAKMP OAK AG (Retransmission)
Disconnecting IKE SA negotiation

and it repeat this same log 2 more times and its telling me
Couln't connect to xxxx

Do you have a really easy way to setup vpn step by step for dummys??
I have to get this done and i'm lost... Help Jim.....

Thanks for your support...
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16478040
Sure will help you, give me a few minutes to detail it out for you.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16478585
First go to your Users, and Local, and create a new user. lets say "Jim"
make sure status is enable,
check IKE user,
and simple Identity,
ike id type auto, ike identiy = "Jim@jim.com" or whatever.
and click ok

Next go to your Gateways, create a new gateway.
Gateway name Jimgate
click dialup user, and choose the user from the dropdown you already created.
and put in your preshare of lets say "netscreen"
click advanced, and change the topleft phase 1 proposal to pre-g1-des-sha (or whateve ryou wish, any pre-gX-des sha will be fine, i use G5.)
click return and ok.

next go to your ike. create a new.
give it a good name like jimsike :)
your using a predefined gateway, of Jimgate
click advanced, the top left dropdown for p2 prop change to nopfs-esp-des-sha or whichever p2 you want to use.
return and ok.

ok now go to your policies.
from untrust -to trust new
source address will be your dialup VPN
destination address, which ever objects on the trusted side of the VPN or the VPN it'self your trying to access.
these should already be created under objects or you can create them here.
action tunnel
tunnel = jimsike
modify bidirectionaly policy if the trust side can initiate to you... probably not needed.
positon it at top, or you can manually move it closer to the top after creation.
click ok.

open your NSR
new connection.
remote party identity and addressing. are you connecting to a subnet or a specific host?
let's assume a specific host.
ID type = IP address
box below the pulldown input the host your connecting to.

protocol all (this can be anything, the device will moderate the ports etc nsr doesn't need to)
click connect using, secure gateway tunnel
Id type ip address
box below pull down give the IP of the external side of the VPN.
open the +
go to security, check aggressive ( although this can be main, use aggressive at first it forms easier)
go to My identity.
change ID type to Email address.
box below put in your jim@jim.com
then click pre-shared key and click enter key and put in your preshared pwd of netscreen (or whatever) and click ok

open the + under security and authentication, and make sure your P1 proposal matches that of what you put on the hardware
so authentication_method = preshared key
encryption and data integrity algorithms, = des, sha-1 sa unspecificed. (or whatever used), key group diffehellman group 1 (or whatever used)

open key exchange P2, and make sure it matches the hardware.
sa unspecifiied
compression none
make sure ESP is checked.
and encrypt alg, hash and ecanp matchup with the box.
so..esp is checked, encrypt=des, hash = sha, encap = tunnel.
click save,
yes to reset active connections, and give it a whirl.


the error you are reciving could be for a few reasons, misconfiguration, firewall inbetween etc.

look at the logs on both ends and let me know how it goes.
Jim


0
 

Author Comment

by:jimcho74
ID: 16491916
Thanks alot for your kind answer.

I did try all the settings in the vpn box and NSR software.

One thing i got confused in NSR was under new connection remote party Identity and addressing
ID type i put ip address
and ip to the vpn box (office)  same as below..

protocol : all

i did check the connecting using secure gateway tunnel.

ID type : IP Address
IP address=  ip address for the office
protocol = all
and i saw the log and it said like this..

4-19: 11:48:11.609 My Connections\New Connection - Unable to determine interface address for peer encrypter (home IP) ex.123.456.1.10
 4-19: 11:49:05.984  
 4-19: 11:49:05.984 My Connections\New Connection - Initiating IKE Phase 1 (IP ADDR=ex.  789.456.123.10) = (Office IP)
 4-19: 11:49:06.078 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 4-19: 11:49:06.500 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, VID 2x, KE, NON, ID, HASH)
 4-19: 11:49:06.578 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT)
 4-19: 11:49:06.578 My Connections\New Connection - Established IKE SA
 4-19: 11:49:06.578    MY COOKIE ef 6a 60 c8 99 a8 ae 99
 4-19: 11:49:06.578    HIS COOKIE c8 d8 1b 8b d5 80 b9 a4
 4-19: 11:49:06.625 My Connections\New Connection - Initiating IKE Phase 2 with Client IDs (message id: E721ACC3)
 4-19: 11:49:06.625   Initiator = IP ADDR=(home IP) ex.123.456.1.10., prot = 0 port = 0
 4-19: 11:49:06.625   Responder = IP ADDR=(IP ADDR=ex.  789.456.123.10) = (Office IP), prot = 0 port = 0
 4-19: 11:49:06.625 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 4-19: 11:49:21.890 My Connections\New Connection - QM re-keying timed out (message id: E721ACC3). Retry count: 1
 4-19: 11:49:21.890 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 4-19: 11:49:36.890 My Connections\New Connection - QM re-keying timed out (message id: E721ACC3). Retry count: 2
 4-19: 11:49:36.890 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 4-19: 11:49:51.890 My Connections\New Connection - QM re-keying timed out (message id: E721ACC3). Retry count: 3
 4-19: 11:49:51.890 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 4-19: 11:50:06.890 My Connections\New Connection - Exceeded 3 re-keying attempts (message id: E721ACC3)

I dont know what this is about..
Is there any easy way to connect to our windows 2003 server ??
I need to connect from home to office servers.
Please look into it for me and help me out with the solution.
Thank you very much...
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16498143
Check this link out.
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1907cde


Here is an example of one that works.

 4-20: 08:27:28.243
 4-20: 08:27:28.243 My Connections\RTA_L3_256 - Initiating IKE Phase 1 (IP ADDR=1.1.1.1)                     = (should be the IP of the remote gateway
 4-20: 08:27:28.243 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 4-20: 08:27:28.583 My Connections\RTA_L3_256 - RECEIVED<<< ISAKMP OAK MM (SA, VID 2x)
 4-20: 08:27:28.903 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK MM (KE, NON, VID 4x)
 4-20: 08:27:29.384 My Connections\RTA_L3_256 - RECEIVED<<< ISAKMP OAK MM (KE, NON)
 4-20: 08:27:29.624 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
 4-20: 08:27:29.954 My Connections\RTA_L3_256 - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
 4-20: 08:27:29.954 My Connections\RTA_L3_256 - Established IKE SA
 4-20: 08:27:29.954 My Connections\RTA_L3_256 -   MY COOKIE 47 b7 d0 b b8 e0 4d b7
 4-20: 08:27:29.954 My Connections\RTA_L3_256 -   HIS COOKIE 1d a4 7a 32 d 67 b6 fc
 4-20: 08:27:30.274 My Connections\RTA_L3_256 - Initiating IKE Phase 2 with Client IDs (message id: 768657BC)
 4-20: 08:27:30.274 My Connections\RTA_L3_256 -   Initiator = IP ADDR=3.3.3.3, prot = 0 port = 0                 =should be your NSR box IP
 4-20: 08:27:30.274 My Connections\RTA_L3_256 -   Responder = IP ADDR=2.2.2.2, prot = 0 port = 0             =is the ip or subnet of the servers your going to
 4-20: 08:27:30.274 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
 4-20: 08:27:30.874 My Connections\RTA_L3_256 - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x, NOTIFY:STATUS_RESP_LIFETIME)
 4-20: 08:27:30.874 My Connections\RTA_L3_256 - Filter entry 56 added: SECURE  3.3.3.3&255.255.255.255  2.2.2.2&255.255.255.255  1.1.1.1
 4-20: 08:27:30.874 My Connections\RTA_L3_256 - SENDING>>>> ISAKMP OAK QM *(HASH)
 4-20: 08:27:31.104 My Connections\RTA_L3_256 - Loading IPSec SA (Message ID = 768657BC OUTBOUND SPI = 70C56EBC INBOUND SPI = AB835183)
 4-20: 08:27:31.104


Here is an example of one timing out. (ie the box isn't plugged in or there is a FW blocking you.)

 4-20: 08:44:21.549
 4-20: 08:44:21.549 My Connections\CRWWRI1_L2_256 - Initiating IKE Phase 1 (IP ADDR=1.1.1.1)
 4-20: 08:44:21.579 My Connections\CRWWRI1_L2_256 - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 4-20: 08:44:37.321 My Connections\CRWWRI1_L2_256 - message not received! Retransmitting!
 4-20: 08:44:37.321 My Connections\CRWWRI1_L2_256 - SENDING>>>> ISAKMP OAK MM (Retransmission)
 4-20: 08:44:52.344 My Connections\CRWWRI1_L2_256 - message not received! Retransmitting!
 4-20: 08:44:52.344 My Connections\CRWWRI1_L2_256 - SENDING>>>> ISAKMP OAK MM (Retransmission)
 4-20: 08:45:07.370 My Connections\CRWWRI1_L2_256 - message not received! Retransmitting!
 4-20: 08:45:07.370 My Connections\CRWWRI1_L2_256 - SENDING>>>> ISAKMP OAK MM (Retransmission)
 4-20: 08:45:22.455 My Connections\CRWWRI1_L2_256 - Exceeded 3 IKE SA negotiation attempts

If that doesn't get you going let me know, and I will see if I can't build you a policy for NSM, and via CLI for the NS box and post it latter today. Let me know.

Jim
0
 

Author Comment

by:jimcho74
ID: 16525747
Thank you so much Jim...
I finaly got it to connect from home to office.
I could access file server but i'm having trouble accessing company's exchange server.
I could ping the gateway, file server, and exchange server but i can't use outlook to get the e-mail.
But i could ping it.... file server is on 192.168.1.250  = panfil01 = computer name
and exchange server is on 192.168.1.251 =  panexch01
Our DNS server is also 192.168.1.251.

If i try to ping  instade of ip using ping panexch01 i can't ping it.
and i can't get my e-mail using outlook.  outlook is giving error message of
Task microsoft exchange server reported error ( 0x8004011D) : 'the server is not available.  Contact your administrator if this condition persists.'

why is this happening??
Do i have to do something to the server...

thanks Jim for your support..

Jimmy
0
 

Author Comment

by:jimcho74
ID: 16525877
and office domain is pangaia.local (not internet domain.  Just local)

Thanks
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16526171
are you allowing the exchange ports and DNS through the tunnel?

I would turn on logging on all policies, especially your deny's and see what ports are going through.
easy way to see would be ping the mail server, then check mail, then ping the mail server again, to narrow down the logs.

0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question