Solved

Astaro V7 110 VPN to Juniper 5GT setup

Posted on 2007-08-07
Last Modified: 2008-01-09
Hello, I am trying to set up a VPN connection from an Astaro V7 110 to a Juniper 5GT. I have followed the first part of the Juniper setup found here:
http://www.bluetrait.com/archive/2006/05/13/site-to-site-vpn-with-netscreen-5gt-and-netgear-dg834g/

and I have set up the Astaro to connect back to the Juniper. I am unsure of the phase 2 proposal and what it should be: g2-esp-des-md5? g2-esp-des-sha? 3des?

Both devices have static public addresses.

I cannot seem to get the correct combination and I'm not really sure how to see what part of the linking between the two devices is failing. So this question is:
1- What type of encryption should I be selecting for both devices?
2- How do I tell where it is breaking down (why it is not establishing the connection)?
3- What do I need to change to make this work?

Thanks for the help

K
0
Question by:knightdogs
2 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 19655423
I do have some experience with the Juniper but none with Astaro.
First you have to make sure phase 1 is correctly established; only then do you need to worry about phase 2 proposals.
If phase 1 to the Juniper is established (or even if there is a failed attempt) there should be something in the logs. Logs are one of the few places that can tell you what goes wrong.

So check the logs on the Juniper (and probably Astaro also) and post relevant content. Is the VPN even trying to connect? What step fails?
0
 
LVL 2

Accepted Solution

by:
malcolmdoggy earned 1500 total points
ID: 19847664
Here is an article from Astaro's knowledgebase that may help. I have had success establishing VPN tunnels from ASG220 V6 to Netgear routers but I have no experience with Juniper products.

Task:
This guide explains what settings are required on your Astaro to set up an IPSec PSK Net-to-Net VPN from the Astaro to another firewall or VPN termination. For any VPN it is required that all parameters match correctly, and it is recommended that you first set up the remote firewall and match parameters with the Astaro.

This can be used for setting up a VPN to firewalls such as PIX, NetScreen, Sonicwall, Checkpoint, Cisco VPN or any Openswan system.

Steps:
These steps are for matching the parameters used to establish the VPN tunnel on the Astaro. The other Remote Firewall will need the same parameters established.

Policy to match for both sides of the tunnel:

ISAKMP (IKE) Settings (Phase 1)
Name: Enter a name that signifies the policy like RemoteFirewallPolicy
IKE Mode: Main Mode
Encryption Algorithm: 3DES 168bit
Authentication Algorithm: MD5 160bit
IKE DH Group: DH Group 2 (MODP 1024)
SA Lifetime (secs): 28800

IPSec Settings (Phase 2)
IPSec Mode: Tunnel
IPSec Protocol: ESP
Encryption Algorithm: 3DES-CBC 168bit
Enforce Algorithms: Off
Authentication Algorithm: MD5 160bit
SA Lifetime (secs): 28800
PFS: None
Compression: Off


Astaro Security Gateway Settings

Step 1 - Defining the Networks
1.1 - Definitions > Networks
1.2 - Click New Definition
1.3 - Name:  Remote_Gateway
1.4 - Type: Host
1.5 - Address: Enter the address of the Public IP on the Remote Firewall side
1.6 - Comment: Enter a comment if you like
1.7 - Click Add Definition
1.8 - Name: Remote_Network
1.9 - Type: Network
1.10 - Address/Netmask: Enter the IP address of the LAN on the
          Remote Firewall side and choose the according Netmask
1.11 - Comment:  Enter a comment if you like
1.12 - Click Add Definition

Step 2 - Creating the Preshared Key
2.1 - IPSec VPN > Remote Keys
2.2 - Name: Enter a name for the key
2.3 - Virtual IP: <not used>
2.4 - Key type: PSK
2.5 - Preshared Key: Enter the same key string that you did in the
         Remote Firewall
2.6 - Click Add

Step 3 - Creating a Policy
3.1 - IPSec VPN > Policies
3.2 - Click New

ISAKMP (IKE) Settings
3.3 - Name: Enter a name that signifies the policy like RemoteFirewallPolicy
3.4 - IKE Mode: Main Mode
3.5 - Encryption Algorithm: 3DES 168bit
3.6 - Authentication Algorithm: MD5 160bit
3.7 - IKE DH Group: DH Group 2 (MODP 1024)
3.8 - SA Lifetime (secs): 28800

IPSec Settings
3.9 - IPSec Mode: Tunnel
3.10 - IPSec Protocol: ESP
3.11 - Encryption Algorithm: 3DES-CBC 168bit
3.12 - Enforce Algorithms: Off
3.13 - Authentication Algorithm: MD5 160bit
3.14 - SA Lifetime (secs): 28800
3.15 - PFS: None
3.16 - Compression: Off
3.17 - Click Add

Step 4 - Creating a Connection
4.1 - IPSec VPN > Connections
4.2 - Name: Enter a name for the connection
         (eg. To_Remote_Firewall)
4.3 - Type: Standard
4.4 - IPSec Policy: Choose the policy that was created
         earlier (RemoteFirewallPolicy)
4.5 - Auto Packet Filter: On (allows all traffic through) or
         Off (you will have to create packet filter rules later on)
4.6 - Strict Routing: On

Endpoint Definition
4.7 - Local Endpoint: Select from the dropdown the Public
         interface on the Astaro firewall [eg. External (address)]
4.8 - Remote Endpoint: Select from the dropdown the definition
        of the public side on the Remote Firewall (Remote_Gateway)

Subnet definition
4.9 - Local Subnet: Select the internal LAN on the Astaro
        Firewall [eg. Internal (network)]
4.10 - Remote Subnet: Select the definition of the LAN for the
          Remote Firewall (Remote_Network)

Authentication of remote Station(s)
4.11 - Key: Select the PSK that was created earlier
4.12 - Click Add
4.13 - Enable the tunnel by clicking on the red traffic light to
          make it green.


Step 5 - Check tunnel status
5.1 - Click Show for VPN Routes to see the route that is
         created which will look like this:

<Astaro LAN>= = =<Astaro External>&<Remote Firewall External>= = =<Remote Firewall LAN>


0
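Added example, not part of the original answer or the Astaro article: a small Python check that compares a Juniper (ScreenOS) predefined Phase 2 proposal name, such as the ones named in the question, against the Phase 2 values in the guide above and reports which fields differ. It assumes the ScreenOS naming convention `<pfs>-<protocol>-<cipher>-<hash>` with `nopfs` meaning no PFS and `gN` meaning PFS with DH group N; the function names and the two extra candidate names are chosen here for illustration.

```python
# Added example: which ScreenOS Phase 2 proposal matches the Astaro policy?
# ASTARO_PHASE2 holds the Phase 2 values from the guide above
# (ESP, 3DES-CBC, MD5, PFS: None).
ASTARO_PHASE2 = {"protocol": "esp", "encryption": "3des", "auth": "md5", "pfs": None}

# Assumption: the leading token of a predefined proposal name encodes PFS.
PFS_PREFIX = {"nopfs": None, "g1": 1, "g2": 2, "g5": 5}


def parse_screenos_phase2(name):
    """Split e.g. 'g2-esp-des-md5' into PFS group, protocol, cipher and hash."""
    parts = name.strip().lower().split("-")
    if len(parts) != 4 or parts[0] not in PFS_PREFIX:
        raise ValueError(f"not a predefined Phase 2 proposal name: {name!r}")
    pfs, protocol, encryption, auth = parts
    return {"protocol": protocol, "encryption": encryption,
            "auth": auth, "pfs": PFS_PREFIX[pfs]}


def phase2_mismatches(juniper_name, astaro=ASTARO_PHASE2):
    """Return {field: (astaro_value, juniper_value)} for each differing field."""
    juniper = parse_screenos_phase2(juniper_name)
    return {field: (astaro[field], juniper[field])
            for field in astaro if astaro[field] != juniper[field]}


def matching_proposals(candidates, astaro=ASTARO_PHASE2):
    """Keep only the candidate names with no mismatching field."""
    return [c for c in candidates if not phase2_mismatches(c, astaro)]


# First two names are from the question; the last two are constructed
# candidates that follow the same naming convention.
CANDIDATES = ["g2-esp-des-md5", "g2-esp-des-sha",
              "g2-esp-3des-md5", "nopfs-esp-3des-md5"]

if __name__ == "__main__":
    for name in CANDIDATES:
        diff = phase2_mismatches(name)
        if not diff:
            print(f"{name}: matches the Astaro policy")
        for field, (astaro_val, juniper_val) in diff.items():
            print(f"{name}: {field} differs (Astaro={astaro_val}, Juniper={juniper_val})")
```

The same comparison applies to Phase 1: every field in the Astaro policy has to be checked against the corresponding setting on the remote firewall.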
