• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1072

SETTING UP VPN

Hi,

we've set up a VPN between ourselves and a client.

We're using a Juniper Netscreen on our side and the client is using a Cisco IOS firewall.

We've set up the VPN using a preshared key and 2 phase proposals,

both sides have been configured correctly but we can't seem to ping each other,

how can I diagnose the problem?

thanks

rizwan
Asked by: rdbconcepts
 
Pete Long (Consultant) commented:
>>Cisco IOS firewall.

what firewall?

>>both sides have been configured correctly

is one side using PFS and the other not?
 
ccreamer_22 commented:
First, make sure you can ping the untrust interface of each firewall from the other firewall. If you cannot do that, the problem is with the ISP.

OK, here is an example.
NetScreen side:

Untrust IP of device 1.1.1.1
Trust Network 10.1.1.0/24
Phase 1 Proposal pre-g2-3des-sha
Phase 2 Proposal g2-esp-3des-sha

Cisco PIX side:

Untrust IP of device 2.2.2.1
Trust Network 172.16.10.0/24
Phase 1 Proposal 3des-sha
Phase 2 Proposal 3des-sha

On the NetScreen:
1. Open the WebUI.
2. From the NetScreen options menu, click Network, and then click Interfaces.
3. Click New.
4. From the Tunnel Interface Name text box, enter a tunnel name.
5. From the Zone drop-down menu, select a Zone. Untrust (trust-vr)
6. Click to select Unnumbered. From the Interface drop-down menu, select an Interface. (the ethernet port of your untrust interface)
7. Click OK.
8. From the NetScreen options menu, click VPNs, select AutoKey Advanced, and then click Gateway.
9. Click New.
10. In the Gateway Name text box, enter a Gateway Name.
11. From Security Level, click to select Custom.
12. From Remote Gateway Type, click to select Static IP Address, and enter an IP Address/Hostname. (for this example, it will be the untrust interface of the Cisco Firewall, 2.2.2.1)
13. In the Preshared Key text box, enter a Preshared Key.
14. From the Outgoing Interface drop-down menu, click to choose an Outgoing Interface (untrust). Click Advanced.
15. From the Phase 1 Proposal drop-down menu, click to choose a Phase 1 Proposal. For this example, I am using pre-g2-3des-sha.
16. Click to select Mode (Initiator). Click Return.
17. Click OK.
18. From the NetScreen options menu, click VPNs, and then click AutoKey IKE.
19. Click New.
20. In the VPN Name text box, enter a VPN Name. From Security Level, click to select Custom.
21. From Remote Gateway, click to select Predefined. From the Remote Gateway drop-down menu, click to select the site you named in step 12.
22. Click Advanced.
23. From the Phase 2 Proposal drop-down menu, select a Phase 2 Proposal.
24. From Bind to, click to select Tunnel Interface. From the Tunnel Interface drop-down menu, click to select tunnel.1.
25. Click to select Proxy-ID. In the Local IP/Netmask text box, enter a Local IP/Netmask, and then in the Remote IP/Netmask text box, enter a Remote IP/Netmask. (For this example, 10.1.1.0/24 for our Local IP/Netmask and 172.16.10.0/24 for the Remote IP/Netmask.)
26. From the Service drop-down menu, click to select ANY. Click Return.
27. Click OK.
28. From the NetScreen options menu, click Policies.
29. In the From drop-down menu, click to select Trust. In the To drop-down menu, click to select Untrust.
30. Click New.
31. From Source Address, click to select New Address, and enter a New Address. (For this example, I have entered 10.1.1.0/24.)
32. From Destination Address, click to select New Address, and enter a New Address. (For this example, I have entered 172.16.10.0/24)
33. In the Service drop-down menu, click to select ANY. From the Action drop-down menu, click to select Permit.
34. Click to select Position at Top.
35. Click OK.
36. In the From drop-down menu, click to select Untrust. In the To drop-down menu, click to select Trust.
37. Click New.
38. From Source Address, click to select New Address, and enter a New Address. (For this example, I have entered 172.16.10.0/24.)
39. From Destination Address, click to select New Address, and enter a New Address. (For this example, I have entered 10.1.1.0/24.)
40. In the Service drop-down menu, click to select ANY. From the Action drop-down menu, click to select Permit.
41. Click to select Position at Top.
42. Click OK.
43. From the NetScreen options menu, click Network, select Routing, and then click Routing Table.
44. Click New.
45. From Virtual Router Name, in the Network Address/Netmask text boxes, enter a Network Address/Netmask. (For this example, I have entered 172.16.10.0/255.255.255.0.)
46. Click to select Gateway. From the Interface drop-down menu, click to select tunnel.1.
47. Click OK.

On the Cisco PIX:
1. Configure the access list.
access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
(The crypto ACL is written from the PIX's point of view: source is the PIX's own trust network 172.16.10.0/24, destination is the NetScreen's 10.1.1.0/24, i.e. the mirror image of the NetScreen proxy-ID in step 25.)
2. Configure the crypto settings.
crypto ipsec transform-set nsset esp-3des esp-sha-hmac
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
crypto map nsmap 10 set pfs group2
crypto map nsmap interface outside
(1.1.1.1 is the untrust interface of the NetScreen firewall. The transform-set name in the crypto map must match the one defined above. "set pfs group2" is required because the NetScreen Phase 2 proposal g2-esp-3des-sha uses PFS with DH group 2; without it Phase 2 fails.)

3. Configure the isakmp settings.
In this example, the settings in Step 3 include the seven necessary isakmp steps. The isakmp settings are similarly configured in the AutoKey Advanced and Gateway areas of the NetScreen. These settings are basically part of Phase 2 in relation to the NetScreen. NetScreen devices have a default lifetime of 28800 seconds (8 hours) while the Cisco PIX typically has a lifetime of 86400 seconds (24 hours). You will need to make sure that the lifetime setting matches on both devices.

isakmp enable outside
isakmp key netscreen address 1.1.1.1 netmask 255.255.255.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
(DH group 2 matches the pre-g2 Phase 1 proposal chosen on the NetScreen in step 15. A netmask of 255.255.255.255, which is the PIX default when the netmask keyword is omitted, binds the preshared key to the single peer 1.1.1.1 rather than to the whole 1.1.1.0/24 range.)

After the IPSec VPN has been configured, you can make the IKE VPN negotiate by sending traffic through the VPN. In this example, I have sent a ping to 10.1.1.1 (the Trust IP Address of the NetScreen) from the PIX. After three or four pings, the VPN should be established.
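The following cross-check script is an added example, not code from this thread or from Juniper or Cisco. It parses the NetScreen predefined proposal names used above (pre-g2-3des-sha, g2-esp-3des-sha) together with a pasted PIX isakmp/crypto-map configuration and reports the mismatches that most often keep Phase 1 or Phase 2 from completing: authentication, encryption, hash, DH group, lifetime, PFS (Pete Long's question above), the transform-set, and a crypto ACL that is not the mirror image of the NetScreen proxy-ID. The PIX config text is a constructed sample built from the values in this answer, with three such mismatches left in on purpose; the encryption/hash keyword tables cover only the common DES/3DES/AES and MD5/SHA names.

```python
"""Cross-check a NetScreen AutoKey IKE setup against a Cisco PIX config and list mismatches."""
import ipaddress
import re

# NetScreen predefined proposal names encode their parameters:
#   Phase 1: <auth>-g<dh>-<enc>-<hash>          e.g. pre-g2-3des-sha
#   Phase 2: <g<dh> | nopfs>-esp-<enc>-<hash>   e.g. g2-esp-3des-sha
NS_P1 = re.compile(r"(pre|rsa|dsa)-g(\d)-([a-z0-9]+)-(md5|sha)")
NS_P2 = re.compile(r"(g\d|nopfs)-esp-([a-z0-9]+)-(md5|sha)")

# PIX keywords mapped onto the spelling NetScreen uses in its proposal names.
PIX_ENC = {"des": "des", "3des": "3des", "aes": "aes128", "aes-256": "aes256",
           "esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128", "esp-aes-256": "aes256"}
PIX_HASH = {"md5": "md5", "sha": "sha", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha"}


def parse_netscreen(p1_name, p2_name, local_net, remote_net, lifetime=28800):
    """Turn the NetScreen proposal names and proxy-ID into comparable fields."""
    m1, m2 = NS_P1.fullmatch(p1_name), NS_P2.fullmatch(p2_name)
    if not (m1 and m2):
        raise ValueError("unrecognised NetScreen proposal name")
    auth, dh, enc1, hash1 = m1.groups()
    pfs, enc2, hash2 = m2.groups()
    return {"auth": "pre-share" if auth == "pre" else auth, "dh": int(dh),
            "enc1": enc1, "hash1": hash1, "lifetime": lifetime,
            "pfs": None if pfs == "nopfs" else int(pfs[1:]), "enc2": enc2, "hash2": hash2,
            "local": ipaddress.ip_network(local_net), "remote": ipaddress.ip_network(remote_net)}


def parse_pix(config, map_name):
    """Pull the isakmp policy, transform-sets, crypto ACLs and the map entry out of PIX config text."""
    # 86400 s is the PIX isakmp lifetime default when no "lifetime" line is present.
    pol = {"auth": None, "enc1": None, "hash1": None, "dh": None, "lifetime": 86400}
    tsets, acls = {}, {}
    entry = {"pfs": None, "tset": None, "acl": None}
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"isakmp policy \d+ authentication (\S+)", line):
            pol["auth"] = m.group(1)
        elif m := re.fullmatch(r"isakmp policy \d+ encryption (\S+)", line):
            pol["enc1"] = PIX_ENC[m.group(1)]
        elif m := re.fullmatch(r"isakmp policy \d+ hash (\S+)", line):
            pol["hash1"] = PIX_HASH[m.group(1)]
        elif m := re.fullmatch(r"isakmp policy \d+ group (\d)", line):
            pol["dh"] = int(m.group(1))
        elif m := re.fullmatch(r"isakmp policy \d+ lifetime (\d+)", line):
            pol["lifetime"] = int(m.group(1))
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", line):
            tsets[m.group(1)] = (PIX_ENC[m.group(2)], PIX_HASH[m.group(3)])
        elif m := re.fullmatch(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := re.fullmatch(rf"crypto map {map_name} \d+ set pfs(?: group(\d))?", line):
            entry["pfs"] = int(m.group(1)) if m.group(1) else 1  # bare "set pfs" means group1
        elif m := re.fullmatch(rf"crypto map {map_name} \d+ set transform-set (\S+)", line):
            entry["tset"] = m.group(1)
        elif m := re.fullmatch(rf"crypto map {map_name} \d+ match address (\S+)", line):
            entry["acl"] = m.group(1)
    return pol, tsets, acls, entry


def compare(ns, pix_config, map_name="nsmap"):
    """Return human-readable mismatches; an empty list means both sides agree."""
    pol, tsets, acls, entry = parse_pix(pix_config, map_name)
    issues = []
    for key, label in (("auth", "phase 1 authentication"), ("enc1", "phase 1 encryption"),
                       ("hash1", "phase 1 hash"), ("dh", "phase 1 DH group"),
                       ("lifetime", "phase 1 lifetime")):
        if ns[key] != pol[key]:
            issues.append(f"{label}: NetScreen {ns[key]} vs PIX {pol[key]}")
    if ns["pfs"] != entry["pfs"]:
        issues.append(f"phase 2 PFS: NetScreen {ns['pfs']} vs PIX {entry['pfs']}")
    enc2, hash2 = tsets.get(entry["tset"], (None, None))
    if (ns["enc2"], ns["hash2"]) != (enc2, hash2):
        issues.append(f"phase 2 transform: NetScreen {ns['enc2']}/{ns['hash2']} vs PIX {enc2}/{hash2}")
    # The PIX crypto ACL is written from the PIX's point of view, so it must mirror the
    # NetScreen proxy-ID: ACL source = NetScreen remote, ACL destination = NetScreen local.
    if (ns["remote"], ns["local"]) not in acls.get(entry["acl"], []):
        issues.append(f"proxy-ID: PIX ACL {entry['acl']} has no entry {ns['remote']} -> {ns['local']}")
    return issues


# Constructed sample based on the answer's values, with the ACL written backwards,
# the isakmp policy on DH group 1 and no PFS: three mismatches the check should catch.
PIX_CONFIG = """
access-list 101 permit ip 10.1.1.0 255.255.255.0 172.16.10.0 255.255.255.0
crypto ipsec transform-set nsset esp-3des esp-sha-hmac
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside
isakmp enable outside
isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
"""
NS = parse_netscreen("pre-g2-3des-sha", "g2-esp-3des-sha", "10.1.1.0/24", "172.16.10.0/24")

if __name__ == "__main__":
    for issue in compare(NS, PIX_CONFIG) or ["no mismatches found"]:
        print(" -", issue)
```

Run against the sample it lists the DH group, PFS and proxy-ID mismatches; paste your own `show run` output into PIX_CONFIG and the same three parsers apply. Parsing the NetScreen side from its proposal names rather than from a ScreenOS dump keeps the script independent of which WebUI version generated the config.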
 
Sanga Collins (Systems Admin) commented:
Cisco and Juniper Phase 1 and Phase 2 negotiations are not always compatible.
 
Sanga Collins (Systems Admin) commented:
I take the previous comment back. I was mistaken about the negotiations.
