Solved

SSG5 VPN not working with Verizon Wireless

Posted on 2009-07-01
Last Modified: 2012-05-07
Hi, the VPN (via Netscreen Remote) from my laptop using my home cable internet connection works great. However, when I try to connect using my Verizon Wireless broadband connection it does not work. I have tried enabling NAT traversal, turning off ZoneAlarm, trying each virtual adapter setting, etc. I do not have any compression software installed (e.g. Venturi).

Netscreen remote Log is below:
7-01: 18:38:16.734 My Connections\1 - Initiating IKE Phase 1 (IP ADDR=XX.XXX.252.194)
 7-01: 18:38:16.968 My Connections\1 - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
 7-01: 18:38:32.546 My Connections\1 - message not received! Retransmitting!
 7-01: 18:38:32.546 My Connections\1 - SENDING>>>> ISAKMP OAK AG (Retransmission)
 7-01: 18:38:47.593 My Connections\1 - message not received! Retransmitting!
 7-01: 18:38:47.593 My Connections\1 - SENDING>>>> ISAKMP OAK AG (Retransmission)
 7-01: 18:39:02.593 My Connections\1 - message not received! Retransmitting!
 7-01: 18:39:02.593 My Connections\1 - SENDING>>>> ISAKMP OAK AG (Retransmission)
 7-01: 18:39:17.687 My Connections\1 - Exceeded 3 IKE SA negotiation attempts
Question by:wn411
17 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 50 total points
ID: 24759182
What happens if you restart the laptop and use only the Verizon wireless connection? I ask this because sometimes the Netscreen Remote services need to be restarted between different connection types. I don't know why, but I know it gave me some relief.

I am using the SafeNet product for Vista 64-bit now, and don't use the Netscreen Remote product any longer.

It is also possible that Netscreen Remote is not compatible with Verizon Wireless. That I do not know  .... Thinkpads_User

Author Comment

by:wn411
ID: 24759991
Yes, I am only using the Verizon Connection. The computer is off before connection. I have also selected the WAN connection that Verizon is using.
LVL 18

Expert Comment

by:deimark
ID: 24762413
It might also be that verizon are just blocking the IPSec connection.

Some wireless providers only allow http and https, similar to hotspot.

See if you can tunnel through https with the nsremote (off the top of my head I can't recall if you can)

Author Comment

by:wn411
ID: 24763701
From other articles I read IPSEC should be OK. I don't see the option to tunnel over SSL.
LVL 18

Expert Comment

by:deimark
ID: 24764510
IPSec is normally fine, however, as I said, some providers of wireless stuff, like hotspots etc, do limit the protocols that can traverse their networks.

All we can see in the logs is that nsremote keeps trying to send the phase 1 1st packet and gets no response.  Which can indicate that either the firewall is dropping the packet (which will be seen in the firewall logs) or the provider is not allowing the traffic through.

I would double check with verizon first, to make sure that they allow ipsec across the wireless connection
LVL 90

Expert Comment

by:John Hurst
ID: 24764598
As I more or less indicated in my earlier post, there is just no guarantee that Juniper Netscreen will work through any given router, any given modem, or any given ISP. While I have had good success with Netscreen over a 5 year period, I have had glitches as well, and as the log above showed, the Netscreen software didn't even get to first base which is further evidence of incompatibility. ... Thinkpads_User
LVL 18

Expert Comment

by:deimark
ID: 24764662
AFAIK, the NSRemote product is a rebranded safenet one, so not sure what you're getting at here bud.

Juniper is only 1 of many that provide the remote access solutions to connect to firewall/routers etc.  They are all pretty much the same as long as they follow the standards for the protocol to be used, which in this case is ipsec.

As we know that NSremote works on other networks, it's reasonable to assume the differentiating factor of this one is that it's a verizon provided wireless.

It may be a red herring but I have been burned by several wireless providers NOT allowing the transit of IPSec packets in their network, they only allow http and https.  To get around this, I have had to set the VPN client to use SSL (in the past it's been check points secure client, which works fine) so I do know what I am talking about.

I still stand by my post above, before we go trying to troubleshoot the juniper side, a quick call to verizon support to see if they allow ipsec packets through their network would be my first obvious and most sensible port of call.

And yes I do know that there are better utilities out there to act as VPN clients, but sadly, as the SSG boxes do not offer SSL VPN functionality, all of them will hit the same problem if verizon is blocking ipsec.

Author Comment

by:wn411
ID: 24764801
deimark, I was talking about other articles saying IPSEC was OK with Verizon. But, I will call them as well and get back to all :)

Author Comment

by:wn411
ID: 24764905
I found this in the Verizon site. I am going to call them to confirm.

Will Mobile Broadband and NationalAccess work with IP Sec and existing VPN Solutions?
Yes, your VPN product should treat the NationalAccess and Mobile Broadband data networks exactly as it treats the Internet; however, we recommend testing your specific VPN over the NationalAccess and Mobile Broadband networks before you deploy the service. Verizon Wireless' national data sales team, in conjunction with system engineers and data solutions managers, work with customers and VPN providers to enable secure, wireless access to their VPN over the NationalAccess and Mobile Broadband networks. Your Verizon Wireless sales representative can provide additional information on VPN access over the Verizon Wireless networks. Verizon Wireless Data Sales Engineers are also available to meet with your corporate IT group to answer any questions and ensure a smooth implementation.
LVL 18

Expert Comment

by:deimark
ID: 24764929
Kewl bud.

As I said, it might not be the case however, its where I would check 1st before investigating the nsremote stuff.

Also, might be worth looking into an alternative to nsremote, in case it's that causing the issues, and it's shrew.  www.shrew.net.  Personally, I have never used it, but others on EE seem to rate it quite highly.
If shrew doesn't work, then it may be something in between interfering with the ipsec packets.

Author Comment

by:wn411
ID: 24767593
Thanks, I called them and they confirmed IPSEC is fine. I am going to try the shrew software now :)

Author Comment

by:wn411
ID: 24767649
Also, it was mentioned that perhaps my Blackberry device used for tethering to the laptop was blocking it. I checked the firewall on the blackberry and it was off.

Author Comment

by:wn411
ID: 24768623
OK I fixed it!!! I tried the Shrew software. But that did not work. I had to then uninstall that and reboot because it broke the Netscreen Remote client software.

Here is what I had to do.

1) Connect to the Verizon Cellular Broadband connection as you would normally do.
2) Start > Control Panel > Network Connections
3) You will see National Access-Broadband Access under the Dial-Up Category.
4) Right click that connection. Choose Properties.
5) Click the Advanced tab. Check "Allow other network users to connect through this computer's Internet connection".
6) Choose Local Area Connection.
7) Click OK.

Start the VPN connection normally :)

I first tried to bridge the connections. But that option was not possible. So, I tried this and it worked!
Although the VPN software allowed me to choose the dial-up connection, I guess it was still trying to connect via the LAN connection.

I will leave this open for a day for any other comments.
LVL 18

Assisted Solution

by:deimark
deimark earned 450 total points
ID: 24768936
Hmm, never seen that one before bud, but it must be that the nsremote did bind to the lan and not the other interface.

btw, I have never seen many VPN clients that play well together, all of them want to control the interfaces as they bind their own virtual adaptors to the physical one.

DM

Author Comment

by:wn411
ID: 24769607
OK, I have even better info based on hours of troubleshooting this.

1) If I connect to the VPN via my normal LAN internet connection over cable modem broadband, the VPN connects.
2) I disconnect from the LAN cable modem connection.
3) I start the Verizon connection via tethered BlackBerry.
4) I do NOT share the Internet connection as mentioned above. The VPN connects!

Then I rebooted the PC, tried to connect to the VPN over the Verizon connection and it fails.
I noticed the following:
Netscreen Remote installs a shortcut in the Startup folder. So, the program starts upon boot and gives you an icon in the systray (clock). As an experiment, I killed all the Netscreen related .exe files in task manager. Those files can be found in C:\Program Files\Juniper\NetScreen-Remote as a reference.

I then started the Verizon connection, THEN the Netscreen software Safecfg.exe, then restarted the following services: SafeNet IKE Service, SafeNet Monitor Service.

I then successfully connect to the VPN!

I think what is happening is that since the Netscreen software is starting first, it does not see the available Verizon Connection because it does not exist. So you have to start the Verizon Connection, then you will see a listing in your Control Panel > Network Connections titled Verizon. At that point you fire up the Netscreen Remote software. It then sees that as an available connection.

My next attempt is to remove the shortcut in the start menu startup folder and set the two services above to Manual. I am hoping that will prevent me from having to kill all the startup process and services each time.

Accepted Solution

by:
wn411 earned 0 total points
ID: 24769687
Just did the above and it worked. So, the final solution is:

1) Remove SafeCfg.exe from the Startup folder in the Start Menu
2) Set SafeNetIKE and SafeNet Monitor Service to Manual Start

To connect:

1) Start the Verizon connection normally
2) Run SafeCfg.exe
3) Start SafeNetIKE and SafeNet Monitor
4) Start VPN
0
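The connect sequence from the accepted solution above, written as a PowerShell script. This is an added example, not part of the original thread or any vendor tooling; it assumes the services are registered under the display names quoted in the thread, that SafeCfg.exe sits in the folder wn411 mentioned, and that the Verizon link shows up as a PPP (dial-up) interface. Removing the Startup-folder shortcut stays a manual step because the thread does not give its name.

```powershell
# Added example: enforce "link first, VPN client second" from the accepted solution.
# Assumptions (not confirmed by the thread): service display names below,
# SafeCfg.exe location, and the tethered Verizon link appearing as a PPP interface.
# Run from an elevated prompt; Set-Service and Stop-Service need admin rights.
param(
    [string]$ClientDir = 'C:\Program Files\Juniper\NetScreen-Remote',
    [string[]]$ServiceDisplayNames = @('SafeNet IKE Service', 'SafeNet Monitor Service'),
    [int]$WaitSeconds = 60
)
$ErrorActionPreference = 'Stop'

function Test-PppLinkUp {
    # Dial-up and tethered connections are reported with interface type Ppp.
    $all = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
    foreach ($nic in $all) {
        if ($nic.NetworkInterfaceType -eq 'Ppp' -and $nic.OperationalStatus -eq 'Up') {
            return $true
        }
    }
    return $false
}

# Resolve the services; a missing service throws here and nothing is changed.
$services = foreach ($name in $ServiceDisplayNames) { Get-Service -DisplayName $name }

# Setup step 2: keep the services from starting at boot, before the link exists.
foreach ($svc in $services) { Set-Service -Name $svc.Name -StartupType Manual }

# Connect step 1: wait until the dial-up link is actually up.
$deadline = (Get-Date).AddSeconds($WaitSeconds)
while (-not (Test-PppLinkUp)) {
    if ((Get-Date) -gt $deadline) {
        throw "No PPP interface came up within $WaitSeconds s; start the Verizon connection first."
    }
    Start-Sleep -Seconds 2
}

# If the services were already running (started before the link), stop them
# so they start again with the new interface present.
foreach ($svc in $services) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
}

# Connect steps 2 and 3: client first, then the IKE and monitor services.
Start-Process -FilePath (Join-Path $ClientDir 'SafeCfg.exe')
foreach ($svc in $services) { Start-Service -Name $svc.Name }
```

After the script finishes, start the VPN connection from the client as in step 4.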
 
LVL 18

Expert Comment

by:deimark
ID: 24771323
Nice find bud and well investigated.

Thanks for letting us know.