Solved

Need to allow IPSEC outbound and leave Site-to-Site alone

Posted on 2011-03-18
Last Modified: 2012-05-11
We have a Juniper SSG5 and a Netscreen25 with a Site-to-Site Vpn setup and working between two buildings.

Now, my "other" job (I have several) needs me to VPN (using the software client) to their Cisco 1841 from time to time to make changes.

The SSG5 (the gateway router at my real office) won't let the IPsec traffic go out and come back, and I think it is mostly because of the settings for the site-to-site. Since I'm stuck using this SSG5 for a bit, how can I get it to allow the IPsec client connection to form while leaving the site-to-site VPN alone?

AND YES, the Cisco 1841 works perfectly, and has for many a year. I can still VPN to it from anywhere outside of the ssg5.

Here's the current config from the SSG5 (credentials and public addresses redacted). Reviewer note: policy 1 below already permits Any/Any/ANY from Trust to Untrust, so IKE (UDP 500) and NAT-T (UDP 4500) are not being blocked by policy. Unrelated to the question but worth fixing while you are in there: SNMP is enabled on the Untrust interface (ethernet0/0) with the default read-only community "public", SSH and SSL management are also enabled on that Untrust interface, and the site-to-site tunnel uses 3DES/MD5 with no PFS and replay protection disabled (no-replay).

set clock ntp
set clock timezone -6
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "XXXXXXXXXXX"
set admin password "XXXXXXXXXXXXXXXXXXXXXXXXXXX"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "VPN"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
unset zone "VPN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "VPN"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip XXX.XXX.XXX.146/29
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.13.1/24
set interface bgroup0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 manage-ip XXX.XXX.XXX.144
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface bgroup0 manage mtrace
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server enable
set interface bgroup0 dhcp server option lease 1440 
set interface bgroup0 dhcp server option gateway 192.168.13.1 
set interface bgroup0 dhcp server option netmask 255.255.255.0 
set interface bgroup0 dhcp server option dns1 12.127.17.71 
set interface bgroup0 dhcp server option dns2 12.127.16.67 
set interface bgroup0 dhcp server option dns3 216.10.32.10 
set interface bgroup0 dhcp server ip 192.168.13.50 to 192.168.13.250 
set interface bgroup0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
unset flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 12.127.17.72 src-interface bgroup0
set dns host dns2 12.127.16.67 src-interface bgroup0
set dns host dns3 216.10.32.10 src-interface bgroup0
set address "Trust" "12.127.17.72" src-interface  "bgroup0"
set address "Trust" "XXX.XXX.XXX.146/0" XXX.XXX.XXX.146 0.0.0.0
set address "Trust" "192.168.13.0/24" 192.168.13.0 255.255.255.0
set address "Trust" "YYY.YYY.YYY.217/0" YYY.YYY.YYY.217 0.0.0.0
set address "Untrust" "ZZZ.ZZZ.ZZZ.224/27" ZZZ.ZZZ.ZZZ.224 255.255.255.224
set address "Untrust" "Facebook" 69.63.176.0 255.255.240.0
set address "Untrust" "Myspace-1" 216.178.32.0 255.255.240.0
set address "Untrust" "Myspace-2" 63.135.80.0 255.255.240.0
set address "Untrust" "Myspace-3" 204.16.32.0 255.255.252.0
set address "Untrust" "Myspace-4" 67.134.143.0 255.255.255.0
set address "VPN" "192.168.19.0/24" 192.168.19.0 255.255.255.0
set ike gateway "IKE to Missouri" address WWW.WWW.WWW.66 Main outgoing-interface "ethernet0/0" preshare "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" proposal "pre-g2-3des-md5"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN to Missouri" gateway "IKE to Missouri" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5" 
set vpn "VPN to Missouri" id 1 bind interface tunnel.1
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 1
exit
set policy id 5 from "Trust" to "Untrust"  "Any" "ZZZ.ZZZ.ZZZ.224/27" "ANY" permit log traffic gbw 1024 priority 2
set policy id 5
set log session-init
exit
set policy id 3 from "VPN" to "Trust"  "192.168.19.0/24" "192.168.13.0/24" "ANY" permit 
set policy id 3
exit
set policy id 4 from "Trust" to "VPN"  "192.168.13.0/24" "192.168.19.0/24" "ANY" permit 
set policy id 4
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ntp server "0.north-america.pool.ntp.org"
set ntp server src-interface "ethernet0/0"
set ntp server backup1 "1.north-america.pool.ntp.org"
set ntp server backup1 src-interface "ethernet0/0"
set ntp server backup2 "2.north-america.pool.ntp.org"
set ntp server backup2 src-interface "ethernet0/0"
set ntp interval 60
set ntp max-adjustment 60
set snmp community "public" Read-Only Trap-off  version any
set snmp name "2501R1"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway XXX.XXX.XXX.145 preference 20
set route 192.168.19.0/24 interface tunnel.1 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


Question by:JAMason1182

Author Comment

by:JAMason1182
ID: 35169221
And a quick comment I forgot: I can trace the connection attempt from the Cisco VPN client software and see the following (the server address is redacted as AAA.AAA.AAA.78 throughout):
Cisco Systems VPN Client Version 4.6.00.0049
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      16:40:17.828  03/18/11  Sev=Info/4	CM/0x63100002
Begin connection process

2      16:40:18.000  03/18/11  Sev=Info/4	CM/0x63100004
Establish secure connection using Ethernet

3      16:40:18.000  03/18/11  Sev=Info/4	CM/0x63100024
Attempt connection with server "AAA.AAA.AAA.78"

4      16:40:19.031  03/18/11  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to AAA.AAA.AAA.78

5      16:40:19.046  03/18/11  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started

6      16:40:19.046  03/18/11  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

7      16:40:24.250  03/18/11  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

8      16:40:24.250  03/18/11  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.AAA.AAA.78

9      16:40:29.250  03/18/11  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

10     16:40:29.250  03/18/11  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.AAA.AAA.78

11     16:40:34.250  03/18/11  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

12     16:40:34.250  03/18/11  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to AAA.AAA.AAA.78

13     16:40:39.250  03/18/11  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=A460C738D9299452 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

14     16:40:39.750  03/18/11  Sev=Info/4	IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=A460C738D9299452 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

15     16:40:39.750  03/18/11  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "AAA.AAA.AAA.78" because of "DEL_REASON_PEER_NOT_RESPONDING"

16     16:40:39.765  03/18/11  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection

17     16:40:39.781  03/18/11  Sev=Info/4	IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

18     16:40:39.781  03/18/11  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

19     16:40:39.781  03/18/11  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

20     16:40:39.781  03/18/11  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

21     16:40:39.781  03/18/11  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped


Accepted Solution

by:
Qlemo earned 500 total points
ID: 35171803
All you need is a policy allowing 500/udp (IKE) and 4500/udp (NAT-T) from Trust to Untrust, and optionally 10000/tcp — that is Cisco's IPsec-over-TCP transport, which is only used if the client profile is set to TCP; your client log shows it offering NAT-T, so with the default UDP transport it will use 4500/udp after Phase 1. You can leave the policy unrestricted as to addresses, or scope it by only allowing IPsec traffic to that particular Cisco. One caveat: your existing policy 1 already permits Any/Any/ANY from Trust to Untrust, so if the explicit policy does not change the result, the drop is not a policy problem — check `get session` and `debug flow basic` on the SSG5 to see whether the 500/udp reply from the Cisco is reaching the firewall and being matched back to the client's outbound session.

The required commands are:
set service "IPSec NAT-T" protocol udp dst-port 4500
set service "IPSec Cisco NAT-T" protocol tcp dst-port 10000
set group service "grp: IPSec"
set group service "grp: IPSec" add IKE
set group service "grp: IPSec" add "IPSec NAT-T"
set group service "grp: IPSec" add "IPSec Cisco NAT-T"
set policy top name "VPN outbound" from Trust to Untrust any any "grp: IPSec"  permit log count


Those are the basics. You can move the policy within the policy order, or restrict it to the Cisco's public address instead of any (preferable, since a logged, narrowly scoped permit is easier to audit).
