VLib
asked on
Configuring PPTP VPN passthrough on Juniper SSG5 to Windows 2003 PPTP VPN
I am having trouble configuring PPTP traffic to passthrough the Juniper to a known-working Windows 2003 PPTP VPN server. I can't imagine this is that difficult but no guide I follow can properly show me the process. Can someone please let me know what I need to do to accomplish what should be a relatively simple procedure? I have a static mapped IP to the Windows 2003 server and currently have a policy allowing SMTP, IMAP, etc, traffic to that machine (from untrust to trust), all of which works fine. I will be happy to provide any other details as needed, and thank you very much in advance for any assistance.
In addition, per sangamc, I have executed the following commands:
set service "PPTP-47" protocol 47 src-port 2048-2048 dst-port 2048-2048
set service "PPTP-47" + tcp src-port 0-65535 dst-port 1723-1723
set service "PPTP-1723" protocol tcp src-port 0-65535 dst-port 1723-1723
I have enabled those services, as well as the GRE service, on the policy going from untrust to the mapped IP of the internal PPTP server, with no luck. Thank you very much in advance for your help.
In addition, per sangamc, I have executed the following commands:
set service "PPTP-47" protocol 47 src-port 2048-2048 dst-port 2048-2048
set service "PPTP-47" + tcp src-port 0-65535 dst-port 1723-1723
set service "PPTP-1723" protocol tcp src-port 0-65535 dst-port 1723-1723
I have enabled those services, as well as the GRE service, on the policy going from untrust to the mapped IP of the internal PPTP server, with no luck. Thank you very much in advance for your help.
Sanga Collins
are you able to establish a VPN to the server locally?
ASKER
Yes, the server is known good. Works perfectly otherwise, just not through the Juniper. Here is our current config (external ip addresses and policy names are removed for security, replaced with XXXXXX):
unset key protection enable
set clock ntp
set clock timezone -5
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "packet8_outlook_integrat"
set service "packet8_outlook_integrat"
set service "MS-TermServ" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "PPTP-47" protocol 47 src-port 2048-2048 dst-port 2048-2048
set service "PPTP-47" + tcp src-port 0-65535 dst-port 1723-1723
set service "PPTP-1723" protocol tcp src-port 0-65535 dst-port 1723-1723
set alg pptp enable
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "administrator"
set admin password XXXXXXXX
set admin access attempts 5
set admin auth web timeout 0
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin auth banner telnet login XXXXXX
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip XXXXXX/29
set interface ethernet0/0 route
set interface bgroup0 ip XXXXXX/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 manage-ip XXXXXX
unset interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/1 dhcp client enable
unset interface ethernet0/1 dhcp client settings update-dhcpserver
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server enable
set interface bgroup0 dhcp server option lease 2880
set interface bgroup0 dhcp server option gateway 192.168.10.28
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server option dns1 192.168.10.10
set interface bgroup0 dhcp server option wins1 192.168.10.5
set interface bgroup0 dhcp server ip 192.168.10.70 to 192.168.10.150
unset interface bgroup0 dhcp server config next-server-ip
unset interface bgroup0 dhcp server config updatable
set interface "ethernet0/0" mip XXXXXX host 192.168.10.4 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip XXXXXX host 192.168.10.3 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip XXXXXX host 192.168.10.7 netmask 255.255.255.255 vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 0.0.0.0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Trust" "lan" 6.0.0.0 255.255.255.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set l2tp default dns1 1.1.1.1
set l2tp default dns2 1.1.1.2
set l2tp default ppp-auth chap
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 2 name "XXXXXX Policy" from "Untrust" to "Trust" "Any" "MIP(XXXXXX)" "HTTP" permit log
set policy id 2
set service "HTTPS"
set service "MS-TermServ"
set service "PING"
exit
set policy id 3 name "XXXXXX Policy" from "Untrust" to "Trust" "Any" "MIP(XXXXXX)" "GRE" permit log
set policy id 3
set service "IMAP"
set service "MS-TermServ"
set service "PING"
set service "POP3"
set service "PPTP-1723"
set service "PPTP-47"
set service "SMTP"
exit
set policy id 4 name "XXXXXX Policy" from "Untrust" to "Trust" "Any" "Any" "HTTP" permit log
set policy id 4
set service "HTTPS"
set service "MS-TermServ"
set service "PING"
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ntp server "time.apple.com"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway XXXXXX
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
unset key protection enable
set clock ntp
set clock timezone -5
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "packet8_outlook_integrat"
set service "packet8_outlook_integrat"
set service "MS-TermServ" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "PPTP-47" protocol 47 src-port 2048-2048 dst-port 2048-2048
set service "PPTP-47" + tcp src-port 0-65535 dst-port 1723-1723
set service "PPTP-1723" protocol tcp src-port 0-65535 dst-port 1723-1723
set alg pptp enable
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "administrator"
set admin password XXXXXXXX
set admin access attempts 5
set admin auth web timeout 0
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin auth banner telnet login XXXXXX
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip XXXXXX/29
set interface ethernet0/0 route
set interface bgroup0 ip XXXXXX/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 manage-ip XXXXXX
unset interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/1 dhcp client enable
unset interface ethernet0/1 dhcp client settings update-dhcpserver
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server enable
set interface bgroup0 dhcp server option lease 2880
set interface bgroup0 dhcp server option gateway 192.168.10.28
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server option dns1 192.168.10.10
set interface bgroup0 dhcp server option wins1 192.168.10.5
set interface bgroup0 dhcp server ip 192.168.10.70 to 192.168.10.150
unset interface bgroup0 dhcp server config next-server-ip
unset interface bgroup0 dhcp server config updatable
set interface "ethernet0/0" mip XXXXXX host 192.168.10.4 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip XXXXXX host 192.168.10.3 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip XXXXXX host 192.168.10.7 netmask 255.255.255.255 vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 0.0.0.0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Trust" "lan" 6.0.0.0 255.255.255.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set l2tp default dns1 1.1.1.1
set l2tp default dns2 1.1.1.2
set l2tp default ppp-auth chap
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 2 name "XXXXXX Policy" from "Untrust" to "Trust" "Any" "MIP(XXXXXX)" "HTTP" permit log
set policy id 2
set service "HTTPS"
set service "MS-TermServ"
set service "PING"
exit
set policy id 3 name "XXXXXX Policy" from "Untrust" to "Trust" "Any" "MIP(XXXXXX)" "GRE" permit log
set policy id 3
set service "IMAP"
set service "MS-TermServ"
set service "PING"
set service "POP3"
set service "PPTP-1723"
set service "PPTP-47"
set service "SMTP"
exit
set policy id 4 name "XXXXXX Policy" from "Untrust" to "Trust" "Any" "Any" "HTTP" permit log
set policy id 4
set service "HTTPS"
set service "MS-TermServ"
set service "PING"
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ntp server "time.apple.com"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway XXXXXX
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
if you create a policy from 'global' to 'global' and set it to source=all, dest=all, action=deny, logging=on. Then place it at the bottom of the list. it will capture and log all packets that are being dropped by the ssg. you can then look at the logs to see whats happening to your vpn traffic.
ASKER
I did as you instructed, and when I attempt to connect with my local VPN client (which works fine when not going through the Juniper), I see no evidence of traffic from my local IP (68.52.x.x) in the juniper traffic logs. Any ideas?
the last thing i recommend doing is running a debug on the traffic to the VPN. Let me know if you are familiar with the process. if not i will post the steps on how to debug traffic flow on the juniper devices.
ASKER
I'm attempting this command:
set src-ip <ip-address of pc> dst-ip <ip address on internet>
From the CLI, and I'm getting this result:
^---------unknown keyword src-ip
Command string is: set src-ip XX.XX.XX.XX dst-ip XX.XX.XX.XX
Any idea what I"m doing wrong?
set src-ip <ip-address of pc> dst-ip <ip address on internet>
From the CLI, and I'm getting this result:
^---------unknown keyword src-ip
Command string is: set src-ip XX.XX.XX.XX dst-ip XX.XX.XX.XX
Any idea what I"m doing wrong?
LOL, looks like something i posted a few weeks ago with a typo. the correct command is
set ff src-ip <ip> dst-ip <ip>
i had didnt put the 'ff' = flowfilter
set ff src-ip <ip> dst-ip <ip>
i had didnt put the 'ff' = flowfilter
ASKER
I've done what you asked, and filtered from my home IP with a known-good PPTP VPN client to the Mapped IP of PPTP VPN server behind the ssg5. Attached is the log of that. The Mapped IP to the VPN server is the 207.x.x.139 address, my home IP (which is attempting to connect to it) is 68.x.x.206, and the internal IP of the VPN server is 192.x.x.3. Can you determine anything from this?
20110504-newdblog.txt
20110504-newdblog.txt
From the debug you supplied it looks like traffic is definitely reaching the server. i looked at my own vpn setup and can confirm that the right ports are opening. (port 1723)
011-05-04 14:40:14 70.88.37.x:40045 173.9.176.x:1723 70.88.37.93:40045 10.130.10.10:1723 PPTP 2 sec. 1244 956 Close - TCP RST
2011-05-04 14:37:28 70.88.37.x:45829 173.9.176.x:1723 70.88.37.93:45829 10.130.10.10:1723 PPTP 5 sec. 1244 956 Close - TCP RST
Are you able to look at the logs on the server to see if any errors or messages are being generated based on VPn traffic from your public ip address?
from you logs:
ethernet0/0:68.52.93.x/193
---> your public to the server public on port 1723
routed (x_dst_ip 192.168.10.3) from ethernet0/0 (ethernet0/0 in 0) to bgroup0
---> public ip is mapped to internal ip
Permitted by policy 3
----> policy exists to allow traffic
This leads me to believe you juniper config is ok, and the issue may lie elsewhere.
011-05-04 14:40:14 70.88.37.x:40045 173.9.176.x:1723 70.88.37.93:40045 10.130.10.10:1723 PPTP 2 sec. 1244 956 Close - TCP RST
2011-05-04 14:37:28 70.88.37.x:45829 173.9.176.x:1723 70.88.37.93:45829 10.130.10.10:1723 PPTP 5 sec. 1244 956 Close - TCP RST
Are you able to look at the logs on the server to see if any errors or messages are being generated based on VPn traffic from your public ip address?
from you logs:
ethernet0/0:68.52.93.x/193
---> your public to the server public on port 1723
routed (x_dst_ip 192.168.10.3) from ethernet0/0 (ethernet0/0 in 0) to bgroup0
---> public ip is mapped to internal ip
Permitted by policy 3
----> policy exists to allow traffic
This leads me to believe you juniper config is ok, and the issue may lie elsewhere.
ASKER
Ok, thank you as always. I'm acting on your advice and examining the Windows Server 2003 box that was the acting VPN server via Routing and Remote Access. It has two NICs: One routed to a legacy internet connection (that is being depreciated) and one internal NIC (the 192.168.x.3). The VPN server was evidently routed to the old external nic, and needs to be rerouted to the internal NIC so it will respond to the traffic being forwarded from the Juniper.
I just destroyed the old RRAS server connection and attempted to enable VPN on the internal NIC. Once I did that, it broke the internal NIC communication completely, and a user onsite had to manually connect to the console and delete the new RRAS internal NIC server connection. I'm following the walkthrough here:
http://support.microsoft.com/?scid=kb;en-us;323441&x=11&y=3
But, when I completed the last step (right before "How to Configure the VPN Server") on that page, I nor anyone else could connect remotely through any means other than console access.
Do you have any idea how to enable VPN on Windows Server 2003 on an internal NIC without breaking the connection temporarily?
I just destroyed the old RRAS server connection and attempted to enable VPN on the internal NIC. Once I did that, it broke the internal NIC communication completely, and a user onsite had to manually connect to the console and delete the new RRAS internal NIC server connection. I'm following the walkthrough here:
http://support.microsoft.com/?scid=kb;en-us;323441&x=11&y=3
But, when I completed the last step (right before "How to Configure the VPN Server") on that page, I nor anyone else could connect remotely through any means other than console access.
Do you have any idea how to enable VPN on Windows Server 2003 on an internal NIC without breaking the connection temporarily?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.