Solved

Juniper SSG350M accepting Cisco IPSEC vpn connection

Posted on 2014-12-19
10
172 Views
Last Modified: 2015-01-23
I have a Juniper SSG350M with firmware 6.3.0r17.0 and am using ScreenOS WebUI.  I need to let someone vpn in from a vpnc version 0.5.3r512 without creating a site to site vpn.  I'm not sure if it is possible to allow a Cisco IPsec vpn connection from a vpnc  client.  I need to allow someone access to a certain port on one of my servers.  Can someone confirm that this can be done and possibly put me in the right direction?  Thanks in advance.
0
Comment
Question by:jdltek
  • 5
  • 5
10 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 40509740
Juniper ScreenOS is supported by vpnc, according to https://www.unix-ag.uni-kl.de/~massar/vpnc/.
So it should only be a matter of setting compatible IPSec and IKE parameters on both sides.
0
 

Author Comment

by:jdltek
ID: 40512082
Wouldn't that be a point to point connection?  I need it to be initiated from the vpnc side.  I was told by the person using the vpnc that they won't setup a site to site connection.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40512136
Why should you think that? vpnc is a client, creating a client-2-site (or dial-in) connection.
0
Register Today - IoT Current and Future Threats

Are you prepared to protect your organization from current and future IoT Threats?  Join our Wi-Fi expert in episode three of our webinar series for a look at the current state of Wi-Fi IoT and what may lie ahead. Register for our live webinar on April 20th at 9 am PDT!

 

Author Comment

by:jdltek
ID: 40515001
Sorry, I did not realize it was a client.  I have created a dialup vpn with screenos by following the following article, but it still isn't connecting.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14878
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40515138
The config example looks correct.
Any details? The vpnc client telling something? You should have at least an indication how far the connection negotiation is processing.
0
 

Author Comment

by:jdltek
ID: 40515172
VPN client returned 'vpnc: no response from target '.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40516409
That is indeed not helpful. Did you check the vpnc settings for using the same parameters?
Try to get something more informative from the client, and/or use the debugging features of ScreenOS. That is, on SSG in (telnet) CLI:
set sa-filter public.ip.of.vpnclient
clear dbuf
debug ike info
    now use vpnc, and wait some seconds
undebug all
get dbuf stream

Open in new window

Be prepared to get a lot of log data. We are especially after messages written in all caps, like NO_PROPOSAL_CHOSEN.
0
 

Author Comment

by:jdltek
ID: 40521799
This is the log file they sent me.    I don't see NO_PROPOSAL_CHOSEN.
comment.txt
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40522003
vpnc is sending 24 (!) proposals, and the SSG might ignore anything beyond the forth (#3) (or not). If you used the config example provided by Juniper, an appropriate proposal is #6 (the seventh one). Since there is nothing in the protocol than the initial packet, I assume the proposal is the issue.
Configure the SSG to use this as the first proposal (this is the first sent by vpnc):
  AES 256bit, SHA-1, DH-2 (1024bit)

Again, you will get more details if you start debugging on SSG while vpnc connects.
0
 

Author Closing Comment

by:jdltek
ID: 40566633
I'm sorry I did not get back to you.  I had them go through their client and make everything match what I had setup.  Thanks again!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5500 Series Site-to-Site Azure 6 115
Routing between two networks? 10 87
Business Broadband for Small Office in Dubai 2 91
IPsec VPN - which encryption? 5 53
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question