Solved

Juniper SSG350M accepting Cisco IPSEC vpn connection

Posted on 2014-12-19
Last Modified: 2015-01-23
I have a Juniper SSG350M with firmware 6.3.0r17.0 and am using ScreenOS WebUI.  I need to let someone vpn in from a vpnc version 0.5.3r512 without creating a site to site vpn.  I'm not sure if it is possible to allow a Cisco IPsec vpn connection from a vpnc client.  I need to allow someone access to a certain port on one of my servers.  Can someone confirm that this can be done and possibly put me in the right direction?  Thanks in advance.
Question by:jdltek
10 Comments
 
LVL 71

Expert Comment

by:Qlemo
ID: 40509740
Juniper ScreenOS is supported by vpnc, according to https://www.unix-ag.uni-kl.de/~massar/vpnc/.
So it should only be a matter of setting compatible IPSec and IKE parameters on both sides.
0
 

Author Comment

by:jdltek
ID: 40512082
Wouldn't that be a point to point connection?  I need it to be initiated from the vpnc side.  I was told by the person using the vpnc that they won't set up a site to site connection.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 40512136
Why should you think that? vpnc is a client, creating a client-2-site (or dial-in) connection.
0
 

Author Comment

by:jdltek
ID: 40515001
Sorry, I did not realize it was a client.  I have created a dialup vpn with screenos by following the following article, but it still isn't connecting.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14878
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 40515138
The config example looks correct.
Any details? The vpnc client telling something? You should have at least an indication how far the connection negotiation is processing.
0
 

Author Comment

by:jdltek
ID: 40515172
VPN client returned 'vpnc: no response from target '.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 40516409
That is indeed not helpful. Did you check the vpnc settings for using the same parameters?
Try to get something more informative from the client, and/or use the debugging features of ScreenOS. That is, on SSG in (telnet) CLI:
set sa-filter public.ip.of.vpnclient
clear dbuf
debug ike info
    now use vpnc, and wait some seconds
undebug all
get dbuf stream

Be prepared to get a lot of log data. We are especially after messages written in all caps, like NO_PROPOSAL_CHOSEN.
0
 

Author Comment

by:jdltek
ID: 40521799
This is the log file they sent me.    I don't see NO_PROPOSAL_CHOSEN.
comment.txt
0
 
LVL 71

Accepted Solution

by:Qlemo (earned 2000 total points)
ID: 40522003
vpnc is sending 24 (!) proposals, and the SSG might ignore anything beyond the fourth (#3) (or not). If you used the config example provided by Juniper, an appropriate proposal is #6 (the seventh one). Since there is nothing in the protocol other than the initial packet, I assume the proposal is the issue.
Configure the SSG to use this as the first proposal (this is the first sent by vpnc):
  AES 256bit, SHA-1, DH-2 (1024bit)

Again, you will get more details if you start debugging on SSG while vpnc connects.
0
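The two points raised in this thread (the SSG answering only a limited prefix of the client's long proposal list, and scanning a `debug ike` dump for all-caps notifications such as NO_PROPOSAL_CHOSEN) can be illustrated with a small model. The following Python is an added example and is not code from the thread, from Juniper or from the vpnc project; the client proposal list, the gateway's "before" and "after" phase-1 configurations and the sample debug lines are all constructed for illustration, and the cut-off of four proposals is an assumption taken from the comment above, not documented ScreenOS behaviour.

```python
"""Model IKE phase-1 proposal selection and scan IKE debug output for notifications.

Added example (not from the thread, Juniper or vpnc). All data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256", "aes128", "3des"
    hash_alg: str     # e.g. "sha1", "md5"
    dh_group: int     # Diffie-Hellman group number, e.g. 2 (1024-bit)


# Constructed, shortened stand-in for the long list a vpnc-style client sends.
# The thread states the client's first proposal is AES-256 / SHA-1 / DH group 2.
CLIENT_PROPOSALS: List[Proposal] = [
    Proposal("aes256", "sha1", 2),
    Proposal("aes256", "md5", 2),
    Proposal("aes128", "sha1", 2),
    Proposal("aes128", "md5", 2),
    Proposal("3des", "sha1", 2),
    Proposal("3des", "md5", 2),
    Proposal("aes256", "sha1", 5),
    Proposal("3des", "sha1", 5),
]

# Hypothetical gateway phase-1 proposal lists: "before" accepts only 3DES/SHA-1/DH2,
# which sits at offered index 4; "after" puts the client's first proposal first.
ORIGINAL_GATEWAY_P1: List[Proposal] = [Proposal("3des", "sha1", 2)]
FIXED_GATEWAY_P1: List[Proposal] = [Proposal("aes256", "sha1", 2), Proposal("3des", "sha1", 2)]


def select_proposal(offered: Sequence[Proposal], configured: Sequence[Proposal],
                    max_considered: Optional[int] = None) -> Optional[Tuple[int, Proposal]]:
    """Responder-side selection: walk the offered list in order, optionally only its
    first `max_considered` entries, and return (index, proposal) of the first one the
    gateway is configured to accept, or None when nothing matches."""
    window = list(offered) if max_considered is None else list(offered)[:max_considered]
    accepted = set(configured)
    for index, proposal in enumerate(window):
        if proposal in accepted:
            return index, proposal
    return None


def diagnose(offered: Sequence[Proposal], configured: Sequence[Proposal],
             max_considered: Optional[int] = None) -> str:
    """Human-readable verdict, using the IKE notification name a responder would send."""
    result = select_proposal(offered, configured, max_considered)
    if result is None:
        return "NO_PROPOSAL_CHOSEN"
    index, p = result
    return f"matched offered proposal #{index}: {p.encryption}/{p.hash_alg}/dh{p.dh_group}"


# All-caps, underscore-joined tokens are how IKE notification names appear in the dump.
NOTIFY_RE = re.compile(r"\b[A-Z]+(?:_[A-Z]+)+\b")


def find_notify_names(lines: Sequence[str]) -> List[str]:
    """Return the sorted set of IKE notification-style names found in debug output."""
    found = set()
    for line in lines:
        found.update(NOTIFY_RE.findall(line))
    return sorted(found)


# Constructed sample lines in the spirit of a `get dbuf stream` dump; not real output.
SAMPLE_DEBUG_LINES: List[str] = [
    "## 2014-12-22 10:01:03 : IKE<198.51.100.7> ****** Recv packet if <ethernet0/0> of vsys <Root> ******",
    "## 2014-12-22 10:01:03 : IKE<198.51.100.7> Phase 1: Responder starts AGGRESSIVE mode negotiations.",
    "## 2014-12-22 10:01:03 : IKE<198.51.100.7> Phase 1: No proposal matched the configured P1 proposals.",
    "## 2014-12-22 10:01:03 : IKE<198.51.100.7> Send NO_PROPOSAL_CHOSEN notification to peer.",
]


if __name__ == "__main__":
    print("before, all proposals considered :", diagnose(CLIENT_PROPOSALS, ORIGINAL_GATEWAY_P1))
    print("before, only first 4 considered  :", diagnose(CLIENT_PROPOSALS, ORIGINAL_GATEWAY_P1, 4))
    print("after,  only first 4 considered  :", diagnose(CLIENT_PROPOSALS, FIXED_GATEWAY_P1, 4))
    print("notifications in sample dump     :", find_notify_names(SAMPLE_DEBUG_LINES))
```

The "before" configuration only matches if the gateway reads far enough into the client's list; once the accepted proposal is moved to the front, the match lands at index 0 regardless of any cut-off, which is the change the accepted answer recommends. The `find_notify_names` scan is the quick filter for the "messages written in all caps" the debugging comment asks for.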
 

Author Closing Comment

by:jdltek
ID: 40566633
I'm sorry I did not get back to you.  I had them go through their client and make everything match what I had setup.  Thanks again!
0