Solved

Juniper SSG350M accepting Cisco IPSEC vpn connection

Posted on 2014-12-19
Last Modified: 2015-01-23
I have a Juniper SSG350M with firmware 6.3.0r17.0 and am using ScreenOS WebUI.  I need to let someone vpn in from a vpnc version 0.5.3r512 without creating a site to site vpn.  I'm not sure if it is possible to allow a Cisco IPsec vpn connection from a vpnc  client.  I need to allow someone access to a certain port on one of my servers.  Can someone confirm that this can be done and possibly put me in the right direction?  Thanks in advance.
Question by:jdltek
10 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 40509740
Juniper ScreenOS is supported by vpnc, according to https://www.unix-ag.uni-kl.de/~massar/vpnc/.
So it should only be a matter of setting compatible IPSec and IKE parameters on both sides.
 

Author Comment

by:jdltek
ID: 40512082
Wouldn't that be a point to point connection?  I need it to be initiated from the vpnc side.  I was told by the person using the vpnc that they won't setup a site to site connection.
 
LVL 69

Expert Comment

by:Qlemo
ID: 40512136
Why should you think that? vpnc is a client, creating a client-2-site (or dial-in) connection.
 

Author Comment

by:jdltek
ID: 40515001
Sorry, I did not realize it was a client.  I have created a dialup vpn with screenos by following the following article, but it still isn't connecting.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14878
 
LVL 69

Expert Comment

by:Qlemo
ID: 40515138
The config example looks correct.
Any details? The vpnc client telling something? You should have at least an indication how far the connection negotiation is processing.
 

Author Comment

by:jdltek
ID: 40515172
VPN client returned 'vpnc: no response from target '.
 
LVL 69

Expert Comment

by:Qlemo
ID: 40516409
That is indeed not helpful. Did you check the vpnc settings for using the same parameters?
Try to get something more informative from the client, and/or use the debugging features of ScreenOS. That is, on SSG in (telnet) CLI:
set sa-filter public.ip.of.vpnclient
clear dbuf
debug ike info
    now use vpnc, and wait some seconds
undebug all
get dbuf stream


Be prepared to get a lot of log data. We are especially after messages written in all caps, like NO_PROPOSAL_CHOSEN.
 

Author Comment

by:jdltek
ID: 40521799
This is the log file they sent me.    I don't see NO_PROPOSAL_CHOSEN.
comment.txt
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40522003
vpnc is sending 24 (!) proposals, and the SSG might ignore anything beyond the fourth (#3) (or not). If you used the config example provided by Juniper, an appropriate proposal is #6 (the seventh one). Since there is nothing in the protocol other than the initial packet, I assume the proposal is the issue.
Configure the SSG to use this as the first proposal (this is the first sent by vpnc):
  AES 256bit, SHA-1, DH-2 (1024bit)

Again, you will get more details if you start debugging on SSG while vpnc connects.
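As an added illustration of the proposal-ordering problem Qlemo describes (example code written for this page, not from the thread, vpnc or Juniper): it encodes a constructed IKEv1 Phase 1 transform chain whose first entry is AES-256/SHA-1/DH group 2, decodes it the way a responder would, and reports where a given configured proposal lands relative to a window of the first four transforms. The 4-entry window, the PSK authentication attribute and the filler transforms are assumptions, not vpnc's real 24-entry list.

```python
import struct

# IKEv1 Phase 1 attribute types and a few values (RFC 2409 Appendix A).
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_KEYLEN = 1, 2, 3, 4, 14
ENC_NAME, HASH_NAME = {5: "3DES", 7: "AES"}, {1: "MD5", 2: "SHA-1"}

def encode_transform(num, enc, hsh, group, keylen=None, last=False):
    """Build one ISAKMP transform payload with basic (AF=1) attributes, PSK auth."""
    attrs = [(ATTR_ENC, enc), (ATTR_HASH, hsh), (ATTR_AUTH, 1), (ATTR_GROUP, group)]
    if keylen:
        attrs.append((ATTR_KEYLEN, keylen))
    body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)
    # next payload: 3 = another transform follows, 0 = last transform in the proposal
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(body), num, 1, 0) + body

def decode_transforms(data):
    """Walk a transform chain; return (enc, hash, dh_group, key_bits) per transform."""
    out, off = [], 0
    while off < len(data):
        nxt, _, length, _, _, _ = struct.unpack_from("!BBHBBH", data, off)
        attrs, pos, end = {}, off + 8, off + length
        while pos < end:
            t, v = struct.unpack_from("!HH", data, pos)
            if t & 0x8000:                 # basic attribute: 16-bit value inline
                attrs[t & 0x7FFF], pos = v, pos + 4
            else:                          # variable-length attribute: v is its length
                attrs[t], pos = data[pos + 4:pos + 4 + v], pos + 4 + v
        out.append((ENC_NAME.get(attrs.get(ATTR_ENC)), HASH_NAME.get(attrs.get(ATTR_HASH)),
                    attrs.get(ATTR_GROUP), attrs.get(ATTR_KEYLEN)))
        off = end
        if nxt == 0:
            break
    return out

def first_match(offered, configured, window=4):
    """Index of the first offered transform equal to the responder's configured
    proposal, or None if it is missing or sits beyond the first `window` entries."""
    return next((i for i, t in enumerate(offered[:window]) if t == configured), None)

# Constructed client offer (not vpnc's real 24-entry list): entry 0 is the
# AES-256 / SHA-1 / DH group 2 transform named in the accepted answer.
OFFER = [(7, 2, 2, 256), (7, 2, 2, 128), (5, 2, 2, None), (7, 1, 2, 256),
         (7, 2, 1, 256), (5, 1, 1, None), (5, 2, 5, None)]
PACKET = b"".join(encode_transform(i, *t, last=(i == len(OFFER) - 1))
                  for i, t in enumerate(OFFER))

def check(configured, window=4):
    """Where a responder whose first proposal is `configured` would match the offer."""
    return first_match(decode_transforms(PACKET), configured, window)
```

A proposal that only matches at index 6 is found when the window is widened to the full offer, which is the "configure the SSG so its first proposal matches the client's first" fix in practice.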
 

Author Closing Comment

by:jdltek
ID: 40566633
I'm sorry I did not get back to you.  I had them go through their client and make everything match what I had setup.  Thanks again!
