Solved

Juniper SSG350M accepting Cisco IPSEC vpn connection

Posted on 2014-12-19
10
167 Views
Last Modified: 2015-01-23
I have a Juniper SSG350M with firmware 6.3.0r17.0 and am using ScreenOS WebUI.  I need to let someone vpn in from a vpnc version 0.5.3r512 without creating a site to site vpn.  I'm not sure if it is possible to allow a Cisco IPsec vpn connection from a vpnc  client.  I need to allow someone access to a certain port on one of my servers.  Can someone confirm that this can be done and possibly put me in the right direction?  Thanks in advance.
0
Comment
Question by:jdltek
  • 5
  • 5
10 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 40509740
Juniper ScreenOS is supported by vpnc, according to https://www.unix-ag.uni-kl.de/~massar/vpnc/.
So it should only be a matter of setting compatible IPSec and IKE parameters on both sides.
0
 

Author Comment

by:jdltek
ID: 40512082
Wouldn't that be a point to point connection?  I need it to be initiated from the vpnc side.  I was told by the person using the vpnc that they won't setup a site to site connection.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40512136
Why should you think that? vpnc is a client, creating a client-2-site (or dial-in) connection.
0
 

Author Comment

by:jdltek
ID: 40515001
Sorry, I did not realize it was a client.  I have created a dialup vpn with screenos by following the following article, but it still isn't connecting.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14878
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40515138
The config example looks correct.
Any details? The vpnc client telling something? You should have at least an indication how far the connection negotiation is processing.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 

Author Comment

by:jdltek
ID: 40515172
VPN client returned 'vpnc: no response from target '.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40516409
That is indeed not helpful. Did you check the vpnc settings for using the same parameters?
Try to get something more informative from the client, and/or use the debugging features of ScreenOS. That is, on SSG in (telnet) CLI:
set sa-filter public.ip.of.vpnclient
clear dbuf
debug ike info
    now use vpnc, and wait some seconds
undebug all
get dbuf stream

Open in new window

Be prepared to get a lot of log data. We are especially after messages written in all caps, like NO_PROPOSAL_CHOSEN.
0
 

Author Comment

by:jdltek
ID: 40521799
This is the log file they sent me.    I don't see NO_PROPOSAL_CHOSEN.
comment.txt
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40522003
vpnc is sending 24 (!) proposals, and the SSG might ignore anything beyond the forth (#3) (or not). If you used the config example provided by Juniper, an appropriate proposal is #6 (the seventh one). Since there is nothing in the protocol than the initial packet, I assume the proposal is the issue.
Configure the SSG to use this as the first proposal (this is the first sent by vpnc):
  AES 256bit, SHA-1, DH-2 (1024bit)

Again, you will get more details if you start debugging on SSG while vpnc connects.
0
 

Author Closing Comment

by:jdltek
ID: 40566633
I'm sorry I did not get back to you.  I had them go through their client and make everything match what I had setup.  Thanks again!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
I designed this idea while studying technology in the classroom.  This is a semester long project.  Students are asked to take photographs on a specific topic which they find meaningful, it can be a place or situation such as travel or homelessness.…

947 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now