aa2k

join:2000-10-06
Damascus, MD


netscreen 5GT and Win 7 Native VPN connection help.

Hi,
Quick question, maybe someone has something like this already working and would like to share the configuration...

I currently have a Juniper netscreen 5GT connected at home and I use the Shrew Soft client to connect to it (VPN) when traveling. It works great, but I wonder if someone here has gotten a Windows 7 native VPN client working to connect to it (either 5GT, SSG5 or SSG20, since they are basically the same) so I don't have to use the Shrew client software.

The setup I have is connecting to the 5GT behind the firewall with a 192.168.1.# IP. I think the problem is that the 5GT is sitting behind the Actiontec (MI424-WR) router, but there should be a way around it, I would think:

Internet --> Fios/Actiontec --> 5GT (local IP on Untrust port)

So I am forwarding the ports (IPSec/ESP/HA,1701 and 4500 UDP) from the Actiontec to the 5GT (same ports/protocols work great when connecting with ShrewSoft software).

I have tried different combinations I found on the net with no success... I also followed step by step the KB from Juniper (but creating my own signed certificates; it would be nice to be able to do this without the need for certificates, but I have not found anything on the web), combining the WinXP and Win7 configs as mentioned here:
»kb.juniper.net/InfoCenter/index?···=KB16075

I got tired and frustrated with this and dumped the config/idea a while back. I am thinking of revisiting this idea again... it would be nice to have it working this way too... hoping someone has finally made it work.

Anyone with this setup??

This is the config I used just in case...

unset key protection enable
set clock ntp
set clock timezone -5
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "phxxxm"
set admin password "nIrXPWxxxIMCcC4MjsVPDsOtcCIDjn"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
unset zone "V1-Trust" tcp-rst 
unset zone "V1-Untrust" tcp-rst 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.2.91/24
set interface trust nat
set interface untrust ip 192.168.1.91/24
set interface untrust nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage ssl
set interface untrust manage web
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set dbuf usb filesize 0
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn country-name "US"
set pki x509 dn state-name "MD"
set pki x509 dn org-name "Home Inc."
set pki x509 dn name "Home Firewall"
set pki x509 cert-fqdn gxxxxx.dyndns.biz
set dns host dns1 4.2.2.1
set dns host dns2 4.2.2.2
set dns host dns3 0.0.0.0
set ippool "L2TP_pool" 192.168.2.100 192.168.2.120
set user "axxxxn" uid 1
set user "axxxxn" ike-id asn1-dn wildcard "CN=gxxxxx.dyndns.biz,OU=Home,O=,L=,ST=Maryland,C=US,Email=,DC=," share-limit 1
set user "axxxxn" type ike l2tp
set user "axxxxn" password "1+GPayxxxx0G6usjQHCTZ62I4hnumwe0Zg=="
unset user "axxxxn" type auth
set user "axxxxn" "enable"
set crypto-policy
exit
set ike p2-proposal "nopfs-esp-3des-sha-windows7" no-pfs esp 3des sha-1 second 3600 kbyte 250000
set ike p2-proposal "nopfs-esp-aes128-sha-windows7" no-pfs esp aes128 sha-1 second 3600 kbyte 250000
set ike gateway "WinVPN_gateway" dialup "axxxxn" Main outgoing-interface "untrust" proposal "rsa-g2-des-md5" "rsa-g2-3des-md5" "rsa-g2-des-sha" "rsa-g2-3des-sha"
set ike gateway "WinVPN_gateway" cert peer-ca all
unset ike gateway "WinVPN_gateway" nat-traversal udp-checksum
set ike gateway "WinVPN_gateway" nat-traversal keepalive-frequency 5
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "WinVPN-vpn" gateway "WinVPN_gateway" no-replay transport idletime 0 proposal "nopfs-esp-3des-sha-windows7"  "nopfs-esp-aes128-sha-windows7"  "nopfs-esp-des-sha"  "nopfs-esp-des-md5" 
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set l2tp default ippool "L2TP_pool"
set l2tp "WinVPN_l2tp" id 1 outgoing-interface trust keepalive 60
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit 
set policy id 2
set log session-init
exit
set nsmgmt report alarm traffic enable
set nsmgmt report alarm attack enable
set nsmgmt report alarm other enable
set nsmgmt report alarm di enable
set nsmgmt report log config enable
set nsmgmt report log info enable
set nsmgmt report log self enable
set nsmgmt report log traffic enable
set nsmgmt init id CB3C3FA39F3BA08FA0649ADDF9EFC69D6115E1A400
set nsmgmt server primary 192.168.1.215 port 7800
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt hb-interval 20
set nsmgmt hb-threshold 5
set nsmgmt enable
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ntp server "192.168.1.36"
set ntp max-adjustment 10
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface untrust gateway 192.168.1.1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
 
 

HELLFIRE
Premium
join:2009-11-25
kudos:18
said by aa2k:

but I wonder if someone here has gotten a Windows 7 native VPN client working to connect to it (either 5GT,SSG5 or SSG20 since they are basically the same)

By "Windows 7 native VPN client," I presume you are referring to Windows PPTP VPN? If so,

a) it's a completely different set of ports than traditional IPSec -- protocol 47 and TCP 1723

b) PPTP VPN is also a lot less secure than IPSec -- see here and here

c) IIRC netscreen can pass the PPTP VPN ports back to a host on the Trust side but doesn't do PPTP VPN natively.

What is your ultimate aim, just out of curiosity?

Regards


aa2k

join:2000-10-06
Damascus, MD
Hi,
Actually, I am trying to do L2TP over IPsec (using UDP port 1701, UDP port 500, and IP Protocol 50) see here:
»kb.juniper.net/InfoCenter/index?···d=KB4044

PPTP would be if I wanted to terminate Windows 7 to a Windows server, but I am trying a native connection from Windows 7 to the Juniper, and PPTP does not work in that case. I have used 1723 and GRE (47) before when terminating it on a Win2k3 server - I agree that PPTP is less secure.

As I mentioned, I already have it running IPSec using the Shrew software and it works great; I am actually in the process of transferring the config to an SSG5 now. Sometimes I am out without my laptop on hand and I get my hands on a loaner PC from a friend and I need to connect remotely; it's a lot easier to just do a quick connect using Windows 7 native than installing the full client software.. just as a personal goal to do it this way.. just a challenge..

I have read in some posts on the web that a couple of people have achieved this, but they never seem to explain what they did exactly... the posts are usually old, so there is no follow-up...

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to aa2k
Okay, that clarifies things greatly aa2k.

I have to admit I'm at a loss with L2TP. Checking my own reference material, I don't have a usable config or guide,
and only a very vague statement: "L2TP-over-IPSec requires two things: IPSec and L2TP tunnels to be set up with the same
endpoints and then linked together in a policy, and the IPSec tunnel must be in transport mode."

From a practical side, keep the Shrew Soft client software on a flash disk in case you do have to use a loaner.

Sorry I couldn't be of more help.

Regards
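Added example, not code from any poster in this thread: a small Python script that does a hardening review of a ScreenOS configuration dump like the one aa2k posted, and also reports VPN objects that no policy references, which is the "linked together in a policy" requirement HELLFIRE quotes above. The SAMPLE_CONFIG inside is a constructed excerpt modelled on the posted lines (not the full dump); the rule names, severities and the Finding class are my own.

```python
"""Static review of a ScreenOS configuration dump for common VPN/firewall hardening gaps."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt modelled on the configuration posted in this thread (not the full dump).
SAMPLE_CONFIG = """\
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface untrust ip 192.168.1.91/24
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage ssl
set interface untrust manage web
set interface trust manage web
set ike p2-proposal "nopfs-esp-3des-sha-windows7" no-pfs esp 3des sha-1 second 3600 kbyte 250000
set ike gateway "WinVPN_gateway" dialup "axxxxn" Main outgoing-interface "untrust" proposal "rsa-g2-des-md5" "rsa-g2-3des-md5" "rsa-g2-des-sha" "rsa-g2-3des-sha"
set ike gateway "WinVPN_gateway" nat-traversal keepalive-frequency 5
set vpn "WinVPN-vpn" gateway "WinVPN_gateway" no-replay transport idletime 0 proposal "nopfs-esp-3des-sha-windows7" "nopfs-esp-aes128-sha-windows7" "nopfs-esp-des-sha" "nopfs-esp-des-md5"
set l2tp "WinVPN_l2tp" id 1 outgoing-interface trust keepalive 60
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    detail: str


ZONE_RE = re.compile(r'^set interface "?([\w./-]+)"? zone "([^"]+)"$')
MANAGE_RE = re.compile(r'^set interface "?([\w./-]+)"? manage (ssh|ssl|web|telnet|snmp)$')
NOPFS_RE = re.compile(r'^set ike p2-proposal "([^"]+)" no-pfs\b')
VPN_DEF_RE = re.compile(r'^set vpn "([^"]+)" gateway "([^"]+)"')
TUNNEL_REF_RE = re.compile(r'^set policy .*\btunnel vpn "([^"]+)"')
PROPOSALS_RE = re.compile(r'\bproposal((?:\s+"[^"]+")+)')
QUOTED_RE = re.compile(r'"([^"]+)"')
# Single DES (the lookbehind excludes "3des") or MD5 anywhere in a proposal name.
WEAK_ALG_RE = re.compile(r'(?<![0-9a-z])des(?![0-9a-z])|md5', re.I)
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"'
    r'\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+permit\b(.*)$'
)


def review_config(text: str) -> list[Finding]:
    """Return one Finding per hardening issue found in a ScreenOS config dump."""
    findings: list[Finding] = []
    zone_of: dict[str, str] = {}
    vpn_defs: dict[str, int] = {}   # vpn name -> line where it is defined
    referenced: set[str] = set()    # vpn names used by a "tunnel vpn" policy
    lines = [ln.strip() for ln in text.splitlines()]
    # First pass: learn which interface sits in which zone.
    for ln in lines:
        m = ZONE_RE.match(ln)
        if m:
            zone_of[m.group(1).lower()] = m.group(2).lower()
    for no, ln in enumerate(lines, start=1):
        m = MANAGE_RE.match(ln)
        if m and zone_of.get(m.group(1).lower(), "").startswith("untrust"):
            findings.append(Finding("mgmt-on-untrust", "high", no,
                f"{m.group(2)} management enabled on interface {m.group(1)} (Untrust zone)"))
            continue
        m = NOPFS_RE.match(ln)
        if m:
            findings.append(Finding("no-pfs", "low", no,
                f"phase-2 proposal {m.group(1)} has PFS disabled"))
            continue
        if ln.startswith("set ike gateway ") or ln.startswith("set vpn "):
            m = VPN_DEF_RE.match(ln)
            if m:
                vpn_defs.setdefault(m.group(1), no)
            if re.search(r"\bno-replay\b", ln):
                findings.append(Finding("no-replay", "medium", no,
                    "anti-replay protection disabled on VPN"))
            m = PROPOSALS_RE.search(ln)
            if m:
                for name in QUOTED_RE.findall(m.group(1)):
                    if WEAK_ALG_RE.search(name):
                        findings.append(Finding("weak-proposal", "medium", no,
                            f"proposal {name} offers single DES and/or MD5"))
            continue
        m = TUNNEL_REF_RE.match(ln)
        if m:
            referenced.add(m.group(1))
            continue
        m = POLICY_RE.match(ln)
        if m:
            pid, src_zone, dst_zone, src, dst, svc, rest = m.groups()
            if src_zone.lower().startswith("untrust") and (src, dst, svc) == ("Any", "Any", "ANY"):
                findings.append(Finding("open-inbound-policy", "high", no,
                    f"policy {pid} permits any/any/ANY from {src_zone} to {dst_zone}"))
            if "log" not in rest.split():
                findings.append(Finding("unlogged-permit", "medium", no,
                    f"permit policy {pid} does not log sessions"))
    for name, no in vpn_defs.items():
        if name not in referenced:
            findings.append(Finding("vpn-not-in-policy", "info", no,
                f"vpn {name} is not referenced by any tunnel policy"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick overview."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in review_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] line {f.line_no:>3} {f.rule}: {f.detail}")
    print(summarize(review_config(SAMPLE_CONFIG)))
```

Run it against a full `get config` dump by reading the file into `review_config`. On the sample it flags the management services bound to the Untrust interface, the inbound any/any/ANY permit with no logging, the single-DES/MD5 proposals offered on the gateway and VPN, the disabled anti-replay check, and the fact that the VPN object is never tied to a policy.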


Da Geek Kid

join:2003-10-11
::1
kudos:1

reply to aa2k
have you not seen this: »kb.juniper.net/InfoCenter/index?···d=KB4094

it seems pretty straight forward...

also, I thought L2TP over IPsec does not work with NAT or may have issues... anyway, »www.ivpn.net/knowledgebase/62/PP···VPN.html


aa2k

join:2000-10-06
Damascus, MD
Thanks for the links, very interesting info.. I appreciate it.

Yes, L2TP can be done with NAT (if achieved), but with some issues even to get it up; not impossible, and that is the difficulty I am facing.. not critical, just that I would like to be able to do it; it would be nice if I could.

Thanks!