[Openswan Users] openswan to netscreen
Daren Hickman
DarenHickman at ruggedcom.com
Wed Apr 5 17:12:56 CEST 2006
I am trying to establish a PSK VPN to a netscreen 5xt using OS5 and openswan 2.2.0. I have created a tunnel between the two devices and established a phase 2 SA, but I can only ping from the openswan side to the netscreen subnet, not from the netscreen side to the openswan subnet. I have searched the archives and cannot find any configs that work (Paul, I bought your book). My configuration is below. Any ideas?
host 192.168.200.114 -- 192.168.200.1 netscreen 2.2.2.1 == 1.1.1.1 openswan 192.168.100.34 -- host 192.168.100.33
# Openswan end of the site-to-site PSK tunnel to the NetScreen 5XT.
# On the NetScreen this is gateway "router" (address 1.1.1.1) and VPN "vpn"
# with proxy-id local 192.168.200.0/24 / remote 192.168.100.0/24; the ids and
# subnets below have to mirror that exactly or phase 2 will not match.
conn netscreen
# give up after three phase-1 attempts instead of retrying forever
keyingtries=3
# perfect forward secrecy for phase 2; the NetScreen "vpn" proposals are all
# g2-* (DH group 2), so both ends must agree on PFS and the group -- confirm
pfs=yes
# IPsec (phase-2) SA lifetime in seconds; the NetScreen p2 proposals use "hour 1"
keylife=3600
# pre-shared key authentication; the key itself belongs in ipsec.secrets, not here
authby=secret
# load the conn at startup but do not initiate it; this end only responds
# unless the tunnel is brought up by hand
auto=add
# phase-2 ciphers offered; the NetScreen "vpn" lists aes128-sha, 3des-md5 and
# aes128-md5, so at least one cipher/integrity combination has to overlap -- verify
esp=3des,aes
# use the address of the default-route interface as our tunnel endpoint
left=%defaultroute
# IKE identity we present; must equal the address the NetScreen gateway "router" expects
leftid=1.1.1.1
# our protected subnet (the NetScreen proxy-id remote-ip)
leftsubnet=192.168.100.0/24
# the NetScreen untrust address
right=2.2.2.1
# the NetScreen protected subnet (the NetScreen proxy-id local-ip)
rightsubnet=192.168.200.0/24
set clock timezone -5
set vrouter trust-vr sharable
set vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp
set auth default auth server "Local"
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 0
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ip-spoofing
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Untrust" screen ip-sweep threshold 30000
set zone "V1-Untrust" screen ip-sweep threshold 30000
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "tunnel.1" zone "Trust"
unset interface vlan1 ip
set interface trust ip 192.168.200.1/24
set interface trust nat
set interface untrust ip 2.2.2.1/24
set interface untrust route
set interface tunnel.1 ip unnumbered interface untrust
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface untrust manage-ip 2.2.2.3
set interface trust ip manageable
set interface untrust ip manageable
unset interface trust manage snmp
unset interface trust manage ssl
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage telnet
set interface untrust manage web
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option lease 1440000
set interface trust dhcp server option gateway 192.168.200.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option dns1 205.152.144.23
set interface trust dhcp server option dns2 205.152.132.23
set interface trust dhcp server ip 192.168.200.100 to 192.168.200.199
set flow tcp-mss 1392
set domain test
set hostname NS5XT
set webauth banner success "Remote Management Console"
set dns host dns1 205.152.144.23
set dns host dns2 205.152.132.23
set dns host schedule 00:00
set address "Trust" "192.168.200.0/24" 192.168.200.0 255.255.255.0
set address "Trust" "192.168.200.114/32" 192.168.200.114 255.255.255.255
set address "Trust" "_192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Trust" "_192.168.4.0/24" 192.168.4.0 255.255.255.0
set address "Trust" "local lan" 192.168.200.0 255.255.255.0
set address "Untrust" "192.168.100.0/24" 192.168.100.0 255.255.255.0
set user "joe" uid 3
set user "joe" ike-id u-fqdn "joegould at bellsouth.net" share-limit 1
set user "joe" type ike
set user "joe" "enable"
set ike p1-proposal "dial-up vpn:*g2-3des-sha" preshare group2 esp 3des sha-1 hour 8
set ike p1-proposal "dial up vpn:*g2-3des-sha" preshare group2 esp 3des sha-1 hour 8
set ike p2-proposal "dial up vpn:*esp-3des-sha" no-pfs esp 3des sha-1 hour 1
set ike gateway "router" address 1.1.1.1 Main outgoing-interface "untrust" preshare "9s5fam3BN7B0VlsAxHC53oEh6Wn7UrtXNg==" proposal "pre-g2-3des-sha" "pre-g2-aes128-sha"
set ike respond-bad-spi 1
set vpn "vpn" gateway "router" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha" "g2-esp-3des-md5" "g2-esp-aes128-md5"
set vpn "vpn" monitor source-interface trust destination-ip 192.168.100.33
set vpn-group id 1
set vpn-group id 2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set group address "Trust" "internal lan"
set group address "Trust" "internal lan" add "_192.168.1.0/24"
set group address "Trust" "internal lan" add "_192.168.4.0/24"
set policy id 1 from "Trust" to "Untrust" "192.168.200.0/24" "192.168.100.0/24" "ANY" tunnel vpn "vpn" id 1 pair-policy 2 log
set policy id 3 name "test" from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 3 disable
set policy id 2 from "Untrust" to "Trust" "192.168.100.0/24" "192.168.200.0/24" "ANY" tunnel vpn "vpn" id 1 pair-policy 1 log
set policy id 4 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 4 disable
set vpn "vpn" proxy-id local-ip 192.168.200.0/24 remote-ip 192.168.100.0/24 "ANY"
set pppoe name "untrust"
set pppoe name "untrust" username "joegould at bellsouth.net" password "rmudMbB2NxSexdsCNyCetogrD/no6frU+A=="
set pppoe name "untrust" idle 0
unset pppoe name "untrust" update-dhcpserver
set pppoe name "untrust" ppp lcp-echo-retries 5
set pppoe name "untrust" auto-connect 10
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp name "NS5XT"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set max-routes 1024
exit
set vrouter "trust-vr"
set max-routes 1024
set preference ebgp 250
set preference ibgp 40
unset add-default-route
set route 1.1.1.0/24 interface untrust gateway 2.2.2.2
exit