[Openswan Users] Juniper/Netscreen-5GT to OpenSwan IPSec VPN Tunnel

Greg Michaels greg.michaels at vyatta.com
Tue Jan 30 18:09:54 EST 2007


OpenSwan Details:

 

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth7
10.6.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth2
10.6.0.0        192.168.1.1     255.255.255.0   UG        0 0          0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth2

conn peer-192.168.1.1-tunnel-1
        left=192.168.1.10
        right=192.168.1.1
        type=tunnel
        authby=secret
        leftsubnet=10.0.0.0/24
        rightsubnet=10.6.0.0/24
        ike=3des-md5-modp1024
        esp=3des-md5
        auto=start

+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.6/K2.6.19 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Netscreen Details:

VPN Name  SA ID     Policy ID  Peer Gateway IP  Type     SA Status  Link
OFR       00000001  -1/-1      192.168.1.10     AutoIKE  Active     Down

Netscreen Logs:

2007-01-30 15:54:16     info       IKE<192.168.1.10> Phase 2 msg ID <19213d78>: Completed negotiations with SPI <9351c5c3>, tunnel ID <1>, and lifetime <3600> seconds/<0> KB.
2007-01-30 15:54:16     info       IKE<192.168.1.10> Phase 2 msg ID <19213d78>: Responded to the peer's first message.
2007-01-30 15:54:15     info       IKE<192.168.1.10> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2007-01-30 15:54:15     info       IKE<192.168.1.10> Phase 1: Responder starts MAIN mode negotiations.
2007-01-30 15:54:10     info       Rapid Deployment cannot start because gateway has undergone configuration changes.
2007-01-30 15:54:10     notif      System was reset at 2007-01-26 17:25:10 by netscreen
2007-01-30 15:54:10     notif      System is operational.
2007-01-30 15:54:04     notif      The physical state of interface untrust has changed to Up.
2007-01-30 15:54:04     notif      The physical state of interface trust has changed to Up.

Netscreen Config:

get config
Total Config size 3514:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "tunnel.1" zone "Trust"
unset interface vlan1 ip
set interface trust ip 192.168.1.1/24
set interface trust route
set interface untrust ip 10.6.0.3/24
set interface untrust route
set interface tunnel.1 ip unnumbered interface trust
set interface untrust gateway 10.6.0.1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface trust manage mtrace
set flow tcp-mss
unset flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ike gateway "OFR" address 192.168.1.10 Main outgoing-interface "trust" preshare "Q6pubUs7NGKf+3sa2sCVFzDMDgn4Wofw0A==" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-md5" "pre-g2-aes128-sha"
set ike gateway "OFR" cert peer-ca all
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "OFR" gateway "OFR" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"  "g2-esp-3des-sha"  "g2-esp-aes128-md5" "g2-esp-aes128-sha"
set vpn "OFR" monitor
set vpn "OFR" id 1 bind interface tunnel.1
set url protocol websense
exit
set vpn "OFR" proxy-id local-ip 10.6.0.0/24 remote-ip 10.0.0.0/24 "ANY"
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 2
exit
set monitor cpu 100
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
ns5gt->

_____

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Greg Michaels
Sent: Tuesday, January 30, 2007 1:28 PM
To: users at openswan.org
Subject: [Openswan Users] Juniper/Netscreen-5GT to OpenSwan IPSec VPN Tunnel

I am looking for a working configuration from Juniper/Netscreen to
OpenSwan using Netkey, or someone who can assist me with my current
configuration. I am posting my configuration for both boxes along with the
latest logs.

I have configured both ends and believe I have passed the initial exchange
for Phase I and also exchanged the Phase II negotiations for SPI, Tunnel
ID and lifetime. I believe that my issue lies in the Phase II custom
Proposals not negotiating?

Netscreen/Juniper-5GT to OpenSwan:

Untrusted                     Trusted Tunnel
10.6.0.0/24                   192.168.1.0/24           10.0.0.0/24
            _________                              ________
10.6.0.3|---|Netscreen|.1-------------------.10|OpenSwan|---|10.0.0.233/24

Notes: Untrusted is really also Trusted because I have the firewall open
for testing
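As an added check, not code from the post, from Openswan or from Juniper: the script below parses the Openswan conn block and the relevant lines of the ScreenOS get config output quoted above and compares Phase 1 and Phase 2 proposals, peer addresses and proxy IDs, the four things that have to agree before a tunnel can pass traffic. The mapping from Openswan algorithm strings to ScreenOS proposal names (pre-g2-3des-md5, g2-esp-3des-md5, nopfs-esp-...) is an assumption that covers the ciphers used here, and the preshared key is replaced by a placeholder. For the fragments in this post the check reports no mismatch, which is consistent with the Netscreen log showing Phase 2 completing.

```python
"""Cross-check an Openswan 'conn' block against a ScreenOS VPN config.

Added example, not code from the post, Openswan or Juniper. The mapping from
Openswan algorithm strings to ScreenOS proposal names is an assumption that
covers the ciphers used in the post."""
import shlex

# Openswan DH group token -> ScreenOS group tag (assumed mapping)
DH_GROUPS = {"modp768": "g1", "modp1024": "g2", "modp1536": "g5"}

# Both fragments are copied from the post; the preshared key is a placeholder.
OPENSWAN_CONN = """\
conn peer-192.168.1.1-tunnel-1
        left=192.168.1.10
        right=192.168.1.1
        type=tunnel
        authby=secret
        leftsubnet=10.0.0.0/24
        rightsubnet=10.6.0.0/24
        ike=3des-md5-modp1024
        esp=3des-md5
        auto=start
"""

NETSCREEN_CFG = """\
set interface trust ip 192.168.1.1/24
set ike gateway "OFR" address 192.168.1.10 Main outgoing-interface "trust" preshare "<PRESHARE-REDACTED>" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-md5" "pre-g2-aes128-sha"
set ike gateway "OFR" cert peer-ca all
set vpn "OFR" gateway "OFR" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"  "g2-esp-3des-sha"  "g2-esp-aes128-md5" "g2-esp-aes128-sha"
set vpn "OFR" proxy-id local-ip 10.6.0.0/24 remote-ip 10.0.0.0/24 "ANY"
"""

def after(tokens, key):
    """Token following `key`, or None when the keyword is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens else None

def parse_openswan_conn(text):
    """Return the key=value settings of one ipsec.conf 'conn' block as a dict."""
    conn = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            conn[key.strip()] = value.strip()
    return conn

def parse_netscreen(text):
    """Pull IKE gateway, VPN proposals, proxy ID and interface IPs from 'get config' output."""
    ns = {"if_ip": {}, "ike_proposals": [], "esp_proposals": []}
    for line in text.splitlines():
        t = shlex.split(line)
        if len(t) < 4 or t[0] != "set":
            continue
        if t[1:3] == ["ike", "gateway"] and "address" in t:
            ns["peer"] = after(t, "address")
            ns["outgoing"] = after(t, "outgoing-interface")
            ns["ike_proposals"] = t[t.index("proposal") + 1:]
        elif t[1] == "vpn" and "proposal" in t:
            ns["esp_proposals"] = t[t.index("proposal") + 1:]
        elif t[1] == "vpn" and "proxy-id" in t:
            ns["local"] = after(t, "local-ip")
            ns["remote"] = after(t, "remote-ip")
        elif t[1] == "interface" and t[3] == "ip" and len(t) > 4 and "/" in t[4]:
            ns["if_ip"][t[2]] = t[4].split("/")[0]
    return ns

def phase1_name(ike):
    """'3des-md5-modp1024' -> 'pre-g2-3des-md5' (preshared key, DH group 2)."""
    enc, auth, group = ike.split("-")
    return f"pre-{DH_GROUPS[group]}-{enc}-{auth}"

def phase2_name(esp, pfs, phase1_group):
    """'3des-md5' -> 'g2-esp-3des-md5'; Openswan defaults to pfs=yes with the Phase 1 group."""
    enc, auth = esp.split("-")
    tag = "nopfs" if pfs == "no" else DH_GROUPS[phase1_group]
    return f"{tag}-esp-{enc}-{auth}"

def cross_check(conn, ns):
    """Return a list of mismatches; an empty list means both ends agree on paper."""
    findings = []
    group = conn["ike"].split("-")[-1]
    p1 = phase1_name(conn["ike"])
    if p1 not in ns["ike_proposals"]:
        findings.append(f"Phase 1: Openswan offers {p1}, NetScreen accepts {ns['ike_proposals']}")
    p2 = phase2_name(conn["esp"], conn.get("pfs", "yes"), group)
    if p2 not in ns["esp_proposals"]:
        findings.append(f"Phase 2: Openswan offers {p2}, NetScreen accepts {ns['esp_proposals']}")
    if ns.get("peer") != conn["left"]:
        findings.append(f"Peer: NetScreen gateway address {ns.get('peer')} != Openswan left={conn['left']}")
    local_ip = ns["if_ip"].get(ns.get("outgoing"))
    if local_ip != conn["right"]:
        findings.append(f"Peer: NetScreen {ns.get('outgoing')} ip {local_ip} != Openswan right={conn['right']}")
    # Proxy IDs are mirror images: NetScreen local-ip is Openswan's rightsubnet and vice versa.
    if (ns.get("local"), ns.get("remote")) != (conn["rightsubnet"], conn["leftsubnet"]):
        findings.append(f"Proxy ID: NetScreen {ns.get('local')}/{ns.get('remote')} vs Openswan "
                        f"{conn['rightsubnet']}/{conn['leftsubnet']}")
    return findings

def check_post_configs():
    """Run the cross-check over the two fragments quoted in the post."""
    return cross_check(parse_openswan_conn(OPENSWAN_CONN), parse_netscreen(NETSCREEN_CFG))
```

Run `check_post_configs()` and an empty list comes back: the 3DES/MD5/group-2 proposal Openswan sends is in both ScreenOS proposal lists, the peer addresses match the interface IPs, and the proxy IDs mirror the left/right subnets. That rules the proposals out as the cause. The SA table shows the SA `Active` but `Link Down`; with `set vpn "OFR" monitor` enabled, that Link column reflects the VPN monitor's probes, so the remaining question is whether traffic is actually being routed into tunnel.1 on the Netscreen side, not whether IKE is negotiating.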

 
