[Openswan Users] Openswan and Juniper Netscreen ?

Paul Overton paul at trusted-management.com
Tue Jul 10 06:36:47 EDT 2007


Is your Netscreen device using a routed VPN? If so, you should also use proxy IDs so that you are only creating a routed VPN, without using the firewall policy to determine the VPN structure.


The config below with PSK usually works with Netscreen devices, though you may need to change the encryption types to suit your Openswan and Netscreen devices. This can also be made to work with X509 using ASN1=DN IDs.

conn netscreen
        type=tunnel
        auto=start
        auth=esp
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        authby=secret
        keyexchange=ike
        keylife=8h
        keyingtries=0
        pfs=yes
        rekey=yes
        left=xxx.xxx.xxx.xxx
        leftnexthop=xxx.xxx.xxx.xxx
        leftsubnet=xxx.xxx.xxx.xxx/xx
        leftid=xxx.xxx.xxx.xxx
        right=zzz.zzz.zzz.zzz
        rightsubnet=zzz.zzz.zzz.zzz/zz
        rightnexthop=zzz.zzz.zzz.zzz
        rightid=zzz.zzz.zzz.zzz

If your Netscreen is behind a NAT device you will need to enable NAT-T on the Netscreen as well as in Openswan.

Regards, Paul
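The Pluto log quoted further down in this thread shows the ISAKMP SA coming up and then NO_PROPOSAL_CHOSEN arriving right after Quick Mode is initiated with PFS. The following is an added example (not from the original posts) that reads such a log and reports whether the rejection happened in phase 1 (so the ike= line is the suspect) or phase 2 (esp=, pfs= and the proxy IDs, i.e. leftsubnet/rightsubnet, are the suspects); the sample log lines are constructed from the shape of the ones in this thread.

```python
import re

# Constructed sample, abridged from the Pluto log quoted in this thread.
SAMPLE_LOG = """\
Jul  3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: initiating Main Mode
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

# Pluto prefixes every per-connection message with: "conn-name" #<sa-number>: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')


def diagnose(log_text, conn):
    """Return which IKE phase rejected our proposal for `conn` and what to check."""
    phase1_up = False
    quick_mode_flags = None  # e.g. "PSK+ENCRYPT+TUNNEL+PFS+UP" once Quick Mode starts
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("conn") != conn:
            continue
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            phase1_up = True  # phase 1 agreed: ike= and the PSK are fine
        elif msg.startswith("initiating Quick Mode"):
            quick_mode_flags = msg.split()[3]
        elif "NO_PROPOSAL_CHOSEN" in msg:
            if quick_mode_flags is not None:
                # Rejected after Quick Mode began: a phase 2 mismatch.
                hints = ["esp= cipher/hash", "leftsubnet/rightsubnet (proxy IDs)"]
                if "PFS" in quick_mode_flags.split("+"):
                    hints.append("pfs= (we offer PFS; the peer must allow it too)")
                return {"phase": 2, "phase1_up": phase1_up, "check": hints}
            # Rejected before Quick Mode: the phase 1 proposal was refused.
            return {"phase": 1, "phase1_up": phase1_up,
                    "check": ["ike= cipher/hash/DH group", "authby= / PSK"]}
    return {"phase": None, "phase1_up": phase1_up, "check": []}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "My-Netscreen"))
```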

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Eric Langheinrich
Sent: 03 July 2007 16:59
To: users at openswan.org
Subject: Re: [Openswan Users] Openswan and Juniper Netscreen ?

I am having the same problems trying to get openswan to connect to a Netscreen device. Is there a good guide to follow? 


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Bartz, Joerg
Sent: Tuesday, July 03, 2007 8:45 AM
To: users at openswan.org
Subject: Re: [Openswan Users] Openswan and Juniper Netscreen ?

Hi Noc,

Is PFS also disabled on the Netscreen?

What does the log on the Netscreen say? I have this running at a customer's place and had no difficulty setting it up...

Best regards,

Jörg
 

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Noc Phibee
Sent: Tuesday, 3 July 2007 06:09
To: users at openswan.org
Subject: [Openswan Users] Openswan and Juniper Netscreen ?

Hi

I want to connect my Linux box to a Juniper Netscreen,
but at this time it doesn't work.

This is my config:

conn My-Netscreen
        left=84.14.XX.XX         # (IP of my eth0 connected to internet)
        leftsubnet=192.168.57.0/255.255.255.0  #( my network)
        leftnexthop=84.14.XX.XX #(my gateway)
        right=194.98.XX.XX #(IP of my netscreen on internet)
        rightsubnet=194.103.XX.XX/32
        auto=start
        authby=secret
        ike=3des-sha1
        ikelifetime=60s
        keylife=120s
        rekeymargin=10s
        #pfs=no
        #aggrmode=no
        spi=0x500
        esp=3des-md5

It doesn't connect; this is the log message:

Jul  3 06:04:33 gw ipsec__plutorun: Starting Pluto subsystem...
Jul  3 06:04:33 gw pluto[28470]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp at c)
Jul  3 06:04:33 gw pluto[28470]: Setting NAT-Traversal port-4500 floating to off
Jul  3 06:04:33 gw pluto[28470]:    port floating activation criteria nat_t=0/port_fload=1
Jul  3 06:04:33 gw pluto[28470]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Jul  3 06:04:33 gw pluto[28470]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul  3 06:04:33 gw pluto[28470]: starting up 1 cryptographic helpers
Jul  3 06:04:33 gw pluto[28470]: started helper pid=28471 (fd:6)
Jul  3 06:04:33 gw pluto[28470]: Using Linux 2.6 IPsec interface code on 2.6.12-12mdk
Jul  3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/cacerts'
Jul  3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/aacerts'
Jul  3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/ocspcerts'
Jul  3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/crls'
Jul  3 06:04:34 gw pluto[28470]: added connection description "My-Netscreen"
Jul  3 06:04:35 gw pluto[28470]: listening for IKE messages
Jul  3 06:04:35 gw pluto[28470]: adding interface tun1/tun1 192.168.150.129:500
Jul  3 06:04:35 gw pluto[28470]: adding interface tun0/tun0 192.168.150.1:500
Jul  3 06:04:35 gw pluto[28470]: adding interface eth1/eth1 192.168.57.37:500
Jul  3 06:04:35 gw pluto[28470]: adding interface eth0/eth0 84.14.XX.XX:500
Jul  3 06:04:35 gw pluto[28470]: adding interface lo/lo 127.0.0.1:500
Jul  3 06:04:35 gw pluto[28470]: adding interface lo/lo ::1:500
Jul  3 06:04:35 gw pluto[28470]: loading secrets from "/etc/openswan/ipsec.secrets"
Jul  3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: initiating Main Mode
Jul  3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: ignoring unknown Vendor ID payload [47d2b126bfcd83489760e2cf8c5d4d5a03497c150000000300000500]
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: I did not send a certificate because I do not have one.
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: Main mode peer ID is ID_IPV4_ADDR: '194.98.XX.XX'
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: received and ignored informational message


I don't understand the problems,

Thanks for your help.

_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155