[Openswan Users] Openswan and Juniper Netscreen ?
Eric Langheinrich
openswan at eric.unspam.com
Tue Jul 10 08:58:45 EDT 2007
I am actually trying to get openswan to act as a roadwarrior/dial-up VPN
connection to my Netscreens. I have a couple of developers that use only
Linux and need to be able to connect to my networks for various reasons.
So, no, not a routed VPN where the proxy IDs will match based on IP address.
In the testing I did with Juniper support I was able to get Phase 1 to
connect and prompt for user name etc., but before the Netscreen saw Phase 1
complete the openswan client would send Phase 2 packets. Could never get
past that point. I believe I sent an earlier email with the log snippets.
Thanks for the help,
Eric
-----Original Message-----
From: Paul Overton [mailto:paul at trusted-management.com]
Sent: Tuesday, July 10, 2007 4:37 AM
To: Eric Langheinrich; users at openswan.org
Subject: RE: [Openswan Users] Openswan and Juniper Netscreen ?
Is your Netscreen device using a routed VPN? If so, you should also use
proxy IDs so that you are only creating a routed VPN without using the
firewall policy to determine the VPN structure.
The config below with PSK usually works with Netscreen devices, though you
may need to change the encryption types to suit your Openswan and Netscreen
devices. This can also be made to work with X509 using ASN1 DN IDs.
conn netscreen
    type=tunnel
    auto=start
    auth=esp
    # Phase 1 (IKE) proposal: AES-256, SHA-1, DH group 2 (modp1024)
    ike=aes256-sha1-modp1024
    # Phase 2 (ESP) proposal
    esp=aes256-sha1
    authby=secret
    keyexchange=ike
    keylife=8h
    keyingtries=0
    pfs=yes
    rekey=yes
    # local (Openswan) side; xxx = placeholder addresses
    left=xxx.xxx.xxx.xxx
    leftnexthop=xxx.xxx.xxx.xxx
    leftsubnet=xxx.xxx.xxx.xxx/xx
    leftid=xxx.xxx.xxx.xxx
    # remote (Netscreen) side; zzz = placeholder addresses
    right=zzz.zzz.zzz.zzz
    rightsubnet=zzz.zzz.zzz.zzz/zz
    rightnexthop=zzz.zzz.zzz.zzz
    rightid=zzz.zzz.zzz.zzz
If your Netscreen is behind a NAT device, you will need to enable NAT-T on
the Netscreen as well as with Openswan.
Regards, Paul
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Eric Langheinrich
Sent: 03 July 2007 16:59
To: users at openswan.org
Subject: Re: [Openswan Users] Openswan and Juniper Netscreen ?
I am having the same problems trying to get openswan to connect to a
Netscreen device. Is there a good guide to follow?
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Bartz, Joerg
Sent: Tuesday, July 03, 2007 8:45 AM
To: users at openswan.org
Subject: Re: [Openswan Users] Openswan and Juniper Netscreen ?
Hi Noc,
Is PFS also disabled on the Netscreen?
What does the log on the Netscreen say? I have this running at a customer's
site and had no difficulty setting it up...
Best regards,
Jörg
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Noc Phibee
Sent: Tuesday, 3 July 2007 06:09
To: users at openswan.org
Subject: [Openswan Users] Openswan and Juniper Netscreen ?
Hi,
I want to connect my Linux box to a Juniper Netscreen,
but at this time it doesn't work.
This is my config:
conn My-Netscreen
    left=84.14.XX.XX            # IP of my eth0 connected to the Internet
    leftsubnet=192.168.57.0/255.255.255.0   # my network
    leftnexthop=84.14.XX.XX     # my gateway
    right=194.98.XX.XX          # IP of my Netscreen on the Internet
    rightsubnet=194.103.XX.XX/32
    auto=start
    authby=secret
    ike=3des-sha1
    ikelifetime=60s
    keylife=120s
    rekeymargin=10s
    #pfs=no
    #aggrmode=no
    spi=0x500
    esp=3des-md5
It doesn't connect; this is the log message:
Jul 3 06:04:33 gw ipsec__plutorun: Starting Pluto subsystem...
Jul 3 06:04:33 gw pluto[28470]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp at c)
Jul 3 06:04:33 gw pluto[28470]: Setting NAT-Traversal port-4500 floating to off
Jul 3 06:04:33 gw pluto[28470]: port floating activation criteria nat_t=0/port_fload=1
Jul 3 06:04:33 gw pluto[28470]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 3 06:04:33 gw pluto[28470]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 3 06:04:33 gw pluto[28470]: starting up 1 cryptographic helpers
Jul 3 06:04:33 gw pluto[28470]: started helper pid=28471 (fd:6)
Jul 3 06:04:33 gw pluto[28470]: Using Linux 2.6 IPsec interface code on 2.6.12-12mdk
Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/cacerts'
Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/aacerts'
Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/ocspcerts'
Jul 3 06:04:33 gw pluto[28470]: Could not change to directory '/etc/openswan/ipsec.d/crls'
Jul 3 06:04:34 gw pluto[28470]: added connection description "My-Netscreen"
Jul 3 06:04:35 gw pluto[28470]: listening for IKE messages
Jul 3 06:04:35 gw pluto[28470]: adding interface tun1/tun1 192.168.150.129:500
Jul 3 06:04:35 gw pluto[28470]: adding interface tun0/tun0 192.168.150.1:500
Jul 3 06:04:35 gw pluto[28470]: adding interface eth1/eth1 192.168.57.37:500
Jul 3 06:04:35 gw pluto[28470]: adding interface eth0/eth0 84.14.XX.XX:500
Jul 3 06:04:35 gw pluto[28470]: adding interface lo/lo 127.0.0.1:500
Jul 3 06:04:35 gw pluto[28470]: adding interface lo/lo ::1:500
Jul 3 06:04:35 gw pluto[28470]: loading secrets from "/etc/openswan/ipsec.secrets"
Jul 3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: initiating Main Mode
Jul 3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: ignoring unknown Vendor ID payload [47d2b126bfcd83489760e2cf8c5d4d5a03497c150000000300000500]
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: I did not send a certificate because I do not have one.
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: Main mode peer ID is ID_IPV4_ADDR: '194.98.XX.XX'
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul 3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: received and ignored informational message
I don't understand the problem;
thanks for your help.
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
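The log above shows the ISAKMP SA (Phase 1) completing and the peer answering the Quick Mode proposal (Phase 2, sent with PFS) with NO_PROPOSAL_CHOSEN, which is why Jörg asks whether PFS is also disabled on the Netscreen. The script below is an added example, not code from the thread or from Openswan: it parses a conn block of the kind Paul and Noc posted (dropping "#" comments, so a commented-out "#pfs=no" leaves Openswan's default of pfs=yes in force), parses pluto's negotiation lines, and reports whether the failure was in Phase 1 or Phase 2 together with the local Phase 2 parameters to compare against the peer. The conn block and log lines embedded in it are constructed samples modelled on the post, with documentation-range placeholder addresses; the Openswan defaults it assumes (pfs=yes, type=tunnel, keylife=8h) are the ones documented for ipsec.conf.

```python
"""Triage an Openswan (pluto) negotiation log against the ipsec.conf conn it
belongs to: did Phase 1 (ISAKMP SA) complete, did Phase 2 (IPsec SA) complete,
and if Phase 2 was refused, which local settings to compare with the peer's."""
import re

# Constructed sample conn block, modelled on the one in the post (placeholder
# addresses from RFC 5737 ranges, not real hosts).
SAMPLE_CONF = """\
conn My-Netscreen
    left=192.0.2.10
    leftsubnet=192.168.57.0/24
    right=198.51.100.20
    rightsubnet=203.0.113.5/32
    authby=secret
    ike=3des-sha1
    ikelifetime=60s
    keylife=120s
    #pfs=no
    esp=3des-md5
"""

# Constructed log lines in pluto's syslog format, one entry per line.
SAMPLE_LOG = """\
Jul  3 06:06:56 gw pluto[29062]: "My-Netscreen" #1: initiating Main Mode
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul  3 06:06:57 gw pluto[29062]: "My-Netscreen" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

LOG_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

# Openswan ipsec.conf defaults that apply when the conn leaves a key unset
# (assumed here from the ipsec.conf documentation).
DEFAULTS = {"pfs": "yes", "type": "tunnel", "keylife": "8h"}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}.  Everything after '#' is dropped, so a
    commented-out '#pfs=no' does not count as set and the default applies."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns


def parse_pluto_log(text):
    """Yield (conn, sa_number, message) for each pluto negotiation line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("conn"), int(m.group("sa")), m.group("msg")


def triage(log_text, conf_text, conn_name):
    """Classify the outcome of one conn's negotiation."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_ipsec_conf(conf_text).get(conn_name, {}))
    msgs = [m for c, _, m in parse_pluto_log(log_text) if c == conn_name]

    phase1_up = any("ISAKMP SA established" in m for m in msgs)
    phase2_up = any("IPsec SA established" in m for m in msgs)
    quick = next((m for m in msgs if "initiating Quick Mode" in m), None)
    refused = any("NO_PROPOSAL_CHOSEN" in m for m in msgs)

    result = {"phase1": phase1_up, "phase2": phase2_up,
              "pfs_in_proposal": None, "verdict": "", "compare_with_peer": {}}
    if quick:
        # pluto prints the policy flags it proposes, e.g. PSK+ENCRYPT+TUNNEL+PFS+UP
        flags = re.search(r"Quick Mode (\S+)", quick).group(1).split("+")
        result["pfs_in_proposal"] = "PFS" in flags

    if not phase1_up:
        result["verdict"] = "phase1_failed"
        result["compare_with_peer"] = {k: cfg[k] for k in
                                       ("ike", "authby", "leftid", "rightid") if k in cfg}
    elif phase2_up:
        result["verdict"] = "tunnel_up"
    elif refused:
        # Phase 1 agreed, Phase 2 proposal rejected: these are the local values
        # the peer's Phase 2 (AutoKey/VPN) settings must match.
        result["verdict"] = "phase2_rejected"
        result["compare_with_peer"] = {"esp": cfg.get("esp"), "pfs": cfg["pfs"],
                                       "type": cfg["type"], "keylife": cfg["keylife"],
                                       "leftsubnet": cfg.get("leftsubnet"),
                                       "rightsubnet": cfg.get("rightsubnet")}
    else:
        result["verdict"] = "phase2_pending"
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG, SAMPLE_CONF, "My-Netscreen")
    print(r["verdict"], "pfs proposed:", r["pfs_in_proposal"])
    for k, v in r["compare_with_peer"].items():
        print(f"  {k}={v}")
```

On the sample input the verdict is phase2_rejected with PFS present in the proposal, and the comparison list is the ESP transform, pfs, mode, lifetime and both subnets (the proxy IDs Paul refers to); any one of those differing from the Netscreen's Phase 2 configuration produces exactly the NO_PROPOSAL_CHOSEN seen in the log.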