[Openswan Users] Openswan to Juniper Netscreen, the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
Paul Wouters
paul at nohats.ca
Sat Nov 23 04:26:59 UTC 2013
On Fri, 22 Nov 2013, Axel Starck wrote:
> Subject: [Openswan Users] Openswan to Juniper Netscreen,
> the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
>
> I am trying to set up a route based VPN to a Juniper Netscreen.
> It is a host to subnet connection, where I really need to connect to only one host in the peer subnet.
>
> It seems to go for a bit but somehow the tunnel does not get established.
> At some point I get:
> the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
> and things don't move forward.
That is not a host-subnet proposal. It's an "everything to everything"
tunnel. Likely they mean for you to set up a 0/0 to 0/0 and only "route"
that one subnet in there for that one IP address. It is really a bad way
of configuring things (and basically bypasses IPsec tunnel endpoint
checks).
> conn juniper
> ike=3des-sha1
> esp=3des-sha1
> authby=secret
> keyingtries=0
> left=213.xxx.168.7
> leftsubnet= 192.168.158.0/24
> # leftsubnet= 192.168.158.70/32
> leftnexthop=%defaultroute
> right=91.xxx.165.136
> # rightsubnet=91.xxx.165.136/32
> rightnexthop=%defaultroute
> compress=no
> auto=start
It looks like you should ask them to change their configuration. Tell
them you need a "policy based VPN" and not a "routing based VPN".
Paul
--
Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/
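To make the mismatch Paul describes mechanical to spot, here is an added diagnostic script (not part of the original thread or of Openswan itself). It parses the key=value lines of a conn block, derives the local traffic selectors the way Openswan does (a missing leftsubnet/rightsubnet defaults to the endpoint host as a /32), parses a "the peer proposed" log line, and reports whether the peer is offering a route-based 0/0 <-> 0/0 tunnel against a policy-based local conn. The conn text and addresses (192.0.2.7, 198.51.100.136) are constructed for the example; the peer/local selector comparison is order-insensitive, which is a simplification of what pluto actually checks.

```python
import ipaddress
import re

# Quick-mode proposal as pluto logs it: "<net/len>:<proto>/<port> -> <net/len>:<proto>/<port>"
SELECTOR = r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}):(\d+)/(\d+)"
PEER_PROPOSAL_RE = re.compile(r"the peer proposed:\s*" + SELECTOR + r"\s*->\s*" + SELECTOR)

# Constructed conn block in the shape of the one quoted above; addresses are documentation ranges.
SAMPLE_CONN = """\
conn juniper
    ike=3des-sha1
    esp=3des-sha1
    authby=secret
    keyingtries=0
    left=192.0.2.7
    leftsubnet= 192.168.158.0/24
    # leftsubnet= 192.168.158.70/32
    leftnexthop=%defaultroute
    right=198.51.100.136
    # rightsubnet=198.51.100.136/32
    rightnexthop=%defaultroute
    compress=no
    auto=start
"""


def parse_conn(text):
    """Parse one ipsec.conf 'conn' block into a dict; comments and the 'conn' line are ignored."""
    conn = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip()
    return conn


def local_selectors(conn):
    """Local traffic selectors: leftsubnet/rightsubnet, or the endpoint host /32 when unset."""
    left = ipaddress.ip_network(conn.get("leftsubnet") or conn["left"] + "/32")
    right = ipaddress.ip_network(conn.get("rightsubnet") or conn["right"] + "/32")
    return left, right


def parse_peer_proposal(line):
    """Return ((net, proto, port), (net, proto, port)) from a 'the peer proposed' line, or None."""
    m = PEER_PROPOSAL_RE.search(line)
    if m is None:
        return None
    a = (ipaddress.ip_network(m.group(1)), int(m.group(2)), int(m.group(3)))
    b = (ipaddress.ip_network(m.group(4)), int(m.group(5)), int(m.group(6)))
    return a, b


def is_wildcard_pair(a, b):
    """True when both selectors are 0/0, i.e. the peer wants an 'everything to everything' SA."""
    return a[0].prefixlen == 0 and b[0].prefixlen == 0


def diagnose(conn, log_line):
    """Compare the peer's proposed selectors with ours and say why the tunnel is not coming up."""
    proposal = parse_peer_proposal(log_line)
    if proposal is None:
        return {"status": "no-proposal"}
    peer_a, peer_b = proposal
    ours = sorted(str(n) for n in local_selectors(conn))
    theirs = sorted({str(peer_a[0]), str(peer_b[0])})
    if ours == theirs:
        return {"status": "match", "ours": ours}
    if is_wildcard_pair(peer_a, peer_b):
        reason = "peer offers a route-based 0/0<->0/0 tunnel; local conn is policy-based"
    else:
        reason = "traffic selectors differ"
    return {"status": "mismatch", "reason": reason, "ours": ours, "theirs": theirs}


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONN)
    print(diagnose(conn, "the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0"))
    print(diagnose(conn, "the peer proposed: 192.168.158.0/24:0/0 -> 198.51.100.136/32:0/0"))
```

Run against the line from the original report, the script flags the route-based proposal; it only reports a match when the peer's selectors are exactly the subnet and host the local conn defines, which is what a policy-based configuration on the Netscreen side would produce.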