07-28-2008 02:17 AM
Hi All,
Hoping you guys can help..
I have a Juniper SSG-140 firewall. I have about 2 dozen clients connecting using the NetScreen-Remote client version 10.7.7
The remote gateway type for all is “Dialup user” using shared keys. Each user has their own policy.
I have a problem with 2 users who are dialling in from another company (through an unknown firewall). When there was one user there was no problem connecting. Now that a second user is at that site, he cannot get a connection; he is getting the following error on his client:
7-25: 16:15:27.859 My Connections\Company - Initiating IKE Phase 1 (IP ADDR=80.169.139.110)
7-25: 16:15:28.078 My Connections\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
7-25: 16:15:43.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:43.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:15:58.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:58.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:13.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:16:13.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:28.343 My Connections\Company - Exceeded 3 IKE SA negotiation attempts
Could it be that both clients are originating from the same IP (the company's external IP address)? If so, how do I get around this problem?
Cheers,
Stephen
07-28-2008 02:40 AM
Hi Stephen,
Like most IPSec clients, you'll need to have the clients approach the termination point with a unique IP.
The reason is the source and destination port of UDP 500.
I've seen this in the past with Cisco clients also, where (on a NS firewall) a MIP was needed per user traversing the firewall using an IPSec client.
Hope this helps
Kind regards
Colin
07-28-2008 03:21 AM
Hi CB, thanks for your prompt reply.
You will have to forgive my limited knowledge on firewalls and clients; I'm a jack of all trades, master of none!
Are you saying that it's not possible in any client configuration to have 2 clients coming from the same IP address?
Cheers,
Stephen
07-28-2008 04:53 AM
Try to enable NAT-T in Phase 1. I had to do that with a Cisco 3000 and I'll assume this will work with Juniper. However, I'm like you, "jack of all trades, master of none", and I'm new to Juniper as well.
Rick
07-28-2008 04:56 AM
Hi,
You have to enable NAT traversal on the SSG. Go to VPN -> AutoKey Advanced -> Edit; there, check NAT traversal.
Hope this helps
07-28-2008 09:50 AM
Hi Guys,
Thanks for that. It looks like enabling NAT traversal in VPN > AutoKey Advanced > Gateway > Edit did the trick.
Cheers
Stephen
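Added example, not code from the original thread or from Juniper: a small parser for the NetScreen-Remote client log format shown in the first post, which classifies each IKE Phase 1 attempt and turns "sent four times, received nothing, exceeded attempts" into a verdict a helpdesk can act on. The failing log is the one Stephen posted; the second "success" log, including its RECEIVED and Established IKE SA lines, is constructed for contrast and is an assumption about the client's wording, as are the verdict codes. The advice text only restates the thread's own outcome (no reply on UDP 500 from a second client behind one NAT, fixed by enabling NAT traversal on the gateway).

```python
"""Classify IKE Phase 1 attempts from NetScreen-Remote client log lines.

Added example for the thread above; the log format is taken from the
lines posted there. SUCCESS_LOG is constructed and assumes the client's
wording for a received message and an established SA.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# "7-25: 16:15:27.859 My Connections\Company - Initiating IKE Phase 1 (...)"
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}-\d{1,2}): (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<conn>.+?) - (?P<msg>.*)$"
)

# Log as posted in the thread (client behind the second user's NAT).
FAILING_LOG = r"""
7-25: 16:15:27.859 My Connections\Company - Initiating IKE Phase 1 (IP ADDR=80.169.139.110)
7-25: 16:15:28.078 My Connections\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
7-25: 16:15:43.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:43.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:15:58.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:58.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:13.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:16:13.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:28.343 My Connections\Company - Exceeded 3 IKE SA negotiation attempts
"""

# Constructed contrasting sample (not from the thread): the gateway answers.
SUCCESS_LOG = r"""
7-25: 16:20:01.000 My Connections\Company - Initiating IKE Phase 1 (IP ADDR=80.169.139.110)
7-25: 16:20:01.100 My Connections\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
7-25: 16:20:01.400 My Connections\Company - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID 3x)
7-25: 16:20:01.450 My Connections\Company - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT)
7-25: 16:20:01.500 My Connections\Company - Established IKE SA
"""


@dataclass
class Phase1Attempt:
    connection: str
    gateway: str
    started: datetime
    ended: Optional[datetime] = None
    sent: int = 0          # every SENDING line, retransmissions included
    retransmits: int = 0   # "message not received! Retransmitting!" lines
    received: int = 0      # RECEIVED lines: did the gateway ever answer?
    outcome: str = "in-progress"

    @property
    def duration_s(self) -> float:
        return (self.ended - self.started).total_seconds() if self.ended else 0.0


def _ts(date: str, time: str) -> datetime:
    # The client log carries no year; strptime defaults it, which is fine for deltas.
    return datetime.strptime(f"{date} {time}", "%m-%d %H:%M:%S.%f")


def parse_attempts(lines) -> List[Phase1Attempt]:
    """Group log lines into Phase 1 attempts, one per 'Initiating IKE Phase 1'."""
    attempts: List[Phase1Attempt] = []
    current: Optional[Phase1Attempt] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = _ts(m["date"], m["time"]), m["msg"]
        if msg.startswith("Initiating IKE Phase 1"):
            gw = re.search(r"IP ADDR=([\d.]+)", msg)
            current = Phase1Attempt(m["conn"], gw.group(1) if gw else "", ts)
            attempts.append(current)
            continue
        if current is None:
            continue
        if msg.startswith("SENDING>>>>"):
            current.sent += 1
        elif "Retransmitting" in msg:
            current.retransmits += 1
        elif msg.startswith("RECEIVED<<<"):
            current.received += 1
        elif msg.startswith("Exceeded"):
            current.outcome, current.ended = "failed", ts
        elif "Established IKE SA" in msg:   # assumed wording, see SUCCESS_LOG
            current.outcome, current.ended = "established", ts
    return attempts


# Verdict codes are this example's own; the advice restates the thread's fix.
ADVICE = {
    "ok": "Phase 1 established.",
    "no-ike-reply": ("Gateway never answered on UDP 500. Either UDP 500 is blocked on "
                     "the path, or this is a second client behind the same NAT as one "
                     "that already connects; enable NAT traversal on the SSG gateway."),
    "negotiation-rejected": "Gateway answered but Phase 1 failed: check proposal and PSK.",
    "in-progress": "Attempt has not finished in this log excerpt.",
}


def diagnose(a: Phase1Attempt) -> str:
    if a.outcome == "established":
        return "ok"
    if a.outcome == "failed":
        return "no-ike-reply" if a.received == 0 else "negotiation-rejected"
    return "in-progress"


if __name__ == "__main__":
    for label, log in (("posted", FAILING_LOG), ("constructed", SUCCESS_LOG)):
        for a in parse_attempts(log.splitlines()):
            code = diagnose(a)
            print(f"[{label}] {a.gateway}: sent={a.sent} retransmits={a.retransmits} "
                  f"received={a.received} outcome={a.outcome} after {a.duration_s:.1f}s")
            print("  ->", ADVICE[code])
```

The discriminating signal is `received == 0` across all four sends: a proposal or pre-shared-key mismatch would still produce a RECEIVED line (or a notify), whereas silence over UDP 500 points at the path or at the NAT sharing problem the thread describes. On the gateway side the WebUI checkbox named in the thread corresponds to `set ike gateway <name> nat-traversal` on ScreenOS; confirm with `get ike gateway <name>` on your release, as the command syntax is stated from the ScreenOS CLI reference, not from this thread.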
09-01-2011 03:06 AM
I have a question for you: how are you defining a different policy for each user?