ScreenOS Firewalls (NOT SRX)
Visitor
Stemoney
Posts: 4
Registered: ‎07-28-2008
Accepted Solution

2 Dial up clients originating from 1 ip address

Hi All,

 

Hoping you guys can help..

 

I have a Juniper SSG-140 firewall. I have about two dozen clients connecting using the NetScreen-Remote client, version 10.7.7.

 

The remote gateway type for all is “Dialup user” using shared keys. Each user has their own policy.

 

I have a problem with two users who are dialling in from another company (through an unknown firewall). When there was one user there was no problem connecting. Now that a second user is at that site he cannot get a connection; he is getting the following error on his client:

7-25: 16:15:27.859 My Connections\Company - Initiating IKE Phase 1 (IP ADDR=80.169.139.110)
7-25: 16:15:28.078 My Connections\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
7-25: 16:15:43.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:43.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:15:58.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:58.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:13.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:16:13.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:28.343 My Connections\Company - Exceeded 3 IKE SA negotiation attempts

 

Could it be that both clients are originating from the same IP (the company's external IP address)? If so, how do I get around this problem?

 

Cheers,

 

Stephen

Recognized Expert
CB
Posts: 159
Registered: ‎05-09-2008

Re: 2 Dial up clients originating from 1 ip address

Hi Stephen,

 

Like most IPsec clients, you'll need to have the clients approach the termination point with a unique IP.

The reason is the source and destination port of UDP 500.

 

I've seen this in the past with Cisco clients also, where (on a NetScreen firewall) a MIP was needed per user traversing the firewall using an IPsec client.

 

Hope this helps

 

Kind regards

 

Colin

If this worked for you please flag my post as an "Accepted Solution" so others can benefit.
Visitor
Stemoney
Posts: 4
Registered: ‎07-28-2008

Re: 2 Dial up clients originating from 1 ip address

Hi CB, thanks for your prompt reply.

 

You will have to forgive my limited knowledge on firewalls and clients; I'm a jack of all trades, master of none!

Are you saying that it's not possible in any client configuration to have two clients coming from the same IP address?

 

Cheers,

 

Stephen

Contributor
biker
Posts: 21
Registered: ‎05-07-2008

Re: 2 Dial up clients originating from 1 ip address

Try enabling NAT-T in Phase 1. I had to do that with a Cisco 3000 and I'll assume this will work with Juniper. However, I'm like you, "jack of all trades, master of none", and I'm new to Juniper as well.

 

Rick 

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: 2 Dial up clients originating from 1 ip address

hi,

 

You have to enable NAT traversal on the SSG. Go to VPN -> AutoKey Advanced -> Edit, and check NAT Traversal there.

 

Hope this helps

 

 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!
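For readers who prefer the CLI to the WebUI path given above, the fragment below is an added example written for this thread, not configuration taken from any poster's firewall. It assumes two dial-up users (alice and bob), ethernet0/0 as the Untrust interface, placeholder pre-shared keys and the predefined proposal names; the user names, gateway/VPN/policy names and policy IDs are all made up and should be replaced. Lines beginning with ## are annotations for the reader, not ScreenOS input. Why NAT-Traversal is the fix: ESP (IP protocol 50) carries no port numbers, so the NAT device in front of the remote site can only map it back to one inside host, and two Phase 1 negotiations arriving from the same public address cannot be separated by source port either. Once nat-traversal is enabled on the gateway, the Phase 1 exchange detects the NAT, IKE and ESP both move to UDP 4500 where each client gets its own translated source port, and the SSG matches each client on its IKE user ID, so the shared public address no longer matters. The example also shows the one-gateway, one-VPN, one-policy-per-user layout Stephen describes, with share-limit 1 so a given IKE ID can hold only one Phase 1 at a time.

```screenos
## Added example (not from this thread): two NetScreen-Remote users behind one NAT.
## Names, interface, keys and proposals are assumptions; replace with your own.

## One IKE user per person. share-limit 1 = one concurrent Phase 1 per IKE ID.
set user "alice" ike-id u-fqdn "alice@example.com" share-limit 1
set user "bob"   ike-id u-fqdn "bob@example.com"   share-limit 1

## One dial-up gateway per user, aggressive mode, pre-shared key.
set ike gateway "gw-alice" dialup "alice" Aggr outgoing-interface "ethernet0/0" preshare "ALICE-PSK-PLACEHOLDER" proposal "pre-g2-3des-sha"
set ike gateway "gw-bob"   dialup "bob"   Aggr outgoing-interface "ethernet0/0" preshare "BOB-PSK-PLACEHOLDER"   proposal "pre-g2-3des-sha"

## The fix from the thread: NAT-Traversal per gateway
## (WebUI: VPNs > AutoKey Advanced > Gateway > Edit > Advanced > Enable NAT-Traversal).
## Without it the second client behind the same public IP never completes Phase 1.
set ike gateway "gw-alice" nat-traversal
set ike gateway "gw-alice" nat-traversal udp-checksum
set ike gateway "gw-alice" nat-traversal keepalive-frequency 20
set ike gateway "gw-bob"   nat-traversal
set ike gateway "gw-bob"   nat-traversal udp-checksum
set ike gateway "gw-bob"   nat-traversal keepalive-frequency 20

## One Phase 2 VPN per gateway, anti-replay on.
set vpn "vpn-alice" gateway "gw-alice" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "vpn-bob"   gateway "gw-bob"   replay tunnel idletime 0 proposal "g2-esp-3des-sha"

## One policy per user. "Dial-Up VPN" is the predefined Untrust address for dial-up clients.
## Narrow "Any"/"ANY" to the hosts and services each user really needs.
set policy id 101 from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel vpn "vpn-alice" log
set policy id 102 from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel vpn "vpn-bob"   log

## Checks once both users have connected from the remote site:
##   get ike cookie    -> one Phase 1 entry per user; NAT-T peers should show port 4500
##   get sa active     -> one Phase 2 SA per tunnel
##   debug ike detail, get dbuf stream, undebug all -> Phase 1 trace if one still fails
```

Two caveats a practitioner should check before blaming the SSG. First, NAT-T is negotiated in Phase 1 through vendor ID payloads (the "VID 6x" in the client log above is the client offering them), so the client must support it as well as the gateway. Second, the remote company's firewall must allow UDP 4500 outbound in addition to UDP 500; if it only passes UDP 500 and ESP, enabling NAT-T on the SSG changes nothing, and the site-to-site tunnel suggested later in the thread becomes the practical alternative.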
Trusted Contributor
stine
Posts: 435
Registered: ‎05-05-2008

Re: 2 Dial up clients originating from 1 ip address

I believe you should create a VPN tunnel between the two networks and apply a policy that allows only those two users access to the tunnel, and your network resources.
Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Visitor
Stemoney
Posts: 4
Registered: ‎07-28-2008

Re: 2 Dial up clients originating from 1 ip address

Hi Guys,

 

Thanks for that. It looks like enabling NAT in VPN > AutoKey Advanced > Gateway > Edit did the trick.

 

Cheers

 

Stephen

Visitor
mfung
Posts: 3
Registered: ‎06-04-2009

Re: 2 Dial up clients originating from 1 ip address

I have a question for you, how are you defining a different policy for each user?

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.