ScreenOS Firewalls (NOT SRX)
Contributor
ROL801
Posts: 10
Registered: 11-11-2011

Build site to site vpn between SSG5 and Linksys WRVS4400N

So far I've configured dial-up VPN without any problem.

However, we would like to extend it further to other networks using Linksys VPN routers.

Can anyone provide some ideas?

 

Thanks

Distinguished Expert
spuluka
Posts: 2,229
Registered: 03-30-2009

Re: Build site to site vpn between SSG5 and Linksys WRVS4400N

To connect a Linksys remote site you will use a site-to-site VPN tunnel and not the dial-up VPN.

If the Linksys site has a dynamic IP address you can sign up for DynDNS.com and use this service to create a DNS entry you can use for the tunnel gateway. This will also be configured on the Linksys side to keep the entry up to date.

For the Juniper side of the tunnel use these instructions. You will need to find the similar document for the Linksys model.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15074

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Contributor
ROL801
Posts: 10
Registered: 11-11-2011

Re: Build site to site vpn between SSG5 and Linksys WRVS4400N

Thanks,

The connection functions well with same-brand Linksys products.

However, I can't make it work when connecting with the SSG5.

Settings in the WRVS4400N are all ready. I also tried a similar KB to yours, but no good.

Distinguished Expert
spuluka
Posts: 2,229
Registered: 03-30-2009

Re: Build site to site vpn between SSG5 and Linksys WRVS4400N

You will need to get some log information to see why the tunnel does not come up. Walk through the steps in KB9221 and see which settings will need to be adjusted for this connection.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB9221

Contributor
ROL801
Posts: 10
Registered: 11-11-2011

Re: Build site to site vpn between SSG5 and Linksys WRVS4400N

Thanks.

Tried many things and made the tunnel active and up on both sides. However, I'm still unable to ping across the tunnel.

Routing and policy in the SSG are already defined properly. The difficult part now is the WRVS4400N.

-> get sa
total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<         0.0.0.0  500 esp:3des/sha1 00000000 expir unlim I/I    45 0
00000001>         0.0.0.0  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
00000003< 112.120.207.109 4500 esp:3des/sha1 663c8358  3558 unlim A/U    -1 0
00000003> 112.120.207.109 4500 esp:3des/sha1 16360607  3558 unlim A/U    -1 0
->

 

And I find the events below; please advise.

VPN 'VPN for ROL801 Home' from 112.120.207.109 is up.

Rejected an IKE packet on ethernet0/0 from 112.120.207.109:500 to 10.254.254.5:500 with cookies f0b62040080c8952 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

Distinguished Expert
spuluka
Posts: 2,229
Registered: 03-30-2009

Re: Build site to site vpn between SSG5 and Linksys WRVS4400N

Phase 1 packet arrived from an unrecognized peer gateway.

This message usually means that the gateway address configured in the gateway object of the VPN does not match the remote gateway.

But I also notice that you have a private address as one of the two partners. Is there another NAT device between the SSG and the Linksys? This will normally not work as the gateway connections cannot be on a NAT address.

Contributor
ROL801
Posts: 10
Registered: 11-11-2011

Re: Build site to site vpn between SSG5 and Linksys WRVS4400N

You can see a private IP address because it's statically mapped from a router in front of it. All public IP addresses are routed to the SSG5 untrust interface for NAT or MIP. This makes it easier for me to manage the entire network.

Finally fixed all connection issues after hours of trying and testing. Things are working now.

Sometimes the event below appears, but the VPN connection remains active.

"Rejected an IKE packet on ethernet0/0 from 112.120.206.248:500 to 10.254.254.5:500 with cookies e126643785f3608f and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway."

Basically, all things are correct regarding the previous setup, such as routing and policy.

Three key points are critical to the entire setup:

1. In Auto IKE, Advanced: VPN Monitor, Optimized and Rekey must be ticked; otherwise the connection will fail.

2. In AutoKey Advanced, Gateway, Advanced, you are required to put the internet IP address in the Local ID.

3. Even with a dynamic IP in use on the WRVS4400N, with DynDNS configured, the SSG5 gateway setting still requires "Static IP Address".

The above three things must be followed; otherwise the connection will drop immediately.

And after this, a new question to ask: I can see alerts appear on a regular basis.

Am I required to configure more, or block these IPs as well?

"Port scan! From 218.60.129.215:19000 to 113.28.164.213:9722, proto TCP (zone Untrust, int ethernet0/0). Occurred 1 times."

 
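As an added example (not part of this thread and not Juniper's code), here is a small Python script that parses the get sa output and the event lines quoted in this thread (constructed samples built from those values) and sorts each "unrecognized peer gateway" rejection by whether the sender already holds an active SA, which is the distinction Steve's reply draws: a configured peer being refused points at the gateway object, while an unknown sender is either a dynamic-IP peer that moved or unsolicited IKE. The column layout of get sa and the regexes are my assumptions about the ScreenOS text format.

```python
import re
# Constructed samples built from the values quoted in this thread, not live data.
GET_SA = """\
total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<         0.0.0.0  500 esp:3des/sha1 00000000 expir unlim I/I    45 0
00000001>         0.0.0.0  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
00000003< 112.120.207.109 4500 esp:3des/sha1 663c8358  3558 unlim A/U    -1 0
00000003> 112.120.207.109 4500 esp:3des/sha1 16360607  3558 unlim A/U    -1 0
"""
EVENTS = """\
VPN 'VPN for ROL801 Home' from 112.120.207.109 is up.
Rejected an IKE packet on ethernet0/0 from 112.120.207.109:500 to 10.254.254.5:500 with cookies f0b62040080c8952 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
Rejected an IKE packet on ethernet0/0 from 112.120.206.248:500 to 10.254.254.5:500 with cookies e126643785f3608f and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
Port scan! From 218.60.129.215:19000 to 113.28.164.213:9722, proto TCP (zone Untrust, int ethernet0/0). Occurred 1 times.
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Assumed column layout of 'get sa': id<> gateway port algorithm spi life:sec kb sta pid vsys
SA_LINE = re.compile(r"^[0-9a-f]{8}[<>]\s+" + IP + r"\s+\d+\s+\S+\s+[0-9a-f]{8}\s+\S+\s+\S+\s+(\S+)")
VPN_UP = re.compile(r"VPN '([^']+)' from " + IP + r" is up")
IKE_REJECT = re.compile(r"Rejected an IKE packet on (\S+) from " + IP + r":\d+ to " + IP + r":\d+ .*because (.+?)\.?$")
PORT_SCAN = re.compile(r"Port scan! From " + IP + r":\d+ to " + IP + r":\d+")


def active_peers(get_sa_output):
    """Gateways with an active SA ('A' in Sta); 0.0.0.0 rows are the dial-up template and are skipped."""
    peers = set()
    for line in get_sa_output.splitlines():
        m = SA_LINE.match(line)
        if m and m.group(1) != "0.0.0.0" and m.group(2).startswith("A"):
            peers.add(m.group(1))
    return peers


def triage(events, peers):
    """Turn each event line into (kind, source_ip, note), judged against the active-peer set."""
    out = []
    for line in events.splitlines():
        if m := VPN_UP.search(line):
            out.append(("vpn-up", m.group(2), f"tunnel '{m.group(1)}' established"))
        elif m := IKE_REJECT.search(line):
            iface, src, _dst, reason = m.groups()
            if src in peers:
                # A peer we already talk to is refused: gateway object (address or ID) mismatch.
                out.append(("check-gateway", src, f"{reason}; verify gateway object for {src} on {iface}"))
            else:
                out.append(("unknown-peer", src, "no active SA for this address: dynamic peer moved, or unsolicited IKE"))
        elif m := PORT_SCAN.search(line):
            out.append(("port-scan", m.group(1), f"SCREEN alarm on {m.group(2)}, Untrust side"))
    return out
```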

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.