ScreenOS Firewalls (NOT SRX)
Contributor
dicappy
Posts: 13
Registered: 08-29-2010

Can not get the VPN up and SA Active on site 2 site VPN between two SSG320M

Can you believe that: same boxes, but the VPN still does not work.

Tried policy based (read and applied all).

Tried route based (read and applied all). What is the problem here?

Two sites:

Local site

HQ = server IP is 10.1.1.100/24
HQ public IP is = 8.8.8.1/27

Remote site

RemOff

RO = server IP = 172.16.1.50/16
RO public IP is = 7.7.7.2/29

I did it with the wizard, I did it according to the VPN manuals... something's missing I guess. Please help.


Distinguished Expert
firewall72
Posts: 825
Registered: 05-04-2008

Re: Can not get the VPN up and SA Active on site 2 site VPN between two SSG320M

Are you looking for an example?  If not, can you share your config?  This will allow the community to see what's wrong.


-John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Distinguished Expert
spuluka
Posts: 2,554
Registered: 03-30-2009

Re: Can not get the VPN up and SA Active on site 2 site VPN between two SSG320M

As John indicated, there is not enough information in your post for us to help.  If you are not comfortable posting the configurations for us to review, your other option is to post the error messages you are getting in the firewall log.  There are a number of configuration steps that have to exactly match on both sides of the tunnel or it won't work.  The messages help narrow down which configuration needs to be adjusted.

Check these troubleshooting guides for VPN connections.  And let us know which problem you are experiencing if you can't see the issue yourself.

Flow Chart Troubleshooting Guide
http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_kb9221.htm

Question and Answer troubleshooting guide
http://kb.juniper.net/InfoCenter/index?page=content&id=KB9221

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Contributor
dicappy
Posts: 13
Registered: 08-29-2010

Re: Can not get the VPN up and SA Active on site 2 site VPN between two SSG320M

That's what I did.

Log into SSG320 A through the web interface

Configure your tunnel interface

Click Network -> Interfaces
Make sure the dropdown in the top left says Tunnel IF, and click New
I put mine in the Untrust zone because I want all of my VPN traffic to run through my Untrust->Trust policy
Click Unnumbered and select the untrust interface (in this case the untrust interface is what I configured with the IP from my ISP)
Click OK

Configure your VPN Gateway

Click VPNs -> AutoKey Advanced -> Gateway
Click New
Name the gateway "FWB-gw"
I select the custom security level
Enter the public IP address of Firewall B (this is the public address when I go to the internet, isn't it?) as 82.XXX.XXX.146/29
Carefully enter your preshared key
Select untrust for your outgoing interface (I select the zone that I created before for the ISP interface)
Click Advanced
Select User defined (custom)
In the first dropdown select pre-g2-aes128-sha
Click Return at the bottom
Click OK at the bottom

Create the VPN

On the menu on the left select VPNs -> AutoKey IKE
Click New
Name it FWB-vpn
Select Custom
Leave Predefined checked and select your FW-gw in the dropdown
Click Advanced
Select Custom
In the first dropdown, select g2-esp-aes128-sha
Turn on replay protection
Bind to tunnel interface, and select the tunnel interface you created in step 2
Turn on VPN monitor (this will bring up the VPN right away and keep it up even when there's no traffic on it); in my case it didn't...
Click Return
Click OK

Add routes to the remote network. I will add a static.

Menu: click Network -> Routing -> Destination
Click New
Type in the network address behind Firewall B (this is the private IP address behind firewall B, the one I'm trying to reach, isn't it? I used 172.22.1.XXX/32)
Select Gateway
Select your tunnel interface in the dropdown (selected tunnel 1)
(no IP addresses added under the tunnel interface)
Click OK

Add policy to allow access to/from the remote network. Create an Untrust->Trust policy which allows access from the network
behind FWB to hosts or the network behind FWB. You probably want to allow Ping at a minimum.

As from FWA trust zone to untrust zone ---> 172.16.1.XXX/32 to 172.22.1.XXX/32

And from FWA untrust zone to trust zone ---> 172.22.1.XXX/32 to 172.16.1.XXX/32

Repeat steps 1-6 on SSG320 B, substituting SSG320 B's data.

 

After I did all that:

SSG320 B

VPN name - FWA-VPN
SA ID - 0000000c
Policy ID - -1/-1
Peer GW IP - 82.145.XXX.XXX
Type - AutoIKE
SA status - inactive
SA link - inactive

SSG320 A

VPN name - FWB-VPN
SA ID - 00000001
Policy ID - -1/-1
Peer GW IP - 82.145.YYY.Y
Type - AutoIKE
SA status - inactive
SA link - inactive

And the event logs of both firewalls.

SSG320 A

IKE 82.145.YYY.Y Phase 1: Retransmission limit has been reached

On firewall A that's the only error message that comes up.

SSG320 B

Responder starts MAIN mode negotiations.

IKE 82.145.XXX.XXX Phase 1: Retransmission limit has been reached

Added Phase 2 session tasks to the task list.

And it continues.

Please let me know where what is missing. Thanks.

Distinguished Expert
spuluka
Posts: 2,554
Registered: 03-30-2009

Re: Can not get the VPN up and SA Active on site 2 site VPN between two SSG320M

For this message:

Responder starts MAIN mode negotiations.

IKE 82.145.XXX.XXX Phase 1: Retransmission limit has been reached

See KB9349:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB9349

Since site B is going into responder mode, then most likely the settings are good on site A.  The two most common causes of this timeout are:

Typo in the gateway IP address on the gateway object for site B.

Wrong outgoing interface selected on the gateway object for site B.

The gateway outgoing interface is not a zone selection but an interface choice.  You do want this to be the interface that your internet service is connected to on the firewall.  Unfortunately you cannot edit this attribute after creation in the web interface, but you can see the value in the Advanced tab to confirm it is correct.

Static route

You do want to put in a gateway address when you create the static route instead of leaving it blank.  This will be the internal address of the interface on the remote side.

Are you sure you only want /32 addresses for the routes and policy?  This will require a route and policy for each address once the tunnel is actually up.

Monitor

Only enable the monitor on one firewall.  Since the monitor causes the firewall to initiate tunnel negotiations, you don't want both firewalls to start at the same time and keep waiting for each other to become responders.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
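The checklist in this reply and the GUI steps in the earlier post, turned into an added cross-check (example code, not from the thread or from Juniper): each tunnel end is a dict mirroring the gateway, VPN and route objects, and check_tunnel() reports the mismatches named here. The interface names, the pre-shared key and the broken site B values are constructed assumptions, not anything from the posts.

```python
from ipaddress import ip_network


def check_tunnel(a, b):
    """Return a list of findings; an empty list means both ends agree."""
    findings = []
    for me, peer, tag in ((a, b, "A"), (b, a, "B")):
        gw, vpn, route = me["gateway"], me["vpn"], me["route"]
        # Phase 1 never completes when the gateway object has the wrong peer IP;
        # the other side just logs "Retransmission limit has been reached".
        if gw["peer_ip"] != peer["public_ip"]:
            findings.append(f"{tag}: peer {gw['peer_ip']} is not the remote public IP {peer['public_ip']}")
        # Outgoing interface is an interface choice, not a zone, and must be the ISP-facing one.
        if gw["outgoing_interface"] != me["public_interface"]:
            findings.append(f"{tag}: outgoing interface {gw['outgoing_interface']} is not {me['public_interface']}")
        # Phase 1 and phase 2 proposals must be identical on both ends.
        if gw["p1_proposal"] != peer["gateway"]["p1_proposal"]:
            findings.append(f"{tag}: phase 1 proposal differs from remote")
        if vpn["p2_proposal"] != peer["vpn"]["p2_proposal"]:
            findings.append(f"{tag}: phase 2 proposal differs from remote")
        # Static route: give it a next hop, and cover the remote LAN rather than one /32.
        if route["gateway"] is None:
            findings.append(f"{tag}: static route has no gateway address")
        if not ip_network(route["dest"]).supernet_of(ip_network(peer["lan"])):
            findings.append(f"{tag}: route {route['dest']} does not cover remote LAN {peer['lan']}")
    if a["gateway"]["preshare"] != b["gateway"]["preshare"]:
        findings.append("pre-shared keys differ")
    # VPN monitor makes that end initiate; with both initiating, neither end responds.
    if a["vpn"]["monitor"] and b["vpn"]["monitor"]:
        findings.append("VPN monitor enabled on both ends; enable it on one only")
    return findings


# Site A as the thread describes it (constructed values; interface names assumed).
SITE_A = {
    "public_interface": "ethernet0/0", "public_ip": "8.8.8.1", "lan": "10.1.1.0/24",
    "gateway": {"peer_ip": "7.7.7.2", "outgoing_interface": "ethernet0/0",
                "p1_proposal": "pre-g2-aes128-sha", "preshare": "example-psk"},
    "vpn": {"p2_proposal": "g2-esp-aes128-sha", "monitor": True},
    "route": {"dest": "172.16.0.0/16", "gateway": "172.16.1.1"},
}
# Site B carrying the mistakes the reply lists (constructed): peer IP typo, a zone
# name where the outgoing interface belongs, a /32 route with no next hop, monitor on.
SITE_B = {
    "public_interface": "ethernet0/2", "public_ip": "7.7.7.2", "lan": "172.16.0.0/16",
    "gateway": {"peer_ip": "8.8.8.11", "outgoing_interface": "untrust",
                "p1_proposal": "pre-g2-aes128-sha", "preshare": "example-psk"},
    "vpn": {"p2_proposal": "g2-esp-aes128-sha", "monitor": True},
    "route": {"dest": "10.1.1.100/32", "gateway": None},
}
```

Running check_tunnel(SITE_A, SITE_B) lists five findings, one per mistake in SITE_B plus the double monitor; correcting those values on site B returns an empty list.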