ScreenOS Firewalls (NOT SRX)
New User
Networkguru32
Posts: 3
Registered: ‎06-05-2008
0

Cisco VPN client and SSG550

I am trying to configure the SSG 550 to accept a VPN connection from a Cisco VPN client using a dynamic IP address.  I have tried several different configurations on the SSG, but keep getting the error unknown peer from the SSG.  It appears that the SSG is showing the peer based on the source IP.  Has anyone managed to get the Cisco VPN client to work with the SSG?  Please let me know.

 

Thanks,

Jack.

Super Contributor
sylvain
Posts: 162
Registered: ‎12-20-2007
0

Re: Cisco VPN client and SSG550

Hi,

 

I'm sorry, but the Cisco IPsec client is not supported with the SSG device.

You have to use the Netscreen Remote Client for a client to Site VPN. 

New User
Networkguru32
Posts: 3
Registered: ‎06-05-2008
0

Re: Cisco VPN client and SSG550

I am one of those weirdos that wants to know why the Cisco VPN client won't work with the Netscreen.  I think standards are very important in the industry, and IPSec should be a standard.  Do you happen to know why the Cisco VPN client is not supported by the SSG550?  What part of the IPSec protocol does Cisco/Juniper not adhere to or support?  I have done sniffer traces from my Cisco VPN client and see where the group name is being passed to the Juniper from the Cisco client, however, the Juniper seems to be insistent on using the source IP for identification.  I keep getting the error in the Juniper logs of unknown VPN client <IP Address>.  Any ideas?

 

Thanks,

The Guru

Super Contributor
sylvain
Posts: 162
Registered: ‎12-20-2007
0

Re: Cisco VPN client and SSG550

Hi,

 

The Netscreen Client is very standards-aware: I mean you can specify any parameter of the IPsec protocol (encryption level/algorithm, PSK, proxy ID, ...). I don't think it is the same with the Cisco one (correct me if I'm wrong): you only specify login and password, and then the client gets all the other parameters from the gateway. That's why I think it does not work.

 

So Cisco and Juniper IPsec negotiations are a bit different (in a client-to-site scenario), even if they use the same protocol: IPsec.

New User
Networkguru32
Posts: 3
Registered: ‎06-05-2008
0

Re: Cisco VPN client and SSG550

I know that the Netscreen client and the Cisco Client don't play well together on the same computer, so I can understand this issue.  I do need to configure the SSG to support VPNs from dynamic IP addresses (most connections will be coming from cable/DSL users).  Do you have any information on how to configure the SSG for VPNs from dynamic IP addresses?

Super Contributor
sylvain
Posts: 162
Registered: ‎12-20-2007
0

Re: Cisco VPN client and SSG550

Yes :

 

Here is an example with a site to site connection :

http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c19038cc

 

In a client to site case, you must use the "Dialup VPN" object "255.255.255.255/32" as your source. Here is an example :

http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=02520308dcd5d010908cb3e2e007ea4

Visitor
kal
Posts: 7
Registered: ‎02-02-2012
0

Re: Cisco VPN client and SSG550

The thread is really old, but I believe it might be possible.

But you have to use certificates to get this done.

 

I believe junos/netscreen sends IP as groupname?

Using certs lets you complete phase1 without that mismatch.

 

I haven't gotten this working, but I want to try this out myself.  Will post back if I have success.

(btw this is why the Shrew Soft client works with Cisco or Juniper: because it's flexible in what negotiation you send to the server)

 

 

Super Contributor
Spud
Posts: 136
Registered: ‎02-08-2008
0

Re: Cisco VPN client and SSG550

If there's an option in the Cisco client to send an FQDN or U-FQDN (User fully-qualified domain name; same format as an email address) as the local IKE ID, then you should be able to connect without a certificate. I've used this method to connect using Shrew and IPSecuritas clients.
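
Added example, not part of the original posts: a Python sketch that decodes the IKEv1 Identification payload seen in a sniffer trace, so you can check which ID type and value a client actually sends, then looks it up in a simplified peer table. The sample payloads, the `vpngroup` and `jack@example.com` identities, the group-name-as-`ID_KEY_ID` case and the lookup model are constructed assumptions, not ScreenOS or Cisco behaviour taken from this thread.

```python
import ipaddress
import struct

# ID type values from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}


def parse_id_payload(payload: bytes) -> dict:
    """Decode one IKEv1 Identification payload (generic header + DOI fields)."""
    if len(payload) < 8:
        raise ValueError("truncated Identification payload")
    _next, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", payload[:8])
    if length < 8 or length > len(payload):
        raise ValueError("payload length field does not match the data")
    data = payload[8:length]
    if id_type == 1:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        value = str(ipaddress.IPv4Address(data))
    else:
        # FQDN, U-FQDN and KEY_ID are shown as text; undecodable bytes are escaped.
        value = data.decode("ascii", errors="backslashreplace")
    return {"type": ID_TYPES.get(id_type, f"unknown({id_type})"), "value": value,
            "protocol": proto, "port": port}


def match_peer(identity: dict, configured: dict):
    """Simplified lookup on (ID type, value); None means 'unknown peer'."""
    return configured.get((identity["type"], identity["value"]))


def build_id_payload(id_type: int, data: bytes) -> bytes:
    """Helper that builds constructed sample payloads for this example."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), id_type, 17, 500) + data


# Constructed samples: U-FQDN, group name as ID_KEY_ID, and a dynamic source IP.
SAMPLES = {
    "ufqdn": build_id_payload(3, b"jack@example.com"),
    "keyid": build_id_payload(11, b"vpngroup"),
    "ipv4": build_id_payload(1, ipaddress.IPv4Address("203.0.113.25").packed),
}
# Hypothetical gateway configuration: one dial-up user keyed on a U-FQDN.
CONFIGURED = {("ID_USER_FQDN", "jack@example.com"): "dialup-jack"}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ident = parse_id_payload(raw)
        print(name, ident["type"], ident["value"], "->", match_peer(ident, CONFIGURED) or "unknown peer")
```

Only the identity whose type and value both match a configured entry resolves to a peer; an address-based or key-ID identity from a dynamic client falls through to "unknown peer" in this model.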

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009
0

Re: Cisco VPN client and SSG550

Hi,

 

Cisco VPN client will not work with the SSG. After the certificate authentication has completed the client sends a vendor specific parameter and drops the IKE negotiation because the remote GW is not a Cisco one...

Kind regards,
Edouard
Contributor
NCP
Posts: 15
Registered: ‎05-03-2011
0

Re: Cisco VPN client and SSG550

Use the NCP Client. It is the best in the industry and it works - fast and reliable.

 

http://www.ncp-e.com

 

There are two IPsec clients. The Universal Client which will work against any IPsec VPN gateway and the Juniper Edition client which is cheaper but only will work against Juniper gateways.

 

The Configuration Guides provide details on how to configure it all:

http://www.ncp-e.com/en/support/library/config-guides.html

 

Kind regards,

Rainer

Best Regards,
Rainer Enders