Screen OS

  • 1.  Dial-Up VPN with Juniper SSG5

    Posted 04-13-2015 09:42

    Hi all!

    I know there are many threads about this and many documents; I have read each of them and still I am not able to achieve the simple purpose of communicating two computers, which is quite upsetting =(


    I am in a "hypothetical scenario", which is the one shown in the figure I have attached.


    esquema.png

    I just want to communicate "computer 1" with "computer 2". For this, I have followed these papers (https://www.shrew.net/support/Howto_Juniper_SSG, http://kb.juniper.net/InfoCenter/index?page=content&id=KB6233, ...), but with no success, so I guess I am doing and/or considering something wrong.


    I use Shrew soft to connect to the VPN. I can connect to the VPN but then nothing happens. Part of the important configuration in Shrew is the following one:


    shrew.png


    And after this the configuration of computer 1 is the following:

    sdfsdf.png


    But I cannot ping either the interface eth0/1 or computer 2... Even in the log for the VPN policy, nothing is shown.

    The configuration of the Juniper:


    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst 
    set zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "MGT" block 
    set zone "DMZ" tcp-rst 
    set zone "VLAN" block 
    unset zone "VLAN" tcp-rst 
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "Trust"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    unset interface vlan1 ip
    set interface ethernet0/0 ip 192.168.1.33/24
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 176.0.0.1/24
    set interface ethernet0/1 nat
    set interface bgroup0 ip 172.0.0.1/24
    set interface bgroup0 nat
    set interface "ethernet0/0" pmtu ipv4
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage telnet
    set interface ethernet0/0 manage snmp
    set interface ethernet0/0 manage ssl
    set interface ethernet0/0 manage web
    set interface ethernet0/0 dhcp client enable
    set interface ethernet0/1 dhcp server service
    set interface bgroup0 dhcp server service
    set interface ethernet0/1 dhcp server enable
    set interface bgroup0 dhcp server auto
    set interface ethernet0/1 dhcp server option lease 1440000 
    set interface ethernet0/1 dhcp server option gateway 176.0.0.1 
    set interface ethernet0/1 dhcp server option netmask 255.255.255.0 
    set interface bgroup0 dhcp server option netmask 255.255.255.0 
    set interface bgroup0 dhcp server option dns1 80.58.61.250 
    set interface bgroup0 dhcp server option dns2 80.58.61.254 
    set interface ethernet0/1 dhcp server ip 176.0.0.2 to 176.0.0.20 
    unset interface ethernet0/1 dhcp server config next-server-ip
    unset interface bgroup0 dhcp server config next-server-ip
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set address "Trust" "176.0.0.0/24" 176.0.0.0 255.255.255.0
    set ippool "pool_user" 10.0.0.1 10.0.0.10
    set user "user" uid 3
    set user "user" type xauth
    set user "user" password "KkAAQbdPNikJrysqcOCVtrle9KnDeyXy9Q=="
    unset user "user" type auth
    set user "user" "enable"
    set user "vpn_user" uid 2
    set user "vpn_user" ike-id fqdn "user.vpn.com" share-limit 5
    set user "vpn_user" type ike
    set user "vpn_user" "enable"
    set user-group "user_group" id 2
    set user-group "user_group" user "vpn_user"
    set ike gateway "gateway_vpn" dialup "user_group" Aggr local-id "gateway.vpn.com" outgoing-interface "ethernet0/0" preshare "FI027hmdNCvXtDsV+VCtFwj3NKnaiEMyXQ==" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
    unset ike gateway "gateway_vpn" nat-traversal udp-checksum
    set ike gateway "gateway_vpn" nat-traversal keepalive-frequency 5
    set ike gateway "gateway_vpn" xauth
    unset ike gateway "gateway_vpn" xauth do-edipi-auth
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set xauth default ippool "pool_user"
    set vpn "tunel_cliente_vpn" gateway "gateway_vpn" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-des-md5"  "nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5" 
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set anti-spam profile ns-profile
     set sbl default-server enable
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
    set policy id 1
    exit
    set policy id 2 name "vPN" from "Untrust" to "Trust"  "Dial-Up VPN" "176.0.0.0/24" "ANY" tunnel vpn "tunel_cliente_vpn" id 0x5 
    set policy id 2
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit


    If anyone can help or give me a hint I would be really grateful. Thanks in advance.




  • 2.  RE: Dial-Up VPN with Juniper SSG5

    Posted 04-13-2015 21:45

    Hi,


    Under 'General', try selecting 'Use a virtual adapter and assigned address'.


    If that does not help, collect flow debug:

    set ff src-ip 10.0.0.1
    set ff dst-ip 10.0.0.1
    clear db
    debug flow basic

    <<<Try to ping 176.0.0.x from the 10.0.0.1 machine>>>

    Press Esc on firewall CLI
    set console page 0
    get db st



  • 3.  RE: Dial-Up VPN with Juniper SSG5

    Posted 04-14-2015 00:57

    Thanks for your reply, Gokul.

    I have configured Shrew again and tried debugging the flow, but nothing appears. I have also tried to see traffic flow under the policy I had configured (doing a ping from 10.0.0.1 to 176.0.0.2), but there is no entry or record about this, which makes me think the traffic is not even reaching the Juniper...


    Any other suggestions or hints?

    Thanks and kind regards




  • 4.  RE: Dial-Up VPN with Juniper SSG5
    Best Answer

    Posted 04-14-2015 01:28

    You are welcome :)


    Yes, it is possible that the packet is not even reaching the firewall.


    Given that your machine is receiving an IP address from the pool, I am pretty sure that the VPN establishes fine. But, it is still worth checking... once you try to connect to the VPN, check the event log (get event) on the firewall. It should say something like 'completed phase-2 negotiations'.


    You can also check 'get sa' - you should see an entry for the PC IP address, i.e., 192.168.1.x


    Given that this is a completely internal setup, I do not see why VPN packets would not make it to the firewall. It could be an issue on the end machine itself.


    If you have Wireshark installed on that machine, please collect a packet capture when trying to send traffic through the VPN, and see if traffic leaves the machine.



  • 5.  RE: Dial-Up VPN with Juniper SSG5

    Posted 04-14-2015 01:41

    Thanks Gokul! I have started again following your recommendations and everything works fine now. I will continue building the second part of the network.


    Thanks and have a nice day or night!



  • 6.  RE: Dial-Up VPN with Juniper SSG5

    Posted 04-14-2015 02:25

    Glad that I could help. :)


    If it is OK, can you please let us know what was wrong with the initial configuration? It might help other users who may get into a similar problem.



  • 7.  RE: Dial-Up VPN with Juniper SSG5

    Posted 04-14-2015 08:43

    Hi,

    Of course. I think it was a problem with the Shrew Soft configuration, as I was mixing the two configurations which are explained in the guides of the first post. Finally, I used the one explained here (https://www.shrew.net/support/Howto_Juniper_SSG) and checked that I use the 'Use a virtual adapter and assigned address' option.


    Continuing with the post I would like to ask one more question:

    - Is it possible to access the Internet (the Google DNS server, for example) from "computer 1" using the VPN connection? I have tried setting the DNS of the IP Pool to 8.8.8.8 and checking "Obtain topology Automatically or Tunnel All", but with no success. Do I need a special policy for that?


    Thanks!



  • 8.  RE: Dial-Up VPN with Juniper SSG5

    Posted 04-14-2015 20:17

    Yes, it can be done. But the setup is not straightforward.


    You will have a better chance of success with route based VPN than having it policy based. There is a KB article on building a route based Dialup VPN. You can start from here.


    Also, I am not sure what "Obtain topology Automatically or Tunnel All" does on Shrew. I would rather change the 'Remote network resource' from 176.0.0.0/24 to 0.0.0.0/0.



  • 9.  RE: Dial-Up VPN with Juniper SSG5

    Posted 04-15-2015 08:10

    Goood!! I have set up the route based VPN and I have access to the Internet 😃 (I attach the configurations of Juniper and Shrew Soft in case someone is in trouble).


    Then, the complete scenario I want to achieve is the one shown in the picture. I have a user (computer one) who wants to access a service in a third party device (computer 2). Due to restrictions, the remote user needs to go through firewall 1 (SSG5-1) before accessing the network where computer 2 is.


    esquema2.png


    There is a VPN between the user and SSG5-1 and another one for the site-to-site route based vpn between SSG5-1 and SSG5-2:

      1. In SSG5-1:
        • Two interfaces: “tunnel.1” for the first VPN and “tunnel.2” for the second, site-to-site VPN. Both are on eth0/0.
        • Two routes: set route 10.0.0.0/24 interface tunnel.1  &&  set route 172.0.0.0/24 interface tunnel.2
        • Proxy ID in both: 0.0.0.0/0  |  255.255.255.255/32
      2. In SSG5-2:
        • One interface: “tunnel.1” for the site-to-site VPN on eth0/0
        • One route: set route 176.0.0.0/24 interface tunnel.1
        • Proxy ID = 0.0.0.0/0  |  255.255.255.255/32

    Now, at this point, I cannot solve two main points:


    • How do I redirect the traffic coming from computer 1 and arriving at VPN1 to the site-to-site VPN so it reaches computer 2? Or is it not necessary, since with these connections I can ping computer 2 directly from computer 1?
    • In Shrew Soft-> what policy should I place? I guess that 0.0.0.0/0, but I am not sure if that is correct.

    If you could give me a hint so I can continue with it 😃

    Thanks for your help.

    Attachment(s): -cfg.txt (6 KB), vpn.txt (1 KB)
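To see what the routes listed in this post do with each direction of the computer 1 to computer 2 flow, here is an added Python model (not from the thread or its attached configs) that performs a longest-prefix lookup on each firewall's route table as listed, plus the Shrew Soft 'Remote network resource' check from the previous reply. Each firewall's directly connected routes and the name of SSG5-2's LAN interface are assumptions.

```python
import ipaddress

# Route tables constructed from the routes listed in the post above
# ("set route <prefix> interface <tunnel>") plus each firewall's directly
# connected network from the thread's addressing. These are assumptions,
# not the author's attached configuration files.
SSG5_1_ROUTES = {
    "10.0.0.0/24": "tunnel.1",      # dial-up pool, VPN1 to computer 1
    "172.0.0.0/24": "tunnel.2",     # site-to-site VPN to SSG5-2
    "176.0.0.0/24": "ethernet0/1",  # SSG5-1's own LAN (assumed connected)
}
SSG5_2_ROUTES = {
    "176.0.0.0/24": "tunnel.1",     # site-to-site VPN back to SSG5-1
    "172.0.0.0/24": "bgroup0",      # computer 2's LAN (interface name assumed)
}
HOPS = [("SSG5-1", SSG5_1_ROUTES), ("SSG5-2", SSG5_2_ROUTES)]


def lookup(routes, dst):
    """Longest-prefix match over one route table; None means no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def client_sends_into_tunnel(remote_networks, dst):
    """Shrew Soft only encrypts traffic whose destination is inside one of the
    'Remote network resource' entries; 0.0.0.0/0 sends everything."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(n) for n in remote_networks)


def trace(dst, hops):
    """Egress interface chosen at each firewall, in the order the packet hits them."""
    return [(name, lookup(routes, dst)) for name, routes in hops]


if __name__ == "__main__":
    # Forward path: computer 1 (10.0.0.1) to computer 2 (172.0.0.2).
    print(client_sends_into_tunnel(["176.0.0.0/24"], "172.0.0.2"))  # False
    print(client_sends_into_tunnel(["0.0.0.0/0"], "172.0.0.2"))     # True
    print(trace("172.0.0.2", HOPS))
    # Return path hits SSG5-2 first, then SSG5-1.
    print(trace("10.0.0.1", list(reversed(HOPS))))
```

With only the routes listed, the forward packet is carried over tunnel.2, but the return packet for 10.0.0.1 finds no matching route on SSG5-2, so the pool network's reachability from the SSG5-2 side is worth checking together with the policies.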