Screen OS

  • 1.  Gre over IPSEC with MIP

    Posted 06-16-2010 01:53

    Hi all,

    I have to create GRE over IPsec on an NS5GT with ScreenOS 5.4. My customer's partner sent me a configuration example, but it is for Cisco.

    Now I want to implement it on the NS5GT:

    On my router's trust interface I have IP 192.168.x.x, but in this VPN I have to use 10.146.45.0/24.

     

    All parameters and my configuration are below:

    I put IP 10.146.x.x on the tunnel.2 interface with a MIP:

    set interface "tunnel.2" zone "VPN"
    set interface tunnel.2 ip 10.146.45.1/24
    set interface tunnel.2 tunnel encap gre
    set interface tunnel.2 tunnel local-if loopback.1 dst-ip 10.146.254.1
    set interface "tunnel.2" mip 10.146.45.1 host 192.168.248.1 netmask 255.255.255.248 vr "trust-vr"

    IKE parameters:

    • 3DES for key encryption
    • a hash algorithm of MD5 for data integrity
    • Diffie-Hellman group 1
    • An SA lifetime of 86,400 seconds with no volume limit
    • aggressive mode turned off

    set ike gateway "VPN-GW" address 5.5.5.5 Main outgoing-interface "untrust" preshare "xxx" proposal "pre-g1-3des-md5"

     

    • ESP-3DES for encryption and data integrity
    • a hash algorithm of ESP-MD5 for data integrity
    • no compression method
    • a lifetime of 3600 seconds with a volume limit of 4,608,000 kilobytes

    set vpn "VPN2" gateway "VPN-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
    set vpn "VPN2" id 11 bind interface tunnel.2
    set vpn "VPN2" proxy-id local-ip 10.146.45.0/24 remote-ip 10.132.19.0/24 "ANY"

    I created a route for this VPN:

    set route 10.132.19.0/24 interface tunnel.2 preference 20

     

     

    And now follows the difficult part for me, where I am stuck:

    GRE Tunnel1 Address: 10.146.1.142
    GRE Tunnel2 Address: 10.146.1.141
    The RP IP: 10.132.19.14

    tunnel Source IP: 10.146.0.45 - I put this IP address on a loopback interface and assigned it to the tunnel.2 interface
    tunnel dest IP: 10.146.254.1

    Configure ip pim sparse-mode and multicast-routing in your configurations

     

    ip route 10.135.70.0 255.255.255.0 (ip address of corporate internet router)
    ip route 10.135.71.0 255.255.255.0 (ip address of corporate internet router)

    access-list 100 permit ip 10.146.45.0 0.0.0.255 10.135.70.0 0.0.0.255
    access-list 100 permit ip 10.146.45.0 0.0.0.255 10.135.71.0 0.0.0.255

    Can you give me some advice or documentation so I can finish this config?

     

    Now in the event log I can see:

    Phase 2: No policy exists for the proxy ID received: local ID (<10.146.0.45>/<255.255.255.255>, <47>, <0>) remote ID (<10.146.254.1>/<255.255.255.255>, <47>, <0>).

     

     

    Thanks!


  • 2.  RE: Gre over IPSEC with MIP

    Posted 06-16-2010 03:28

    Hi!

     

    Knowledge base ID KB6126 might be a good starting point. It contains further links inside.

     

    But I see another problem: the proxy IDs mismatch. Try to configure ACL 100 on the Cisco with a normal mask (not an inverse one).

     

    Kind regards,

    Edouard



  • 3.  RE: Gre over IPSEC with MIP

    Posted 06-16-2010 04:26

    Hi Edouard,

     

    I don't have access to the customer's partner's Cisco router; they sent me only a configuration example, which I can implement on the NS5GT.

    I already read KB6126; that's why I know this config is possible.

    But my configuration is a little different, plus I have to use a loopback interface, as I understand.

    Thanks for the information.

    I have created policies, but without success:

    set policy id 16 from "Trust" to "vpn"  "Any" "Any" "ANY" permit log 
    set policy id 15 from "vpn" to "Trust"  "Any" "Any" "ANY" permit log 

     

     

    Thanks!



  • 4.  RE: Gre over IPSEC with MIP

    Posted 06-16-2010 05:02

    Hi,

     

    You cannot start a VPN tunnel between an SSG and a Cisco if the proxy IDs mismatch.

    If the partner is not flexible and does not want to customize the Cisco, try to re-configure the proxy IDs this way: local ID 10.146.0.45/32, remote ID 10.146.254.1/32. Hopefully the Cisco will not be dropping the packets with 10.146.0.xxx IPs because they are allowed by the Cisco's ACL. If you get a reasonable output with "get sa", then you can proceed with GRE.

     

    Kind regards,

    Edouard



  • 5.  RE: Gre over IPSEC with MIP

    Posted 06-16-2010 06:07

    Hi,

     

    I changed the proxy ID:

    set vpn "VPN2" proxy-id local-ip 10.146.0.45/32 remote-ip 10.146.254.1/32 "ANY"

    but without success:

    Phase 2: No policy exists for the proxy ID received: local ID (<10.146.0.45>/<255.255.255.255>, <47>, <0>) remote ID (<10.146.254.1>/<255.255.255.255>, <47>, <0>).

    As I understand it, the proxy ID on the Cisco has to be as in my first post, correct?

    In the first step I have to establish IPsec and after that the GRE tunnel?

     

    Thanks!

     



  • 6.  RE: Gre over IPSEC with MIP

    Posted 06-16-2010 23:53

    Hi!

     

    The second variant of the proxy ID is correct (nearly). This is what the Cisco sends during phase two. What I overlooked is <47>. Please try this:

    set vpn "VPN2" proxy-id local-ip 10.146.0.45/32 remote-ip 10.146.254.1/32 GRE

    GRE is IP protocol number 47. Apparently IPsec on the Cisco is configured with this protocol only (not "Any").

     

    Kind regards,

    Edouard
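
Why the second proxy ID still failed, shown as an added example that is not code from this thread, from Juniper or from Cisco: a small Python checker that parses the ScreenOS phase-2 event quoted above, the three "set vpn ... proxy-id" variants posted in the thread, and a Cisco crypto ACL entry with its inverse mask, and reports field by field where the configured proxy ID differs from what the peer proposed. Assumptions: the regexes are written against the exact strings in this thread (other ScreenOS event formats need adjusting), the service-to-protocol tables are the standard IP protocol numbers, and the logged "local ID" is taken to be already oriented from the NS5GT's point of view, which is what the fix that worked implies. All sample lines are constructed from the posts.

```python
"""Proxy-ID consistency check for a ScreenOS <-> Cisco IPsec peer (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# IP protocol numbers behind the proxy-id service keyword / Cisco ACL keyword.
# "ANY" / "ip" negotiate protocol 0 (wildcard); GRE is protocol 47.
SERVICE_PROTO = {"ANY": 0, "GRE": 47, "TCP": 6, "UDP": 17, "ESP": 50, "AH": 51}
CISCO_PROTO = {"ip": 0, "gre": 47, "tcp": 6, "udp": 17, "esp": 50}


@dataclass(frozen=True)
class ProxyId:
    """One IKE phase-2 traffic selector pair, seen from the ScreenOS side."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: int
    port: int = 0


# Regexes constructed against the exact strings quoted in the thread.
EVENT_RE = re.compile(
    r"local ID \(<(?P<lip>[\d.]+)>/<(?P<lmask>[\d.]+)>, <(?P<lproto>\d+)>, <(?P<lport>\d+)>\) "
    r"remote ID \(<(?P<rip>[\d.]+)>/<(?P<rmask>[\d.]+)>, <(?P<rproto>\d+)>, <(?P<rport>\d+)>\)"
)
CONFIG_RE = re.compile(
    r'set vpn "(?P<vpn>[^"]+)" proxy-id local-ip (?P<local>\S+) remote-ip (?P<remote>\S+) "?(?P<svc>[A-Za-z]+)"?'
)
ACL_RE = re.compile(
    r"access-list \d+ permit (?P<proto>\w+) (?P<src>[\d.]+) (?P<swc>[\d.]+) (?P<dst>[\d.]+) (?P<dwc>[\d.]+)"
)


def parse_event(line: str) -> ProxyId:
    """Proxy ID the peer proposed, as ScreenOS logs it (assumed already in our orientation)."""
    m = EVENT_RE.search(line)
    if m is None:
        raise ValueError("not a phase-2 proxy-ID event")
    return ProxyId(
        local=ipaddress.ip_network(f"{m['lip']}/{m['lmask']}", strict=False),
        remote=ipaddress.ip_network(f"{m['rip']}/{m['rmask']}", strict=False),
        proto=int(m["lproto"]),
        port=int(m["lport"]),
    )


def parse_config(line: str) -> ProxyId:
    """Proxy ID from a ScreenOS 'set vpn ... proxy-id' line."""
    m = CONFIG_RE.search(line)
    if m is None:
        raise ValueError("not a proxy-id config line")
    return ProxyId(
        local=ipaddress.ip_network(m["local"], strict=False),
        remote=ipaddress.ip_network(m["remote"], strict=False),
        proto=SERVICE_PROTO[m["svc"].upper()],
    )


def wildcard_to_network(ip: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco inverse (wildcard) mask -> prefix; 0.0.0.255 denotes a /24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((ip, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_cisco_acl(line: str) -> ProxyId:
    """Crypto ACL entry -> proxy ID: source = local, destination = remote."""
    m = ACL_RE.search(line)
    if m is None:
        raise ValueError("not a crypto ACL entry")
    return ProxyId(
        local=wildcard_to_network(m["src"], m["swc"]),
        remote=wildcard_to_network(m["dst"], m["dwc"]),
        proto=CISCO_PROTO[m["proto"].lower()],
    )


def mismatches(configured: ProxyId, received: ProxyId) -> list:
    """Fields where our proxy ID differs from the peer's; empty means phase 2 can match."""
    out = []
    for field in ("local", "remote", "proto", "port"):
        mine, theirs = getattr(configured, field), getattr(received, field)
        if mine != theirs:
            out.append(f"{field}: configured {mine}, peer sent {theirs}")
    return out


# Sample input, constructed from the lines quoted in the thread.
EVENT = ("Phase 2: No policy exists for the proxy ID received: local ID "
         "(<10.146.0.45>/<255.255.255.255>, <47>, <0>) remote ID "
         "(<10.146.254.1>/<255.255.255.255>, <47>, <0>).")
FIRST_CFG = 'set vpn "VPN2" proxy-id local-ip 10.146.45.0/24 remote-ip 10.132.19.0/24 "ANY"'
SECOND_CFG = 'set vpn "VPN2" proxy-id local-ip 10.146.0.45/32 remote-ip 10.146.254.1/32 "ANY"'
FIXED_CFG = 'set vpn "VPN2" proxy-id local-ip 10.146.0.45/32 remote-ip 10.146.254.1/32 GRE'

if __name__ == "__main__":
    received = parse_event(EVENT)
    for cfg in (FIRST_CFG, SECOND_CFG, FIXED_CFG):
        problems = mismatches(parse_config(cfg), received)
        print(cfg)
        print("  " + ("OK" if not problems else "; ".join(problems)))
```

Run as is, the first variant reports three mismatches, the second only the protocol ("ANY" negotiates 0 while the peer insists on 47), and the GRE variant none, which is the state in which phase 2 can complete. The ACL parser only converts the 0.0.0.255 wildcard from the partner's example into the /24 it denotes, so both notations describe the same selector; what ScreenOS compares is address, mask, protocol and port, and all four have to agree.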



  • 7.  RE: Gre over IPSEC with MIP

    Posted 06-16-2010 23:59

    Hi Edouard,

     

    Yes, that helped with the IPsec tunnel 🙂 Thanks!

    As I understand it, now I have to create the GRE tunnel, correct?

  • 8.  RE: Gre over IPSEC with MIP

    Posted 06-17-2010 01:00

    Hi!

     

    I assume that you have got it already 🙂. As I understand, you are going to transport multicast through the tunnel. It would be nice to avoid using the PIM protocol. ScreenOS supports IGMP Proxy functionality. You might configure tun.2 in IGMP Host mode, the trust interface in IGMP Router mode and create a multicast policy that allows IGMP in both directions. I have never tried this with GRE and a third-party device. But it works fine with SSGs and VPN. I could transport multicast over a chain of SSGs and IPsec tunnels, using IGMP Proxy only (no PIM!).

    I would recommend to read the ScreenOS C&E, Routing, Chapters 8 and 9.

     

    Kind regards,

    Edouard



  • 9.  RE: Gre over IPSEC with MIP

    Posted 06-17-2010 03:20

    Hi,

     

    thanks for your help.

    I will study these chapters.

    I have one more question about routes.

    In the configuration example for the Cisco there are a few routes which I have to create:

    ip route 10.135.70.0 255.255.255.0 (ip address of corporate internet router)
    ip route 10.135.71.0 255.255.255.0 (ip address of corporate internet router)
    ..........

    Do I create these routes on the NS5GT in this way?

    set route x.x.x.x/x interface tunnel.2 preference 20

    Thanks!



  • 10.  RE: Gre over IPSEC with MIP
    Best Answer

    Posted 06-17-2010 03:48

    Hi Zigmunds,

     

    Yes, that's correct. You do not need to configure the next hop nor NHTB entries if you have one VPN per tunnel interface.

    I would also recommend creating a second set of routes for the same networks that have a higher metric and the Null interface as the outgoing one. These routes will drop unencrypted packets if the tunnel interface goes down and its associated routes become inactive.

     

    Kind regards,

    Edouard
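
The fail-closed routing advice above, as an added example that is not from this thread or from Juniper: a Python model of the route table, assuming a simplified ScreenOS-style selection (active routes only, longest prefix first, then lowest preference; routes on a down interface are inactive; the Null interface never goes down). The route entries are constructed: the thread's 10.132.19.0/24 via tunnel.2 at preference 20, a default route via untrust at preference 20, and a hypothetical backup route for the same prefix on the Null interface at preference 30. The interface name "null" and the preference values are assumptions of the model, not ScreenOS syntax.

```python
"""Fail-closed routing for a route-based VPN, ScreenOS style (added example)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical name for the Null interface in this model.
NULL_IF = "null"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    preference: int  # lower wins, as with ScreenOS route preference


class RouteTable:
    """Simplified route table: routes on a down interface are inactive and
    ignored; Null routes never go down, which is what makes them a catch-all
    for the VPN prefix when the tunnel interface disappears."""

    def __init__(self, routes, interfaces_up):
        self.routes = list(routes)
        self.up = set(interfaces_up)

    def active(self):
        return [r for r in self.routes
                if r.interface == NULL_IF or r.interface in self.up]

    def lookup(self, dst: str):
        d = ipaddress.ip_address(dst)
        matches = [r for r in self.active() if d in r.prefix]
        if not matches:
            return None
        # Longest prefix first, then lowest preference.
        return max(matches, key=lambda r: (r.prefix.prefixlen, -r.preference))


def egress(table: RouteTable, dst: str) -> str:
    """'tunnel.2' (encrypted), 'untrust' (clear text), or 'drop'."""
    r = table.lookup(dst)
    if r is None or r.interface == NULL_IF:
        return "drop"
    return r.interface


def build_table(with_null_route: bool, tunnel_up: bool) -> RouteTable:
    net = ipaddress.ip_network
    routes = [
        # Constructed: default route toward the ISP, static preference 20.
        Route(net("0.0.0.0/0"), "untrust", 20),
        # From the thread: set route 10.132.19.0/24 interface tunnel.2 preference 20
        Route(net("10.132.19.0/24"), "tunnel.2", 20),
    ]
    if with_null_route:
        # Hypothetical backup: same prefix, worse preference, Null interface.
        routes.append(Route(net("10.132.19.0/24"), NULL_IF, 30))
    up = {"untrust", "trust"} | ({"tunnel.2"} if tunnel_up else set())
    return RouteTable(routes, up)


RP = "10.132.19.14"  # the RP address from the partner's example


def scenarios() -> dict:
    """Egress for the RP in each combination; keys are (null_route, tunnel_up)."""
    return {
        (nr, up): egress(build_table(nr, up), RP)
        for nr in (False, True)
        for up in (True, False)
    }


if __name__ == "__main__":
    for (nr, up), out in scenarios().items():
        print(f"null route={nr!s:5} tunnel.2 up={up!s:5} -> {out}")
```

With the tunnel up the Null route never wins, because the tunnel.2 route has the same prefix length and the better preference. With tunnel.2 down and no Null route, a packet for 10.132.19.14 falls through to the default route and leaves untrust in clear text; with the Null route it is dropped. The same backup route is needed for every prefix routed into tunnel.2, including the 10.135.70.0/24 and 10.135.71.0/24 routes asked about above, since a prefix without one still leaks.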



  • 11.  RE: Gre over IPSEC with MIP

    Posted 06-17-2010 04:19

    Hi Edouard,

     

    Thanks for your help!!

     

    Zigmunds