Screen OS


L2TP over IPsec connected by cannot flow back


  • 1.  L2TP over IPsec connected by cannot flow back

    Posted 06-23-2010 20:09

    I followed a document (http://kb.juniper.net/kb/documents/public/VPN/ScreenOS_Windows_L2TP_IPSec.pdf) to set up a dialup VPN using L2TP over IPsec. The connection can be established from a remote computer to the ns25, and the remote computer can ping the trusted port of the ns25 successfully.  But when the remote computer tries to ping a computer on the trusted side, the computer on the trusted side receives the ping request, but the ping echo reply cannot flow back to the remote computer.

    Is that something I have to reset?



  • 2.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-18-2010 19:29

    Any one can help?



  • 3.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-19-2010 00:36

    Hi,

    Are the addresses you have assigned to the dial-up clients a part of the trusted network?

    Kind regards,

    Edouard



  • 4.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-19-2010 03:13

    Thanks for your reply. The address is a completely different network.

    60.60.60.60 (client)

    192.168.1.0 (trusted)



  • 5.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-19-2010 03:34

    Hi,

    Does the trusted computer have an active personal firewall?

    Is IP 60.60.60.60 correctly routed to the SSG?

    Kind regards,

    Edouard



  • 6.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-19-2010 19:32

    60.60.60.60 can reach the trusted side.  The problem is that the trusted side cannot reply to the ICMP request from 60.60.60.60, except for the trusted port of the NS25. Both computers (remote & internal) also have Windows' firewall with ICMP echo enabled.



  • 7.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-20-2010 00:12

    Hi,

    You can send echo requests to the trust interface of the FW and get replies. But if echo requests are sent to a trusted host they reach this host but the client gets no replies. For me it is a routing issue on the host. Have you already checked its routing table using "route print"? If the SSG is not the default gateway for the host and no route for the client IP is configured, the response is sent to another gateway.

    Kind regards,

    Edouard



  • 8.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-20-2010 01:14

    Hi Edouard,

    The default gateway of the trusted host is the trusted port of the FW.



  • 9.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-20-2010 02:51

    Hi,

    I would suggest running a basic debug. The commands are:

    undebug all

    clear db

    set ffilt dst-ip 192.168.1.x (this is the host IP)

    Establish a VPN connection and try to ping 192.168.1.x. Then:

    undebug all

    get db stream

    unset ffilt 0

    Please attach the output from "get db stream".

    Kind regards,

    Edouard



  • 10.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-20-2010 21:29

    Hi Edouard,

    The attached file is the output of "get db stream".

    Regards.


  • 11.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-21-2010 01:29

    Hi Arthur,

    The flow filter has been configured incorrectly or not configured at all. I see only four packets containing 60.60.60.60 as destination and no packets with this IP as the source. But I can conclude that these are responses and they belong to an established connection ("existing session found.."). They are correctly encrypted and sent to the tunnel. What is strange is this:

     out encryption tunnel 4000013b gw:218.189.189.113
      no more encapping needed
      send out through normal path.
      flow_ip_send: 0d70:218.189.189.121->203.184.161.56,50 => ethernet3(136) flag 0x0, vlan 0

    The GW is .113 but the packet src-IP is .121. Should not they be equal?

    Kind regards,

    Edouard
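The check Edouard performs by hand above (count the packets in the "get db stream" output that have the dial-up client as source and as destination, and confirm that the replies were encrypted into the tunnel) can be scripted. The following is an added example written for this thread; it is not code from the original posts or from Juniper. It assumes the line shapes of ScreenOS "debug flow basic" output as quoted in the thread (the `iface:src/port->dst/port,proto` line, "existing session found", "out encryption tunnel ... gw:" and "flow_ip_send"); the sample stream is constructed around the thread's own addresses, and the verdict codes are my own labels for the cases the thread discusses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of "get db stream" output after "debug flow basic",
# modelled on the lines quoted in this thread (not a real capture).
# Client pool address 60.60.60.60, trusted host 192.168.1.6, firewall
# untrust interface .121, ISP next hop .113, client public IP 203.184.161.56.
SAMPLE_STREAM = """\
****** 41269.0: <Untrust/ethernet3> packet received [84]******
  ipid = 25663(641f), @0d8fd2cc
  packet passed sanity check.
  ethernet3:60.60.60.60/512->192.168.1.6/1024,1(8/0)<Root>
  existing session found. sess_id 6478
  flow got session.
  flow_ip_send: 0d70:60.60.60.60->192.168.1.6,1 => ethernet1(84) flag 0x0, vlan 0
****** 41269.1: <Trust/ethernet1> packet received [84]******
  ipid = 25664(6420), @0d8fd3cc
  packet passed sanity check.
  ethernet1:192.168.1.6/1024->60.60.60.60/512,1(0/0)<Root>
  existing session found. sess_id 6478
  flow got session.
  out encryption tunnel 4000013b gw:218.189.189.113
  no more encapping needed
  send out through normal path.
  flow_ip_send: 0d70:218.189.189.121->203.184.161.56,50 => ethernet3(136) flag 0x0, vlan 0
"""

HEADER_RE = re.compile(r"^\*{6} [\d.]+: <(?P<zone>\w+)/(?P<iface>\w+)> packet received \[(?P<length>\d+)\]")
INNER_RE = re.compile(r"^\s*(?P<iface>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
SEND_RE = re.compile(r"flow_ip_send: \w+:(?P<src>[\d.]+)->(?P<dst>[\d.]+),(?P<proto>\d+) => (?P<iface>\w+)")
TUNNEL_RE = re.compile(r"out encryption tunnel (?P<id>\w+) gw:(?P<gw>[\d.]+)")


def parse_stream(text):
    """Split the debug stream into one record per 'packet received' block."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"zone": m["zone"], "in_iface": m["iface"], "inner": None,
                   "send": None, "tunnel_gw": None, "session": False}
            packets.append(cur)
            continue
        if cur is None:
            continue
        if cur["inner"] is None and (m := INNER_RE.match(line)):
            cur["inner"] = (m["src"], m["dst"], int(m["proto"]))   # first (inner) header
        elif m := SEND_RE.search(line):
            cur["send"] = (m["src"], m["dst"], int(m["proto"]), m["iface"])  # what left the box
        elif m := TUNNEL_RE.search(line):
            cur["tunnel_gw"] = m["gw"]                               # next hop for the ESP packet
        elif "existing session found" in line:
            cur["session"] = True
    return packets


def triage(text, client_ip, trusted_net):
    """Count packets per direction relative to the dial-up client and say where to look next."""
    net = ipaddress.ip_network(trusted_net)
    counts, encrypted_replies, next_hops = Counter(), 0, set()
    for pkt in parse_stream(text):
        if pkt["inner"] is None:
            counts["unparsed"] += 1
            continue
        src, dst, _proto = pkt["inner"]
        if src == client_ip and ipaddress.ip_address(dst) in net:
            counts["client_to_trust"] += 1
        elif dst == client_ip and ipaddress.ip_address(src) in net:
            counts["trust_to_client"] += 1
            # A reply only helps the client if it went back out as ESP (IP protocol 50).
            if pkt["tunnel_gw"] and pkt["send"] and pkt["send"][2] == 50:
                encrypted_replies += 1
                next_hops.add(pkt["tunnel_gw"])
        else:
            counts["other"] += 1

    if counts["client_to_trust"] == 0 and counts["trust_to_client"] == 0:
        verdict = "nothing_for_client"      # flow filter wrong, or VPN policy/route never matched
    elif counts["trust_to_client"] == 0:
        verdict = "no_replies_at_firewall"  # look at the host: route print, personal firewall
    elif encrypted_replies < counts["trust_to_client"]:
        verdict = "replies_not_tunnelled"   # firewall side: policy or route for the reply
    else:
        verdict = "replies_tunnelled"       # beyond the firewall: upstream path, ECMP next hop
    return {"counts": dict(counts), "encrypted_replies": encrypted_replies,
            "tunnel_next_hops": sorted(next_hops), "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_STREAM, "60.60.60.60", "192.168.1.0/24"))
```

Feed it the saved "get db stream" text instead of SAMPLE_STREAM. Note that the capture must contain both directions for the counts to mean anything: with a filter that matches only packets towards the host, the script will report "no_replies_at_firewall" even when replies exist, which is exactly the ambiguity Edouard points out about the flow filter. The gateway shown after "gw:" is the next hop the encrypted packet is routed to, while the source of the flow_ip_send line is the firewall's own untrust interface, so the two differing is expected, as the thread later confirms.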



  • 12.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-21-2010 19:31

    Hi Edouard,

    113 is the GW of the FW. 121 is one of the untrusted ports of the FW. I captured the output of "get db stream" again.

    Hope that is helpful.


  • 13.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-22-2010 01:32

    Hi Arthur,

    OK, I see.

    I am confused about two things:

    1. I still see no packets with the source-IP 60.60.60.60. Do you see them while successfully pinging the FW trust interface? Have you checked if the VPN policy is configured with the correct destination object (trust network)?

    2. You wrote "one of untrusted port". What do you mean?

    Kind regards,

    Edouard



  • 14.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-22-2010 19:42

    Hi Edouard,

    1. The VPN policy is correct (Dialup VPN > 192.168.1.0/24). I don't see any packet from debug flow when pinging 192.168.1.6, but I saw the following in the log of the policy. By the way, I just changed the IP pool from 60.60.60.60 to 192.168.203.x to make it easier to debug.

    2010-07-23 10:30:19  192.168.203.1:3072  192.168.1.6:1280  192.168.203.1:3072  192.168.1.6:1280  ICMP  4 sec.  6478  Close - RESP

    2. That means we set up 2 untrusted ports for balancing.



  • 15.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-23-2010 00:57

    Hi!

    1. If you can see log entries but nothing appears in the debug output, this means that the flow filter is configured incorrectly. The debug and snoop are the only tools that enable the capture of the packets that are dropped before a policy is applied, or of those dropped by the default policy. Such packets are not logged but can be captured by debug or snoop.

    I would recommend enabling logging on the session start. If you see no session start log entries while pinging an internal host from the client, this might mean that:

    a. No packets reach the FW (a client problem).

    b. The packets reach the FW but cannot be routed (drop-before-the-policy).

    c. No matching policy is found (drop per default policy).

    To log the case c. you can configure a global policy with source and destination zones "Global", source and destination objects "Any", service "Any", action "Drop" and logging on the session start.

    2. I am even more confused. ScreenOS does not support any kind of load balancing except Equal Cost Multipath Routing, but its usability is limited and depends substantially on the surrounding infrastructure.

    Kind regards,

    Edouard



  • 16.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-23-2010 01:13

    Hi!

    1. I am sure the packet can reach the trusted host, because I monitored the network traffic on the trusted host. I saw the IP 192.168.203.1 in the ICMP request. I think the ICMP reply cannot route back.

    2. Yes, you are right. We are using Equal Cost Multipath Routing. Everything is working fine, including 2 site-to-site VPNs, 5 dial-up VPNs, an FTP server, an email server, etc.



  • 17.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-23-2010 01:47

    Hi Arthur,

    The ECMP is most likely the problem. Some ECMP issues are described in ScreenOS "Concepts and examples" and KB-articles.

    If this already works with dial up VPN, I would recommend not using L2TP over IPsec. Otherwise you will invest a lot of time in the investigation with no guarantee of success.

    Kind regards,

    Edouard



  • 18.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-25-2010 21:38

    Hi Edouard,

    Unfortunately, Netscreen Remote does not support Windows 7. The official answer from Juniper said to use L2TP over IPsec via the built-in function of Windows 7. We have some clients using Windows 7.



  • 19.  RE: L2TP over IPsec connected by cannot flow back
    Best Answer

    Posted 07-25-2010 23:55

    Hi Arthur,

    Sorry, I mean a third party IPsec VPN Client. Netscreen Remote is phased out and probably not supported any more. This might be NCP:

    KB17266 - NCP Secure Client – Juniper Edition (IPsec client) FAQ

    or Shrew Soft VPN Client:

    www.shrew.net

    I've heard that people are very satisfied with both clients.

    Kind regards,

    Edouard



  • 20.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-26-2010 23:57

    Hi Edouard,

    Thanks for your information. I tried both pieces of software but was not successful in setting up the VPN. Do you know where I can get an example of setting up a VPN with either software and a Netscreen FW?



  • 21.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-27-2010 00:41

    Hi Arthur,

    The KB17266 contains a couple of useful links for NCP. The site http://www.shrew.net/support contains sample configs for various FWs, including SSG.

    Kind regards,

    Edouard



  • 22.  RE: L2TP over IPsec connected by cannot flow back

    Posted 07-27-2010 00:55

    Hi Edouard,

    The VPN client from Shrew seems fine. NCP is more difficult to set up. However, I can use the VPN client from Shrew to set up the VPN now.

    Thank you very much.