ScreenOS Firewalls (NOT SRX)
STM
Visitor
Posts: 8
Registered: 04-29-2008

Linux to SSG20 ipsec vpn

Howdy,

Have been tasked with proving that a Juniper SSG device can meet our needs as we move from a colo-based production environment to a cloud-hosted environment. So I have to have a Linux client VPN connect to an SSG20 or 320.

Am attempting an IPsec network-to-network VPN, using racoon and not using FreeS/WAN or OpenVPN.

Currently just trying policy-based VPN so I don't have to fiddle with XAuth.

Getting as far as phase 2 negotiations, but those consistently fail, even though client and SSG are both set to use the same protocols. I've worked with Juniper tech support to configure the proposals to comply with what has been found to work in the past. I have changed up the protocols (for testing), and it still consistently fails no matter what the settings.

Any recommendations and/or suggestions? I can provide example config files if anyone has any background in this area.

Trusted Expert
SSHSSH
Posts: 601
Registered: 11-21-2009

Re: Linux to SSG20 ipsec vpn

When the VPN negotiation fails, what do you see in the event logs on the firewall?

STM
Visitor
Posts: 8
Registered: 04-29-2008

Re: Linux to SSG20 ipsec vpn

2010-04-09 10:44:59 info IKE 173.11.82.196 Phase 2 msg ID 976e1ac3: Negotiations have failed.
2010-04-09 10:44:59 info IKE 173.11.82.196 Phase 2 msg ID 976e1ac3: Responded to the peer's first message.
2010-04-09 10:44:39 info IKE 173.11.82.196 Phase 2 msg ID 976e1ac3: Negotiations have failed.
2010-04-09 10:44:39 info IKE 173.11.82.196 Phase 2 msg ID 976e1ac3: Responded to the peer's first message.
2010-04-09 10:44:38 info IKE 173.11.82.196 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2010-04-09 10:44:38 info IKE 173.11.82.196 phase 1:The symmetric crypto key has been generated successfully.
2010-04-09 10:44:38 info IKE 173.11.82.196 Phase 1: Responder starts AGGRESSIVE mode negotiations.

Trusted Expert
SSHSSH
Posts: 601
Registered: 11-21-2009

Re: Linux to SSG20 ipsec vpn

 

Can you paste the VPN config of both sites?

Can you run the following debug:

undebug all

debug ike detail

...now let the VPN negotiate till it fails

undebug all

get db st  .... get that output
