Screen OS

  • 1.  Netscreen 5 GT VPN configuration with NCP Secure Client

    Posted 03-03-2011 16:34

    I'm at my wits' end here.  I have read hundreds of articles and I can't make heads or tails of what I need to do. 

     

    Objective:

    Create a VPN tunnel between my remote laptop using NCP to my corporate environment through the Netscreen 5GT. 

     

    Environment:

    NetScreen 5 GT 5.4.0r18.0 (Firewall+VPN) -

    Untrust - 71.151.1.2 (Not the real address but for sake of this request that shouldn't matter)

    Trust - 10.0.1.x

     

    Laptop:

    Windows 7

    NCP Secure Client - Juniper Edition Version 9.23 Build 72

     

    I have completed several instructions and all have ended in the same result:  3/3/2011 5:17:51 PM  ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - 5GT_VPN.

     

    I have tried debug ike detail and connect, yet nothing shows up in the debug.  It would be nice to have a step by step guide with some info surrounding why I'm doing each step.  Admittedly I'm newish to the network world so any guidance is greatly appreciated.



  • 2.  RE: Netscreen 5 GT VPN configuration with NCP Secure Client
    Best Answer

    Posted 03-06-2011 20:17

    I don't know anything about NCP Secure Client, however, I have tried using the Shrew Soft VPN client and it works fine on Windows and Netscreen firewalls.

     

    http://www.shrew.net/

     

    There is a step by step KB article on Shrew's website on setting up the VPN Client and ScreenOS.

     

    If you need the NCP client to work, you should check with NCP.

     

    I took a look at NCP's website and here is a config guide:

    https://www.ncp-e.com/fileadmin/pdf/service_support/NCP_QCG_Entry_Client_v3.pdf

     

    Give that a shot.

     

    -Mike



  • 3.  RE: Netscreen 5 GT VPN configuration with NCP Secure Client

    Posted 03-21-2011 18:54

    Thank you for your reply Mike.  I'll try this and see if I can get it to work.  I'll let this thread know how it goes.

     

    Thanks again Mike,

    -Rich



  • 4.  RE: Netscreen 5 GT VPN configuration with NCP Secure Client

    Posted 03-22-2011 15:19

    So it looks like I'm making some progress thanks to your help Mike.  What I have going on now is at least an error:

     

    Rejected an IKE packet on untrust from 75.196.249.217:10952 to 71.151.1.2:500 with cookies 41793ee31084c356 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

     

    Here's my config, public IP and password hash changed to protect the innocent.

     


    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "NetScreen"
    set admin password "Removed"
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 10.0.1.1/24
    set interface trust nat
    set interface untrust ip 75.151.1.1/30
    set interface untrust nat
    set interface untrust gateway 75.151.1.2
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface trust manage mtrace
    set interface untrust manage ssl
    set interface untrust manage web
    set interface trust dhcp server service
    set interface trust dhcp server auto
    set interface trust dhcp server option dns1 10.0.1.13
    set interface trust dhcp server ip 10.0.1.75 to 10.0.1.95
    unset interface trust dhcp server config next-server-ip
    set flow tcp-mss
    unset flow tcp-syn-check
    set domain apexavailability.com
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 75.75.75.75
    set dns host dns2 75.76.76.76
    set dns host dns3 0.0.0.0
    set dns host schedule 06:28
    set address "Trust" "10.0.1.0/24" 10.0.1.0 255.255.255.0
    set ippool "vpnclient" 10.2.21.1 10.2.21.99
    set user "rich.m.miller" uid 2
    set user "rich.m.miller" type  xauth
    set user "rich.m.miller" password "Removed"
    unset user "rich.m.miller" type auth
    set user "rich.m.miller" "enable"
    set user "vpnclient_ph1id" uid 1
    set user "vpnclient_ph1id" ike-id fqdn "client.something.prod" share-limit 1
    set user "vpnclient_ph1id" type  ike
    set user "vpnclient_ph1id" "enable"
    set user-group "vpnclient_group" id 1
    set user-group "vpnclient_group" user "vpnclient_ph1id"
    set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr outgoing-interface "trust" preshare "Uv06TX1KNkoXUGskNUCZshr01CnENCPRig==" proposal "pre-g2-3des-sha" "rsa-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
    set ike gateway "vpnclient_gateway" cert peer-ca all
    unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
    set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20
    set ike gateway "vpnclient_gateway" xauth server "Local"
    unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
    set ike gateway "vpnclient_gateway" dpd interval 30
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set xauth default ippool "vpnclient"
    set xauth default dns1 10.0.1.13
    set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5"
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 2 name "vpnclient_in" from "Untrust" to "Trust"  "Dial-Up VPN" "10.0.1.0/24" "ANY" tunnel vpn "vpnclient_tunnel" id 1 log
    set policy id 2
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set nsmgmt bulkcli reboot-wait 0
    set ssh version v2
    set config lock timeout 5
    set license-key auto-update
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

     

    Thanks again for your help,

    -Rich



  • 5.  RE: Netscreen 5 GT VPN configuration with NCP Secure Client

    Posted 03-23-2011 05:28

    Hi,


    The one issue I see is with the following command:

     

    set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr outgoing-interface "trust" preshare "Uv06TX1KNkoXUGskNUCZshr01CnENCPRig==" proposal "pre-g2-3des-sha" "rsa-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"

     

     

    The outgoing-interface is set to TRUST.  This should be UNTRUST.  Give that a shot and see if it resolves your phase1 issue.

     

    -Mike



  • 6.  RE: Netscreen 5 GT VPN configuration with NCP Secure Client

    Posted 03-23-2011 17:58

    That with a combination of figuring out the NCP client worked!  So I will post on here how I got it to work for other people to walk through.  It's been a pain trying to figure this out and I appreciate your help!

     

    I want to thank Shrew Soft Inc. for this information as it was EXTREMELY valuable in helping me get this to work!!

     

    Configuring VPN on NetScreen 5GT

    Introduction

    This guide provides information that can be used to configure a Juniper SSG or Netscreen device running firmware version 5.4+ to support IPsec VPN client connectivity.

    Overview

    The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the push configuration method to acquire the following parameters automatically from the gateway.

    • IP Address
    • IP Netmask
    • DNS Servers
    • WINS Servers

    Gateway Configuration

    This example assumes you have knowledge of the Juniper gateway Web configuration interface. For more information, please consult your Juniper product documentation.

    Create a Phase1 ID

    Create a user that is used to define the phase1 id parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define the following parameters.

    • User Name = vpnclient_ph1id
    • Status = Enabled
    • IKE User = Checked
      • Simple Identity = Selected
      • IKE ID Type = AUTO
      • IKE Identity = client.domain.com

    Create a Local Key Group

    Create a Local Group that can be assigned to an Auto Key Advanced Gateway. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define the group name as vpnclient_group. Also add the vpnclient_ph1id user object as a group member.

    Create an Auto Key Advanced Gateway

    Create an auto key advanced gateway to configure the phase1 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define the following parameters.

    • Gateway Name = vpnclient_gateway
    • Security Level = Custom
    • Remote Gateway Type = Dialup User Group
    • Group = vpnclient_group
    • Preshared Key = mypresharedkey
    • Local ID = vpngw.domain.com
    • Outgoing interface MUST BE YOUR UNTRUST INTERFACE

    Define Advanced Parameters

    Click the Advanced button and define the following parameters.

    • Security Level - Custom
      • Phase 1 Proposal
        • pre-g2-3des-sha
        • pre-g2-3des-md5
        • pre-g2-aes128-sha
        • pre-g2-aes128-md5
    • Mode = Aggressive
    • Enable NAT-Traversal = Checked
      • Keepalive Frequency = 20
    • Peer Status Detection
      • DPD = Selected
        • Interval = 30
        • Retry = 5

    When finished click Return.

    Define Xauth Parameters

    You will now see your auto key advanced gateway listed. Click on the Xauth button in the Configure column.

    Define the following parameters.

    • Xauth Server = Selected
      • Allowed Authentication Type = Generic
      • Local Authentication = Selected
        • Allow Any = Selected

    When finished click OK.

    Create an Auto Key IKE Gateway

    Create an auto key IKE gateway to configure the phase2 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define the following parameters.

    • VPN Name = vpnclient_tunnel
    • Security Level = Custom
    • Remote Gateway Predefined = vpnclient_gateway

    Define Advanced Parameters

    Click the Advanced button and define the following parameters.

    • Security Level = Custom
      • nopfs-esp-3des-sha
      • nopfs-esp-3des-md5
      • nopfs-esp-aes128-sha
      • nopfs-esp-aes128-md5
    • Replay Protection = Checked

    When finished click Return.

    Create a Client Address Pool

    Create a pool of addresses to be assigned to VPN clients. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define an IP Pool. For example, you could define a pool named vpnclient with a start IP address of 10.2.21.1 and an end address of 10.2.21.254.  I have found that you can NOT use your existing internal networks.  So, for example, if you have a 10.0.1.1 network, use a 192.168.x.x network here.

    Set Client Configuration Parameters

    The client configuration parameters are stored in the global Auto Key Advanced XAuth parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Define the following parameters.

    • Reserve Private IP for XAuth User - 480 minutes
    • Default Authentication Server = Local
    • Query Client Settings on Default Server - Unchecked
    • CHAP - Unchecked
    • IP Pool Name = vpnclient
    • DNS Primary Server IP = [ private DNS server address ]
    • DNS Secondary Server IP = [ private DNS secondary address ]
    • WINS Primary Server IP = [ private WINS server address ]
    • WINS Secondary Server IP = [ private WINS secondary address ]

    Configure IPsec Policies

    The last step for the tunnel configuration is to define policies that allow protected traffic to pass into your private network from the client. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    To create a new IPsec Policy, the from and to zones must be specified. An IPsec VPN Client policy is defined. Select the following zones and click the New button.

    • From = Untrust
    • To = Trust

    Define the following parameters.

    • Name = vpnclient_inbound
    • Source Address
      • Address Book Entry = Dial-UP VPN
    • Destination Address
      • New Address = 10.1.2.0/24
      • I'm not sure how this works so I selected ANY.  I'm sure with some work and better understanding you can adjust this to resources you only want your VPN clients going to. 
    • Service = ANY
    • Application = None ( means ANY )
    • Action = Tunnel
    • Tunnel = vpnclient_tunnel [ Auto Key IKE vpn name ]

    Create Local User Accounts

    Create local user accounts that will be used during Xauth. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the new button and define the following parameters.

    • User Name - joe ( the xauth user name )
    • Status - Enable
    • XAuth User - Checked
      • User Password - **** ( the xauth user password )
      • Confirm Password - **** ( the same user password )

    When finished press OK.
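The two gateway-side mistakes this thread turns on (the IKE gateway bound to the Trust interface instead of Untrust, and an XAuth address pool carved out of the internal LAN) are both visible in a plain `get config` dump, so they can be checked before a client ever dials in. The following linter is an added example written for this page; it is not code from the thread, from Juniper or from NCP, and it only understands the `set` statements that appear in the posted config (interface zone/ip, dial-up `ike gateway`, `vpn ... proposal`, `ippool`). The embedded sample config is a constructed excerpt modelled on Rich's post, with the pre-shared key removed.

```python
"""Lint a ScreenOS config dump for the dial-up IKE pitfalls discussed in this
thread.  Added example; not code from the thread, Juniper or NCP.  Only the
'set' statements seen in the posted config are parsed; everything else is
ignored.  Tested with the constructed excerpt below."""
import ipaddress
import shlex


def parse_screenos(config):
    """Collect interfaces, dial-up IKE gateways, VPNs and IP pools from
    'set ...' lines.  Quoted and unquoted object names are both accepted."""
    iface_zone, iface_net, gateways, vpns, pools = {}, {}, {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tok = shlex.split(line)
        if tok[1] == "interface" and len(tok) >= 5:
            if tok[3] == "zone":
                iface_zone[tok[2]] = tok[4]
            elif tok[3] == "ip" and "/" in tok[4]:
                iface_net[tok[2]] = ipaddress.ip_interface(tok[4]).network
        elif tok[1:3] == ["ike", "gateway"] and "dialup" in tok:
            gw = {"mode": tok[tok.index("dialup") + 2]}  # e.g. "Aggr"
            if "outgoing-interface" in tok:
                gw["out_if"] = tok[tok.index("outgoing-interface") + 1]
            gateways[tok[3]] = gw
        elif tok[1] == "vpn" and "gateway" in tok and "proposal" in tok:
            vpns[tok[2]] = {"gateway": tok[tok.index("gateway") + 1],
                            "proposals": tok[tok.index("proposal") + 1:]}
        elif tok[1] == "ippool" and len(tok) == 5:
            pools[tok[2]] = (ipaddress.ip_address(tok[3]),
                             ipaddress.ip_address(tok[4]))
    return iface_zone, iface_net, gateways, vpns, pools


def lint_screenos(config):
    """Return a list of (level, message).  ERROR stops Phase 1 from ever
    completing, WARN is a setting the thread found does not work in practice,
    INFO is something the client profile must be configured to match."""
    iface_zone, iface_net, gateways, vpns, pools = parse_screenos(config)
    findings = []
    for name, gw in gateways.items():
        out_if = gw.get("out_if")
        zone = iface_zone.get(out_if)
        if zone != "Untrust":
            findings.append(("ERROR",
                f"ike gateway {name}: outgoing-interface {out_if!r} is in zone "
                f"{zone!r}; dial-up clients arrive on the Untrust side, so their "
                f"first Phase 1 packet is rejected as coming from an unrecognized "
                f"peer gateway. Bind the gateway to the Untrust interface."))
        if gw["mode"] != "Aggr":
            findings.append(("INFO", f"ike gateway {name}: exchange mode is "
                             f"{gw['mode']}; the client profile must use the same mode."))
    for pname, (start, end) in pools.items():
        for ifname, net in iface_net.items():
            # Range [start, end] overlaps the interface subnet.
            if start <= net.broadcast_address and end >= net.network_address:
                findings.append(("WARN",
                    f"ippool {pname} ({start}-{end}) overlaps interface {ifname} "
                    f"({net}); give clients a range not used on the LAN."))
    for vname, vpn in vpns.items():
        if vpn["gateway"] in gateways and all(p.startswith("nopfs")
                                               for p in vpn["proposals"]):
            findings.append(("INFO", f"vpn {vname}: all Phase 2 proposals are "
                             f"nopfs-*; set the client's PFS group to none."))
    return findings


# Constructed excerpt modelled on the config posted in this thread, including
# the outgoing-interface mistake the thread identifies.  Not a real device dump.
POSTED_CONFIG = """
set zone "Trust" vrouter "trust-vr"
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface trust ip 10.0.1.1/24
set interface untrust ip 75.151.1.1/30
set ippool "vpnclient" 10.2.21.1 10.2.21.99
set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr outgoing-interface "trust" preshare "REMOVED" proposal "pre-g2-3des-sha" "pre-g2-aes128-sha"
set ike gateway "vpnclient_gateway" cert peer-ca all
set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-aes128-sha"
"""
# Same config with the fix from post 5 applied.
FIXED_CONFIG = POSTED_CONFIG.replace('outgoing-interface "trust"',
                                     'outgoing-interface "untrust"')

if __name__ == "__main__":
    for level, msg in lint_screenos(POSTED_CONFIG):
        print(level, msg)
```

Run it against the output of `get config` copied from the device (with the `preshare` value stripped, as in the thread). The ERROR maps directly to the event-log line Rich saw, "initial Phase 1 packet arrived from an unrecognized peer gateway": a gateway whose outgoing interface sits in Trust never matches packets arriving on Untrust. One design note the thread does not spell out: aggressive mode is what lets a single group identity serve every client, but in that mode the pre-shared-key authentication hash travels unencrypted in the exchange, so the key entered for the Auto Key Advanced Gateway should be long and random rather than a word.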



  • 7.  RE: Netscreen 5 GT VPN configuration with NCP Secure Client

    Posted 03-23-2011 18:19

    Now we have to configure the NCP Secure Juniper Client.  I purchased the client and it seems to work ok.  Not very user friendly nor a lot of information on how to configure the client for Juniper.

     

    Launch NCP Secure Client Application

    Select Configuration - Profiles

    Click Add/Import

    Select Manually Configure Profile and click next.

    Enter a name for your vpn profile (i.e. work_vpn) and click next

    Under Gateway (Tunnel Endpoint): enter the IP address or FQDN of your Netscreen 5GT VPN

    Check Mark Extend Authentication (Xauth)

    Under User ID:  enter the user name you setup under Create Local User Accounts in the directions above (i.e. Joe)

    Enter the password you configured under Create Local User Accounts in the directions above.

    Click Next

    Under Exchange Mode:  Select aggressive mode

    Under PFS Group: Select none.  Note: I have tried other variants and they just don't work!

    Click Next

    Under Pre-Shared Key/Shared Secret and Confirm Secret: Type in the Preshared Key that you entered in the Create an Auto Key Advanced Gateway step from the instructions above.

    Under Local Identity (IKE) type select Fully Qualified Domain Name

    Under Local Identity (IKE) enter the value you entered in IKE identity under the Create a Phase 1 ID step in the instructions above (i.e. client.shrew.net)

    Click Next

    Under IP Address Assignment select IKE Config Mode

    Click Next

    Click Okay

    In the NCP Secure Client application you should see your profile listed.  Click the connection button and you should connect!



  • 8.  RE: Netscreen 5 GT VPN configuration with NCP Secure Client

    Posted 03-23-2011 18:33

    Last notes on Troubleshooting the NCP Secure Client VPN with a Netscreen 5GT.

     

    Enable logging, this is SUPER helpful. 

    To do this in the webui go to configuration-report settings-log settings.  Under console select all the options.  Just remember to turn them off when you are done troubleshooting.


    You cannot connect to the VPN from the Trust zone, i.e. the network your NS 5GT is connected to.  You have to test from an outside source!

     

    When all else fails debug and google debug errors!

    To do this telnet or ssh to your netscreen device.

    Enter username

    Enter password

    undebug all (turn off any debugs set, unless you have other ones you want on of course)
    debug ike all (turn on debug for IKE)
    clear db (clear debug buffer)

    get db str (shows you what's in the log.  When you connect you will see a ton of information to post to forums.)

    (have client initiate request)
    undebug all (turn off debugs...do this ASAP, as the debug buffer is circular and may get overwritten)

    When all is good and working type in clear db.

     

    Post configs!  Super helpful for those trying to give you free tech support. 

    To do this go to configuration-update-config file.  You can copy and paste the results in the forum, just remember to always remove your public IP address and information that could lead to you being hacked!

     

    Last but not least. 

    After finding and implementing a solution, spend the time posting the solution!  I have seen thousands of dead posts or posts that say something like, "I fixed it, I added a policy!"  I know, we get excited and want to test and move on to bigger and better things BUT, just think if all these super smart tech guys took the time to post the information, that would make all our lives much easier.  Thanks Mike, I got rolling and finally figured it out.  But I also took the time to troubleshoot and look for answers; these people are giving you free advice, work on the solution and when you are at a dead end post the results.

     

    Thanks again Mike!



  • 9.  RE: Netscreen 5 GT VPN configuration with NCP Secure Client

    Posted 03-23-2011 20:10

    Glad you figured it out and thanks for posting the additional info.  I'm sure it'll come in handy for someone else.

     

    -Mike



  • 10.  RE: Netscreen 5 GT VPN configuration with NCP Secure Client

    Posted 12-28-2011 11:18

    HI,

     

    I solved the issue using the NCP-e SSL VPN client to connect to the Juniper firewall.

     

    I had this error message: "vpn error, gateway not responding, waiting for msg 2"

     

    I just set PFS Group to none.



  • 11.  RE: Netscreen 5 GT VPN configuration with NCP Secure Client

    Posted 11-01-2013 17:52

    Thanks for this useful information, finally got NCP to work with IPsec but still having issues when I enable L2TP with Xauth. Has anyone tested this option as well?