ScreenOS Firewalls (NOT SRX)
Visitor
Bruno_BERTRAND
Posts: 3
Registered: ‎09-24-2008

Netscreen 5XP / MS Win XP / Dial-up VPN / Phase 2 : No policy

Hi,

Sorry for my English, it's not my native language.

 

I want to configure a Dial-up VPN using Windows XP Client with L2TP over IPSec according to the document provided by netscreen.

 

I completed the setup on the Netscreen and on my laptop.

 

I can connect from the internet and phase 1 & 2 seem to be correct.

But when I look at the netscreen logs, I get the following:

 

2008-09-25 06:36:24 info Retry time-out interval expired. L2TP tunnel removed (peer at aaa.bbb.ccc.ddd, local at www.xxx.yyy.zzz), tunnel ID 7
2008-09-25 06:36:23 info IKE<aaa.bbb.ccc.ddd> Phase 2: No policy exists for the proxy ID received: local ID (<0.0.0.0>/<0.0.0.0>, <0>, <0>) remote ID (<aaa.bbb.ccc.ddd>/<255.255.255.255>, <17>, <1701>).
2008-09-25 06:35:51 info IKE<aaa.bbb.ccc.ddd> Phase 2: No policy exists for the proxy ID received: local ID (<0.0.0.0>/<0.0.0.0>, <0>, <0>) remote ID (<aaa.bbb.ccc.ddd>/<255.255.255.255>, <17>, <1701>).
2008-09-25 06:35:35 info IKE<aaa.bbb.ccc.ddd> Phase 2: No policy exists for the proxy ID received: local ID (<0.0.0.0>/<0.0.0.0>, <0>, <0>) remote ID (<aaa.bbb.ccc.ddd>/<255.255.255.255>, <17>, <1701>).
2008-09-25 06:35:22 info IKE<aaa.bbb.ccc.ddd> Phase 2: No policy exists for the proxy ID received: local ID (<0.0.0.0>/<0.0.0.0>, <0>, <0>) remote ID (<aaa.bbb.ccc.ddd>/<255.255.255.255>, <17>, <1701>).
2008-09-25 06:35:17 notif The system clock was updated from primary NTP server type us.pool.ntp.org with a ms adjustment of -569 ms. Authentication was None. Update mode was Automatic
2008-09-25 06:34:17 info IKE<aaa.bbb.ccc.ddd> Phase 2: No policy exists for the proxy ID received: local ID (<0.0.0.0>/<0.0.0.0>, <0>, <0>) remote ID (<aaa.bbb.ccc.ddd>/<255.255.255.255>, <17>, <1701>).
2008-09-25 06:31:22 info l2tp(www.xxx.yyy.zzz/1701->aaa.bbb.ccc.ddd/1701), user authentication passed. IP address 192.1.20.180 assigned to user.
2008-09-25 06:31:21 info L2TP tunnel WindowsVPN-l2tp created between www.xxx.yyy.zzz:1701 and aaa.bbb.ccc.ddd:1701
2008-09-25 06:31:20 info IKE<aaa.bbb.ccc.ddd> Phase 2 msg ID <46c3a83e>: Completed negotiations with SPI <16a473de>, tunnel ID <32772>, and lifetime <3600> seconds/<250000> KB.
2008-09-25 06:31:20 info IKE<aaa.bbb.ccc.ddd> Phase 2 msg ID <46c3a83e>: Responded to the peer's first message.
2008-09-25 06:31:20 info IKE<aaa.bbb.ccc.ddd> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2008-09-25 06:31:20 info IKE<aaa.bbb.ccc.ddd> Phase 1: Completed for user <bertrand.bruno>.
2008-09-25 06:31:18 notif PKI: No revocation check, per config, for cert with subject name Email=bertrand.bruno.01@gmail.com,CN=bertrand.bruno.01,
2008-09-25 06:31:17 info IKE<aaa.bbb.ccc.ddd> Phase 1: Responder starts MAIN mode negotiations.


Why doesn't the dial-up connection match my "L2TP_policy" policy?

My netscreen configuration is setup as follows:

 

set ippool "VPN_L2TP_pool" 10.156.0.2 10.156.0.254

set user "bertrand.bruno" uid 3
set user "bertrand.bruno" ike-id asn1-dn wildcard "CN=***********,OU=,O=,L=,ST=,C=,E=***********" share-limit 1
set user "bertrand.bruno" type ike l2tp
set user "bertrand.bruno" password "***********"
unset user "bertrand.bruno" type auth
set user "bertrand.bruno" "enable"
set user-group "VPN PEC Users" id 3
set user-group "VPN PEC Users" user "bertrand.bruno"


set ike gateway "Gateway for VPN" dialup "VPN PEC Users" Main outgoing-interface "untrust"  proposal "rsa-g2-3des-sha" "rsa-g2-des-sha" "rsa-g2-3des-md5" "rsa-g2-des-md5"
set ike gateway "Gateway for VPN" cert my-cert-hash ****************************************
set ike gateway "Gateway for VPN" cert peer-ca-hash ****************************************
unset ike gateway "Gateway for VPN" nat-traversal udp-checksum
set ike gateway "Gateway for VPN" nat-traversal keepalive-frequency 5

set vpn "VPN-IKE-PEC" gateway "Gateway for VPN" no-replay transport idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-des-md5"

set l2tp default dns1 80.10.246.1
set l2tp default dns2 81.253.149.2
set l2tp default ippool "VPN_L2TP_pool"
set l2tp "WindowsVPN-l2tp" id 1 outgoing-interface untrust keepalive 120
set l2tp "WindowsVPN-l2tp" remote-setting ippool "VPN_L2TP_pool"
set l2tp "WindowsVPN-l2tp" auth server "Local" user-group "VPN PEC Users"

set policy id 60 name "L2TP_policy" from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "VPN-IKE-PEC" id 8 l2tp "WindowsVPN-l2tp" log

Then, after a short while, I get:

"Retry time-out interval expired. L2TP tunnel removed"


Can someone help me?

 

Thanks
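A small triage script for event lines like the ones above, added here as an example and not part of the original post or of ScreenOS: it parses the "Phase 2: No policy exists for the proxy ID received" events, reports the selectors the peer proposed (UDP port 1701 is L2TP), and correlates them with the later "L2TP tunnel removed" event. The regular expressions assume the exact wording of the log lines as posted; the sample input reuses the poster's placeholder addresses.

```python
import re

# ScreenOS "Phase 2: No policy exists for the proxy ID received" event; each proxy ID
# (traffic selector) is captured as address, mask, IP protocol number and port.
PROXY_ID_RE = re.compile(
    r"^(?P<ts>\S+ \S+) info IKE<(?P<peer>[^>]+)> Phase 2: No policy exists for the proxy ID "
    r"received: local ID \(<(?P<lip>[^>]+)>/<(?P<lmask>[^>]+)>, <(?P<lproto>\d+)>, <(?P<lport>\d+)>\) "
    r"remote ID \(<(?P<rip>[^>]+)>/<(?P<rmask>[^>]+)>, <(?P<rproto>\d+)>, <(?P<rport>\d+)>\)"
)
# Follow-on event showing the L2TP session being torn down after the retries expire.
REMOVED_RE = re.compile(r"^\S+ \S+ info Retry time-out interval expired\. L2TP tunnel removed \(peer at (?P<peer>[^,]+),")

# Constructed sample: lines copied from the post (addresses are the poster's placeholders).
SAMPLE_LOG = [
    "2008-09-25 06:36:24 info Retry time-out interval expired. L2TP tunnel removed (peer at aaa.bbb.ccc.ddd, local at www.xxx.yyy.zzz), tunnel ID 7",
    "2008-09-25 06:36:23 info IKE<aaa.bbb.ccc.ddd> Phase 2: No policy exists for the proxy ID received: local ID (<0.0.0.0>/<0.0.0.0>, <0>, <0>) remote ID (<aaa.bbb.ccc.ddd>/<255.255.255.255>, <17>, <1701>).",
    "2008-09-25 06:35:51 info IKE<aaa.bbb.ccc.ddd> Phase 2: No policy exists for the proxy ID received: local ID (<0.0.0.0>/<0.0.0.0>, <0>, <0>) remote ID (<aaa.bbb.ccc.ddd>/<255.255.255.255>, <17>, <1701>).",
    "2008-09-25 06:31:22 info l2tp(www.xxx.yyy.zzz/1701->aaa.bbb.ccc.ddd/1701), user authentication passed. IP address 192.1.20.180 assigned to user.",
]

def parse_proxy_id_failures(lines):
    """One dict per proxy-ID failure: timestamp, peer, local and remote selectors."""
    out = []
    for line in lines:
        m = PROXY_ID_RE.match(line.strip())
        if m:
            out.append({"ts": m["ts"], "peer": m["peer"],
                        "local": (m["lip"], m["lmask"], int(m["lproto"]), int(m["lport"])),
                        "remote": (m["rip"], m["rmask"], int(m["rproto"]), int(m["rport"]))})
    return out

def is_l2tp_selector(selector):
    """UDP (17) port 1701 is L2TP: the peer is proposing an L2TP-over-IPsec transport SA."""
    return selector[2] == 17 and selector[3] == 1701

def triage(lines):
    """Per peer: failure count, whether every remote ID was L2TP, the local IDs seen,
    and whether the L2TP tunnel was eventually removed."""
    removed = {m["peer"] for m in map(REMOVED_RE.match, (l.strip() for l in lines)) if m}
    report = {}
    for ev in parse_proxy_id_failures(lines):
        r = report.setdefault(ev["peer"], {"failures": 0, "l2tp_selector": True, "local_ids": set()})
        r["failures"] += 1
        r["l2tp_selector"] &= is_l2tp_selector(ev["remote"])
        r["local_ids"].add("%s/%s" % ev["local"][:2])
    for peer, r in report.items():
        r["local_ids"] = sorted(r["local_ids"])
        r["tunnel_removed"] = peer in removed
    return report
```

Running `triage(SAMPLE_LOG)` reports two failures for the peer, a remote ID that is always UDP/1701, a local ID of 0.0.0.0/0.0.0.0, and a tunnel removal, which is exactly the pattern to compare against the policy's "Dial-Up VPN" source and tunnel reference.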

 

Contributor
DerMike
Posts: 15
Registered: ‎03-30-2008

Re: Netscreen 5XP / MS Win XP / Dial-up VPN / Phase 2 : No policy

Maybe just a typo in your settings. As I am too busy to analyze your config, I advise you to cross-check the setup with my always-quoted second guide :smileyhappy:.

 

 

Visitor
Bruno_BERTRAND
Posts: 3
Registered: ‎09-24-2008

Re: Netscreen 5XP / MS Win XP / Dial-up VPN / Phase 2 : No policy

Hi,

 

In fact, I also used the quoted second guide to set up my configuration.

I checked once again and found no errors.

In the policy, I tried to change the destination address from 'any' to my internal network.

But there's still no policy matching: in the error message the local ID changed from <0.0.0.0> to <192.1.20.0> (my internal network).

I really don't understand why the policy doesn't match since I used the predefined 'Dial-up' source address!!!

 

The only thing that may have an impact is that my ScreenOS is 5.0.0r9.0 and you recommend 5.1.

The problem is that I don't have any support contract to download a new release: my predecessor, who installed the firewall a few years ago, is no longer in the company and did not subscribe to a support contract.

Is release 5.1 mandatory, and how could I proceed to get the latest release?

 

Thanks for your help

 

 

 

Visitor
Bruno_BERTRAND
Posts: 3
Registered: ‎09-24-2008

Re: Netscreen 5XP / MS Win XP / Dial-up VPN / Phase 2 : No policy

Note: I'm located in France

Contributor
DerMike
Posts: 15
Registered: ‎03-30-2008

Re: Netscreen 5XP / MS Win XP / Dial-up VPN / Phase 2 : No policy

In your case the firewall firmware lacks NAT-T support. It has been implemented as of ScreenOS 5.1 and will not work in lower versions. To prove that everything works correctly you can try to establish a connection from a road warrior client that is directly connected to the internet and has been assigned an official IP. In this case there is no need for NAT-T.

 

Juniper firmware policy has to be taken as it is. You can only download it if you have a current support contract. I would advise anyone who gets the firmware through other channels to be very careful about what file he wants to flash to his device. My tip would be to obtain a device with the right firmware release through eBay.

 

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.