Hi James,

first of all there is no need to make dialup vpn policy bidirectional becasue as in policy based dialup vpn traffic cannot initiate from trust to untrust. So keep policy only from untrust to trust.

Turn off source translation in dialup vpn policy and try again. What version of screen OS u r using???

can u post ur routing table??

Thanks 

turn off the source NAT, in the policy and configure the Proxy ID in AutoKey IKE  , these must match with the values of remote client

Some more info:

We are having difficulty implementing a Netscreen Remote VPN with a new Juniper SSG 520M in a Branch Office. We have an existing SSG-520 in our Datacenter with almost identical config which is working fine.

The config on the Branch Office firewall has been copied from that on the Datacenter so both VPNs are configured identically. The client is a laptop connected via an ADSL router with Netscreen Remote installed and an identity for each VPN/Firewall. Both VPNs connect successfully, the Datacenter VPN works fine, the Branch Office VPN doesn’t.

On the Branch Office VPN when pinging a server on the VPN we can see the traffic in the firewall logs and arriving at the server’s NIC (using wireshark) we can also see the packet leave the server, and a reply is shown in the Firewall log.

The only difference we have found is in the traffic leaving the firewall down the tunnel in the debug logs below.

Data center Firewall: Juniper ScreenOS 5.4.0r1.0

Branch Office Firewall: Juniper ScreenOS 5.4.0r6.0

Debug on return Packets:

Branch Office Firewall

****** 4921596.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 24717(608d), @2e4ae910
  packet passed sanity check.
  ethernet0/0:**BranchOfficeServerIP**/512->**ClientLaptopIP**/11008,1(0/0)<Root>
Not IKE nor NAT-T nor ESP protocol.
  existing session found. sess token 4
  flow got session.
  flow session id 63969
  existing vector list 5-56b1b80.
  skipping pre-frag
  going into tunnel 4000000d.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 0000000d
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec auth done
ipsec encrypt engine released
ipsec encrypt done
        put packet(4a23ac0) into flush queue.
        remove packet(4a23ac0) out from flush queue.

**** jump to packet:**BranchOfficeFWPublicIP**->**ClientADSLPublicIP**
  out encryption tunnel 4000000d gw:**BranchOfficeNextHopIP**
  no more encapping needed
  send out through normal path.
  flow_ip_send: ea4b:**BranchOfficeFWPublicIP**->**ClientADSLPublicIP**,50 => ethernet0/2(112) flag
 0x0, vlan 0
  mac 009069f3747e in session
  **** pak processing end.

Datacenter Firewall - this is working correctly

****** 21816786.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 58583(e4d7), @2e60d910
  packet passed sanity check.
  ethernet0/0:**DataCenterServerIP**/512->**ClientLaptopIP**/14848,1(0/0)<Root>
Not IKE nor NAT-T nor ESP protocol.
  existing session found. sess token 4
  flow got session.
  flow session id 57828
  existing vector list 5-672a650.
  skipping pre-frag
  going into tunnel 4000002c.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 0000002c
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec auth done
ipsec encrypt engine released
ipsec encrypt done
        put packet(49da9c0) into flush queue.
        remove packet(49da9c0) out from flush queue.

**** jump to packet:**DataCenterFWPublicIP**->**ClientADSLPublicIP**
  out encryption tunnel 4000002c gw:**DataCenterNextHopIP**
  no more encapping needed
 flow_send_vector_, vid = 0, is_layer2_if=0
  **** pak processing end.

The debug output shows that ur return traffic is not passing through tunnel, its passing through physical wan interface. Can u post ur routing table and dialup vpn policies???

Thanks 

Hi,

Routing table and dialup vpn policy attached.

Thank you for looking at this.

Still working on this issue.  Using wireshark to look at packets as they hit devices inside the network.

Packets are travelling Client -> VPN tunnel -> Juniper FW -> host ok, the problem is occuring on the return. 

The return packet travels Host -> Juniper FW -> ISP Router -> Next ISP Router -> Loop.

Here is a message from Wireshark showing the Ping echo reply is timing out:

218.101.61.8     10.51.1.205     ICMP     Time-to-live exceeded (Time to live exceeded in transit)

This Traceroute shows that this is the expected result given a packet to that private IP goes out the internet gateway. 

 Tracing route to 192.168.1.108 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.51.1.4
  2     1 ms    <1 ms    <1 ms  203.167.224.225
  3     *        *        *     Request timed out.
  4     1 ms     1 ms     1 ms  ge-1-0-0-927.ie1.telstraclear.net [218.101.61.8]

  5     *        *        *     Request timed out.
  6     2 ms     1 ms     1 ms  ge-1-0-0-927.ie1.telstraclear.net [218.101.61.8]

  7  ^C

The Packet arrives at the Host with the clients Private IP as its return address.

Taking a look at the packets, and I have compared packets between our working VPN to our Datacenter and the new VPN to our branch office and I can't see any encapsulation or injection indicating that the packet is a VPN packet, so the only indicator the FW has that the packet needs to be routed back down the VPN tunnel is the source address. 

Is there any setting or route that needs to be added to the SSG520 to tell it to route those packets down the VPN tunnel they came from instead of out the www gateway?

It looks to me like the firewall is not keeping track of sessions correctly.  Since the original post we have upgraded to 6.0.0r5a.0 which has not made a difference.

Hi,

You shouldn't need to add any additional information to tell it to route back down the tunnel as it should be part of the session when the packet came through.

Would be good if you could post your config file.

Also you could do a debug flow basic to see if the firewall is seeing it as being part of the session and what it is doing with it.

From the console (you will need to use something like hyper terminal as you will need to capture text:

get ffilter - check to see if you have any filters set already, if you do unset ffilter to clear

set ffilter dst-ip x.x.x.x (replace x's with destination ip you are pinging down the vpn)

set ffilter src-ip x.x.x.x (replace x's with same IP as dst-ip to give return packet)

clear db

debug flow basic

perform ping from ssl box that fails.

undebug all

You will then need to capture the following text from the command

get db str

Regards

Andy

Hi,

Debug and config file are attached.

Thanks,