ScreenOS Firewalls (NOT SRX)
Contributor
rgmhtt
Posts: 46
Registered: ‎08-26-2009
Accepted Solution

Policy for IPsec client with no NATing

I have enough public addresses so that my clients that need to go to a corporate gateway are publicly addressed. For my old firewall I just allow (bidirectionally) UDP 500 and IP protocol 50 through.

UDP 500 is easy here, but what about IP protocol 50?

I use the custom services dialog to create it and I see in the config file:

set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-0

Of course ESP does NOT have ports (I should know, my name is on the RFCs). Is this right?


Super Contributor
arizvi
Posts: 287
Registered: ‎10-21-2008

Re: Policy for IPsec client with no NATing

From the above description, it looks like the firewall is a pass-through for VPN traffic.

If this is the case, then you can use the predefined services "IKE" and "ESP" to allow the firewall to pass the VPN traffic.

Thanks

Atif

Contributor
rgmhtt
Posts: 46
Registered: ‎08-26-2009

Re: Policy for IPsec client with no NATing

On my SSG5w running firmware 6.0.0r4.0, there is NO ESP predefined service. Only IKE and NAT-IKE.

And therein is part of my challenge. I have to create a custom ESP service, it seems.

Super Contributor
arizvi
Posts: 287
Registered: ‎10-21-2008

Re: Policy for IPsec client with no NATing

Yes, you are right, there is no predefined service for ESP.

Please use the custom defined service by just giving the protocol number, no need for the ports.

"set service ESp protocol 50"

Make sure you have the IKE service on the policy.

Thanks

Atif


If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.


Contributor
rgmhtt
Posts: 46
Registered: ‎08-26-2009

Re: Policy for IPsec client with no NATing

So I unset the custom service I had already created with the WebGUI:

set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-0

with the command:

unset service "IPsec-ESP"

Then I created it, as you recommended, with:

set service "IPsec-ESP" protocol 50

I then went to look at Configuration > Update > Config File and it was again:

set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-0

So that seems to be what the system is going to do. I created a service group with this custom service and the predefined service of IKE and have set up a policy using that group. I am just about ready to do the phase I rollout (tomorrow evening it seems) and this will then be tested.

Juniper Employee
monkey
Posts: 22
Registered: ‎05-09-2008

Re: Policy for IPsec client with no NATing

Hi,

This is an old bug. Unset this service and, from the CLI or WebUI, make sure you add it like this:

set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-65535

Make sure that the destination range is not 0-0 but 0-65535.

On the WebUI you need to specify the port range also.

Let me know if it works.

regards,

/m

Contributor
rgmhtt
Posts: 46
Registered: ‎08-26-2009

Re: Policy for IPsec client with no NATing

I started the rollout a bit ago, and this change was needed. Without it, the Nortel client stated it was connecting to the VPN gateway, but while waiting for the corporate banner, the connection failed. Once I put this change in place, things worked.

Now I have to see about reporting this bug...
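The defect the thread converged on is easy to miss in a long exported config: a custom service for a port-less protocol stored with dst-port 0-0, which the device also produces when the bare `set service ... protocol 50` form is entered. The following is an added example, not code from the thread or from Juniper: a small Python lint that scans exported ScreenOS `set service` lines, flags custom services for port-less protocols whose ranges are not the full 0-65535 on both sides, and emits the corrected line monkey recommended. It generalises slightly beyond the thread by also covering AH (IP protocol 51). The sample config lines are constructed for the example, and the regex assumes the `src-port ... dst-port ...` clause order seen in the thread's exported config.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# IP protocols with no transport-layer ports. ESP (50) is the thread's case;
# AH (51) is added here as a generalisation (IANA protocol numbers).
PORTLESS_PROTOCOLS = {50: "ESP", 51: "AH"}
FULL_RANGE = (0, 65535)

# Matches the 'set service' form seen in the exported config. The src-port and
# dst-port clauses are optional because the bare CLI form omits them.
SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" protocol (?P<proto>\d+)'
    r'(?: src-port (?P<s_lo>\d+)-(?P<s_hi>\d+))?'
    r'(?: dst-port (?P<d_lo>\d+)-(?P<d_hi>\d+))?$'
)


@dataclass
class Finding:
    name: str
    protocol: int
    problem: str
    suggested: str


def _port_range(m, lo: str, hi: str) -> Optional[tuple]:
    # Return (low, high) for a captured range, or None if the clause was absent.
    return (int(m[lo]), int(m[hi])) if m[lo] is not None else None


def check_service_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line defines a service for a port-less protocol
    with anything other than 0-65535 on both sides, else None."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None                      # not a custom service definition
    proto = int(m["proto"])
    if proto not in PORTLESS_PROTOCOLS:
        return None                      # TCP/UDP services are out of scope
    src = _port_range(m, "s_lo", "s_hi")
    dst = _port_range(m, "d_lo", "d_hi")
    problems = []
    if src is None or dst is None:
        # The thread observed that the bare form is expanded by the device to
        # 'src-port 0-65535 dst-port 0-0', i.e. the broken form.
        problems.append("no explicit port range (device expands dst-port to 0-0)")
    else:
        if src != FULL_RANGE:
            problems.append(f"src-port {src[0]}-{src[1]} is not 0-65535")
        if dst != FULL_RANGE:
            problems.append(f"dst-port {dst[0]}-{dst[1]} is not 0-65535")
    if not problems:
        return None
    suggested = (f'set service "{m["name"]}" protocol {proto} '
                 f'src-port 0-65535 dst-port 0-65535')
    return Finding(m["name"], proto, "; ".join(problems), suggested)


def audit_config(config_text: str) -> List[Finding]:
    """Run the check over every line of an exported ScreenOS config."""
    findings = []
    for line in config_text.splitlines():
        f = check_service_line(line)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample: the broken line from the thread, a correct one, a bare
# AH definition, and an ordinary TCP service that must not be flagged.
SAMPLE_CONFIG = """\
set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-0
set service "IPsec-ESP-ok" protocol 50 src-port 0-65535 dst-port 0-65535
set service "IPsec-AH" protocol 51
set service "Web-Alt" protocol 6 src-port 0-65535 dst-port 8443-8443
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.name} (protocol {f.protocol}): {f.problem}")
        print(f"  fix: {f.suggested}")
```

Run it against a config saved from Configuration > Update > Config File; only the two defective definitions in the constructed sample are reported, each with the full-range replacement line to paste back into the CLI.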

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.