Screen OS

  • 1.  Policy for IPsec client with no NATing

    Posted 08-31-2009 11:24

    I have enough public addresses so that my clients that need to go to a corporate gateway are publicly addressed.  For my old firewall I just allow (bidirectionally) UDP 500 and IP protocol 50 through.

    UDP 500 is easy here, but what about IP protocol 50?

    I use the custom services dialog to create it and I see in the config file:

    set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-0

    Of course ESP does NOT have ports (I should know, my name is on the RFCs).  Is this right?

     

     



  • 2.  RE: Policy for IPsec client with no NATing

    Posted 08-31-2009 14:08

    From the above description, it looks like the firewall is a pass-through for VPN traffic.

    If this is the case, then you can use the predefined services "IKE" and "ESP" to allow the firewall to pass the VPN traffic.

     

    Thanks

    Atif



  • 3.  RE: Policy for IPsec client with no NATing

    Posted 08-31-2009 14:23

    On my SSG5w running firmware 6.0.0r4.0, there is NO ESP predefined service.  Only IKE and NAT-IKE.

    And therein is part of my challenge.  I have to create a custom ESP service, it seems.

     

     



  • 4.  RE: Policy for IPsec client with no NATing

    Posted 08-31-2009 14:33

    Yes, you are right, there is no predefined service for ESP.

    Please use the custom-defined service by just giving the protocol number; no need for the ports.

    "set service ESp protocol 50"

    Make sure you have the IKE service on the policy.

     

    Thanks

    Atif


    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

     



  • 5.  RE: Policy for IPsec client with no NATing

    Posted 08-31-2009 15:02

    So I unset the custom service I had already created with the WebGUI:

    set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-0

    with the command:

    unset service "IPsec-ESP"

    Then I created it, as you recommended, with:

    set service "IPsec-ESP" protocol 50

    I then went to look at Configuration > Update > Config File and it was again:

    set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-0

    So that seems to be what the system is going to do.  I created a service group with this custom service and the predefined service of IKE and have set up a policy using that group.  I am just about ready to do the phase I rollout (tomorrow evening it seems) and this will then be tested.

     



  • 6.  RE: Policy for IPsec client with no NATing
    Best Answer

    Posted 09-01-2009 03:06

    Hi,

     

    This is an old bug. Unset this service and, from the CLI or WebUI, make sure you add it like this:

    set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-65535

    Make sure that the destination range is not 0-0 but 0-65535.

    On the WebUI you need to specify the port range also.

    Let me know if it works.

     

    regards,

    /m
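    The accepted answer above boils down to a config check: a custom ScreenOS service for a port-less IP protocol (ESP is 50, AH is 51) must carry `dst-port 0-65535`, and a stored `dst-port 0-0` (or a bare `protocol 50` line that the firewall rewrites that way) is the bug that silently drops the VPN pass-through. The following is an added example, not code from the thread or from Juniper: a small linter that reads saved `set service` lines, flags ESP/AH services with the bad destination range, and emits the corrected line. The sample config embedded in it is constructed for the demo, and the generalisation to AH (protocol 51) is an assumption that follows from the same "no ports" reasoning, not something the thread tested.

```python
import re
from dataclasses import dataclass
from typing import List

# ScreenOS custom-service line, in the form the thread shows the firewall storing it:
#   set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-0
# Only numeric protocol-number services are matched; tcp/udp/icmp lines are skipped.
SERVICE_RE = re.compile(
    r'^\s*set service "(?P<name>[^"]+)" protocol (?P<proto>\d+)'
    r'(?: src-port (?P<slo>\d+)-(?P<shi>\d+))?'
    r'(?: dst-port (?P<dlo>\d+)-(?P<dhi>\d+))?\s*$'
)

# IP protocols that carry no port numbers. ESP (50) is the thread's case;
# AH (51) is included here as an assumption by analogy.
PORTLESS_PROTOCOLS = {50: "ESP", 51: "AH"}


@dataclass
class Finding:
    line_no: int
    name: str
    proto: int
    message: str
    fixed_line: str


def fixed_service_line(name: str, proto: int) -> str:
    """The form the accepted answer recommends: full 0-65535 range on both sides."""
    return f'set service "{name}" protocol {proto} src-port 0-65535 dst-port 0-65535'


def lint_services(config_text: str) -> List[Finding]:
    """Return one Finding per ESP/AH custom service whose stored port ranges would break it."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        proto = int(m.group("proto"))
        if proto not in PORTLESS_PROTOCOLS:
            continue
        name = m.group("name")
        dlo, dhi = m.group("dlo"), m.group("dhi")
        if dlo is None:
            msg = "no port ranges given; the thread reports ScreenOS stores this as dst-port 0-0"
        elif (dlo, dhi) == ("0", "0"):
            msg = "dst-port 0-0 (the ScreenOS bug from the thread); must be 0-65535"
        elif (dlo, dhi) != ("0", "65535"):
            msg = f"dst-port {dlo}-{dhi} is meaningless for {PORTLESS_PROTOCOLS[proto]}; use 0-65535"
        else:
            continue  # already in the recommended form
        findings.append(Finding(line_no, name, proto, msg, fixed_service_line(name, proto)))
    return findings


def fix_config(config_text: str) -> str:
    """Rewrite flagged service lines in place, leaving every other line untouched."""
    fixes = {f.line_no: f.fixed_line for f in lint_services(config_text)}
    lines = config_text.splitlines()
    return "\n".join(fixes.get(i, ln) for i, ln in enumerate(lines, 1))


# Constructed sample config (not from a real device). Lines 1 and 4 are the bad cases;
# line 2 is already correct and line 3 is a UDP service the linter must ignore.
SAMPLE_CONFIG = """\
set service "IPsec-ESP" protocol 50 src-port 0-65535 dst-port 0-0
set service "IPsec-AH" protocol 51 src-port 0-65535 dst-port 0-65535
set service "syslog-udp" protocol udp src-port 0-65535 dst-port 514-514
set service "ESP-bare" protocol 50
"""

if __name__ == "__main__":
    for f in lint_services(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.name} (protocol {f.proto}): {f.message}")
        print(f"  fix: {f.fixed_line}")
```

    Run it against the output of `get config` saved to a file; a clean run (no findings) means every ESP/AH custom service is stored with the full destination range, which is the condition the accepted answer says the pass-through policy needs.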



  • 7.  RE: Policy for IPsec client with no NATing

    Posted 09-02-2009 08:13

    I started the rollout a bit ago, and this change was needed.  Without it, the Nortel client stated it was connecting to the VPN gateway, but while waiting for the corporate banner, the connection failed.  Once I put this change in place, things worked.

    Now I have to see about reporting this bug...