ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 179
Registered: ‎11-12-2007
0 Kudos
Accepted Solution

Questions About Remote VPN

Can you please help me with these issues:

1. Whatever I configure as identity on the firewall, the remote user can log in with any name!! Why is that?

2. How can I use the Cisco VPN client and Juniper on the same PC?

3. Can the remote user change the password remotely?
Tariq Morad
Distinguished Expert
Posts: 755
Registered: ‎11-06-2007
0 Kudos

Re: Questions About Remote VPN

More information is needed to help answer your questions.  See below...
 
"1. Whatever I configure as identity on the firewall, the remote user can log in with any name!! Why is that?"
 
Not sure what you mean here. Could you please elaborate? What exactly is configured on the firewall and what is configured on the client?

"2. How can I use the Cisco VPN client and Juniper on the same PC?"
 
You may run into an issue if the Cisco VPN client also uses IPSec, which I believe it does. The reason is that you will likely have a conflict, as both pieces of software will attempt to control the Windows IKE feature.

"3. Can the remote user change the password remotely?"
 
Which password? How are users authenticating now? Are you referring to xauth authentication? If so what auth method is being used on your firewall side (i.e. Radius, local user, SecurID, etc.)?
Contributor
Posts: 179
Registered: ‎11-12-2007
0 Kudos

Re: Questions About Remote VPN

Thank you rkim for taking care of this.

Well..

1. For example, I use tariq@tariq.com as the simple identity on the remote NetScreen. If I enter sako@sako.com I can still log in with the user tariq!!!

2. Yes, both are using the IPSec service. Is there any way to let them both work on the same PC!!?

3. It's xauth and locally, can the user change it?

Thanks a lot for your time.
Tariq Morad
Distinguished Expert
Posts: 755
Registered: ‎11-06-2007
0 Kudos

Re: Questions About Remote VPN

See my responses below:
 
"1. For example, I use tariq@tariq.com as the simple identity on the remote NetScreen. If I enter sako@sako.com I can still log in with the user tariq!!!"
 
How is the IKE gateway configured on the Firewall? Is it configured with IP address or as a dynamic user? If by IP address then it would not matter what email you send for IKE user ID. If the public IP address of the client matches the IP address configured on the Firewall then it uses the IP to identify IKE user and not u-FQDN.
 
"2. Yes, both are using the IPSec service. Is there any way to let them both work on the same PC!!?"
 
It is not likely that both pieces of software can co-exist on the same machine. The two can conflict with each other on the PC, causing performance issues and unpredictable behavior in the best case and blue screens in the worst case. The NS-Remote Installation Guide specifically states to uninstall any other vendor VPN client apps.
 
"3. It's xauth and locally, can the user change it?"
 
Local xauth users and passwords cannot be changed by the user. This can only be changed by a Firewall administrator logged into the Firewall via CLI or Web. This may be possible if xauth was via Radius with an Active Directory on the back end. But with local users, this is not possible.
Contributor
Posts: 179
Registered: ‎11-12-2007
0 Kudos

Re: Questions About Remote VPN

The VPN is through user, not IP. I tested the problem on another firewall and it didn't appear!! It seems that the OS of the firewall should be upgraded, because it's 5.0. What do you think!!
Tariq Morad
Distinguished Expert
Posts: 755
Registered: ‎11-06-2007
0 Kudos

Re: Questions About Remote VPN

Exactly what hardware platform and ScreenOS version are you currently running?
Contributor
Posts: 179
Registered: ‎11-12-2007
0 Kudos

Re: Questions About Remote VPN

Well.. it is an ISG1000, and ScreenOS is 5.0; I can't remember the rest. So you think it's an OS bug!!
Tariq Morad
Distinguished Expert
Posts: 755
Registered: ‎11-06-2007
0 Kudos

Re: Questions About Remote VPN

5.0 is old code and no longer under engineering support. But nevertheless the functionality of which you speak is pretty basic and should still work. Could you post your relevant VPN configs?
Contributor
Posts: 179
Registered: ‎11-12-2007
0 Kudos

Re: Questions About Remote VPN

Dear rkim, I attached the VPN configuration for you. Thank you so much for the great support.
Tariq Morad
Distinguished Expert
Posts: 755
Registered: ‎11-06-2007
0 Kudos

Re: Questions About Remote VPN

I don't see a problem with your configs per se. Do you have any other VPNs configured? If so are any of the gateway IP addresses overlapping with your VPN client host public IP? Perhaps you could run "debug ike detail" and capture an instance of your VPN client connection. I suspect that you have other IKE gateways configured and that you are reaching that IKE gateway and not the dynamic host one you posted.
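Added example, not part of the thread and not Juniper code: a small Python check for the overlap asked about above, reading `set ike gateway` and `set user ... ike-id` lines and reporting whether a client would be matched by peer address or by IKE ID. The sample config is constructed, its line layout is an assumption about ScreenOS `set` syntax, and the matching order is a simplified model of the explanation given in this thread.

```python
import ipaddress
import shlex

# Constructed sample, not the poster's attached config. Addresses come from
# documentation ranges; the "set" line layout is an assumption.
SAMPLE_CONFIG = """
set user "tariq" ike-id u-fqdn "tariq@tariq.com" share-limit 1
set ike gateway "branch-gw" address 203.0.113.10 Main outgoing-interface "ethernet1/1" preshare "REDACTED" proposal "pre-g2-3des-sha"
set ike gateway "dialup-gw" dialup "tariq" Aggr outgoing-interface "ethernet1/1" preshare "REDACTED" proposal "pre-g2-3des-sha"
set ike gateway "dialup-gw" nat-traversal
"""

def parse_config(config):
    """Return (static, dialup, ike_ids): gateway->IP, gateway->user, user->IKE ID."""
    static, dialup, ike_ids = {}, {}, {}
    for line in config.splitlines():
        tok = shlex.split(line)
        if tok[:3] == ["set", "ike", "gateway"] and len(tok) >= 6:
            name, kind, value = tok[3:6]
            if kind == "address":
                try:
                    static[name] = ipaddress.ip_address(value)
                except ValueError:
                    pass  # peer given as a hostname: out of scope here
            elif kind == "dialup":
                dialup[name] = value
        elif tok[:2] == ["set", "user"] and len(tok) >= 6 and tok[3] == "ike-id":
            ike_ids[tok[2]] = tok[5]
    return static, dialup, ike_ids

def explain_match(config, client_ip, ike_id):
    """Model from the thread: a static gateway whose address equals the
    client's public IP wins and the IKE ID is ignored; otherwise a dialup
    gateway matches only if its user's IKE ID equals the one sent."""
    static, dialup, ike_ids = parse_config(config)
    src = ipaddress.ip_address(client_ip)
    for name, addr in static.items():
        if addr == src:
            return name, "peer-address"
    for name, user in dialup.items():
        if ike_ids.get(user) == ike_id:
            return name, "ike-id"
    return None, "no-match"

if __name__ == "__main__":
    for ip, ident in [("203.0.113.10", "sako@sako.com"),
                      ("198.51.100.7", "tariq@tariq.com"),
                      ("198.51.100.7", "sako@sako.com")]:
        print(ip, ident, explain_match(SAMPLE_CONFIG, ip, ident))
```

A "peer-address" result for the dial-up client's public IP means a static gateway overlaps with it, which is the situation in which any IKE ID would appear to be accepted.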
Contributor
Posts: 179
Registered: ‎11-12-2007
0 Kudos

Re: Questions About Remote VPN

Hello rkim, well.. first of all, I asked the customer to issue the debug and then start the remote connection, and there is no output at all. Clear. And about the VPNs, there is another route-based VPN configured with a static gateway, and the dialup one. Is there anything else I can do that would be useful to you to finalize this issue!!
Tariq Morad
Distinguished Expert
Posts: 755
Registered: ‎11-06-2007
0 Kudos

Re: Questions About Remote VPN

"Hello rkim, well.. first of all, I asked the customer to issue the debug and then start the remote connection, and there is no output at all."
 
Did you run command "get db stream"? This is required for outputting any debug commands. Debugs do not automatically write to a CLI window. Assuming you ran "debug ike detail" and let the VPN connect, then once it completes run "get db stream" to view the output.
 
BTW, have you tried going through the Juniper Networks VPN troubleshooting flow? This can be very useful for any VPN troubleshooting. To get to the VPN troubleshooting flow, start here: http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm 
Contributor
Posts: 179
Registered: ‎11-12-2007
0 Kudos

Re: Questions About Remote VPN

Hello rkim, sorry for being late in replying, but I'm still waiting on the customer. He is traveling somewhere, so I was unable to get info from him. I will get back to you soon.
Tariq Morad
Visitor
Posts: 8
Registered: ‎12-05-2007
0 Kudos

Re: Questions About Remote VPN

"2. How can I use the Cisco VPN client and Juniper on the same PC?"

You can install both the Cisco VPN client and the NS Remote client on the same PC. If you are using the Cisco VPN client regularly, just change the startup option of the services called SafeNet IKE Service and SafeNet Monitor Service to MANUAL instead of automatic.

Just note that if you are going to use NS Remote, disable the Cisco System VPN service and start the 2 SafeNet services.

Cheers
CT