Screen OS

  • 1.  SSG 140 - Pass L2TP/IpSec VPN to MIP ?

    Posted 04-07-2014 07:14

    I have an L2TP/IPsec VPN server set up in my TRUST zone.  I have created a MIP and a policy for L2TP/IPsec traffic.  

     

    - Clients can connect via L2TP/IPsec if they are inside the TRUST zone, so I know the VPN server configuration is OK.

     

    - Clients can connect to the VPN server's MIP using PPTP, so I know MIP configuration is OK.

     

    - Clients can NOT connect via L2TP/IPsec if they try to connect to the MIP.  It looks like the connection times out.

     

    - Policy exists to allow UNTRUST -> TRUST traffic to VPN Server's MIP for: UDP 1701, UDP 500, UDP 4500, IP protocol 50, IP protocol 51.

     

    - TRUST LAN interface on SSG 140 is set to 'NAT' mode.

     

    - UNTRUST WAN interface on SSG 140 is set to 'route' mode.

     

     

    What am I doing wrong here?   I know that NAT breaks IPsec, but I thought a MIP would resolve that.



  • 2.  RE: SSG 140 - Pass L2TP/IpSec VPN to MIP ?

     
    Posted 04-08-2014 04:52

    Do you see this traffic hitting your VPN server, or is it dropped at the firewall level itself?



  • 3.  RE: SSG 140 - Pass L2TP/IpSec VPN to MIP ?

    Posted 04-08-2014 14:15

    I ran a packet capture on a client while attempting an L2TP/IPsec connection to the MIP.

     

    I see some 'main mode' packets get traded between client/server on port 500, then 10-20 'quick mode' packets go back and forth on port 4500, then all traffic stops and the VPN software throws an error saying the server is not responding.   Seems to me like it's failing to negotiate the connection.

     

    ~~~~

     

    I also turned on tracing on the RAS server while I was doing this.  There was nothing in the RAS logs at all for the connection attempt.

     

    Seems to me that the SSG140 isn't passing the traffic to the MIP correctly.

     

     



  • 4.  RE: SSG 140 - Pass L2TP/IpSec VPN to MIP ?
    Best Answer

    Posted 04-08-2014 18:42

    The MIP is still a NAT. 

     

    So your IPsec will need to support NAT traversal and have that option enabled in the configuration on both sides.

     

    The issue is that the IP addresses are not only in the packet headers but in the payload.  The NAT traversal feature lets the pair know that NAT is happening so they can deal with the different IP in the payload versus the packet.
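What the NAT traversal negotiation in the answer above actually does, shown as an added illustration that is not part of this thread or of ScreenOS: each IKE peer hashes the source and destination IP/port it believes it is using into NAT-D payloads (RFC 3947); the receiver recomputes the hashes from the headers it really saw, and any mismatch proves a NAT (here, the MIP rewriting the destination) sits in the path, after which both sides float to UDP 4500 with the RFC 3948 framing. The addresses, cookies and the SHA-1 choice are assumptions for the example.

```python
"""NAT-T detection (RFC 3947) and UDP 4500 framing (RFC 3948), constructed example."""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed as the negotiated Phase 1 hash; IKE uses whatever
    hash the Phase 1 proposal selected."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_d_payloads(cky_i, cky_r, src, dst):
    """Payloads a peer puts in its Main Mode message: the hash of the address it
    is sending TO first, then the hash of the address it believes it sends FROM."""
    return [nat_d_hash(cky_i, cky_r, *dst), nat_d_hash(cky_i, cky_r, *src)]


def check_nat(cky_i, cky_r, peer_payloads, seen_src, seen_dst):
    """Receiver side: recompute both hashes from the IP/UDP headers it actually saw.
    A mismatch on our own address means something rewrote the destination in
    front of us (the MIP); no match on the peer's address means the peer was NATed."""
    sent_for_us, sent_for_peer = peer_payloads[0], peer_payloads[1:]
    return {
        "nat_before_us": sent_for_us != nat_d_hash(cky_i, cky_r, *seen_dst),
        "nat_before_peer": nat_d_hash(cky_i, cky_r, *seen_src) not in sent_for_peer,
    }


def classify_udp4500(datagram: bytes) -> str:
    """After NAT is detected both sides move to UDP 4500. On that port IKE carries
    a 4-byte zero Non-ESP Marker, ESP starts with its non-zero SPI, and a lone
    0xFF byte is a NAT keepalive (RFC 3948)."""
    if datagram == b"\xff":
        return "keepalive"
    if len(datagram) >= 4 and datagram[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(datagram) >= 8:  # at least SPI + sequence number
        return "esp"
    return "malformed"


def mip_scenario():
    """Constructed addresses (RFC 5737 ranges) modelling the thread: a client on
    UNTRUST dials the MIP, the SSG rewrites the destination to the real server on
    TRUST, so the server sees a different destination than the client hashed."""
    cky_i = bytes.fromhex("0123456789abcdef")   # assumed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")   # assumed responder cookie
    client = ("203.0.113.5", 500)               # assumed public client address
    mip = ("198.51.100.10", 500)                # assumed MIP on the UNTRUST side
    server = ("192.168.1.10", 500)              # assumed real server on TRUST

    # The client builds its NAT-D payloads against the address it dialled (the MIP).
    payloads = nat_d_payloads(cky_i, cky_r, src=client, dst=mip)
    # MIP translation: only the destination changes on the way in.
    return check_nat(cky_i, cky_r, payloads, seen_src=client, seen_dst=server)


if __name__ == "__main__":
    print(mip_scenario())  # nat_before_us is True on the server side
```

Without NAT-T enabled the peers never exchange these payloads, so the server keeps treating the MIP address embedded in the IKE payload as authoritative and the negotiation stalls, which matches the "server not responding" symptom earlier in the thread.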



  • 5.  RE: SSG 140 - Pass L2TP/IpSec VPN to MIP ?

    Posted 04-09-2014 06:22

    Aha!  I didn't realize MIP is still treated as NAT, but it makes sense now that I think about it.

     

    I'll look at enabling NAT-T on client/server and see how that works.



  • 6.  RE: SSG 140 - Pass L2TP/IpSec VPN to MIP ?

    Posted 04-09-2014 07:42

    Configuring NAT-T on the client and server resolved the issue and I was able to connect OK using the MIP.

     
