ScreenOS Firewalls (NOT SRX)
Visitor
Hype
Posts: 2
Registered: 03-11-2010

SSG5 - IPSec/L2TP Passthrough to a W2k3 server problems

Been searching this forum and Google for quite some time, but can't find what I'm looking for.

The case:

Got an SSG5 (ScreenOS 6.3) at a client, with a Windows Server 2003 behind it, completely up to date.

Until now, we connected to that network through PPTP VPN, without any problems. Now, because of security issues, they want us to connect through IPSec/L2TP. Been changing the config several times now, but I'm still not able to connect.

I don't want the Netscreen to handle the IPSec traffic, just let it pass the traffic to the server.

Configured RRAS with a preshared key and accepting PAP and CHAP only.

The client doesn't want to use the Netscreen VPN tool, so I'm forced to make it work this way.

Created custom services for UDP 500, UDP (tried TCP as well) 1701 and UDP 4500, protocols 50 and 51, put them in VIPs redirecting them to the server and made Policy objects. Below is a small part of the config, regarding these ports:

set service "CustomPPTP" protocol 47 src-port 2048-2048 dst-port 2048-2048
set service "CustomPPTP" + tcp src-port 0-65535 dst-port 1723-1723
set service "L2TP/IPsec" protocol tcp src-port 0-65535 dst-port 1701-1701
set service "L2TP/IPsec ESP/EH" protocol 50 src-port 0-65535 dst-port 0-65535
set service "L2TP/IPsec ESP/EH" + 51 src-port 0-65535 dst-port 0-65535
set service "UDP 500" protocol udp src-port 0-65535 dst-port 500-500
set service "UDP 1701" protocol udp src-port 0-65535 dst-port 1701-1701
set service "UDP 4500" protocol udp src-port 0-65535 dst-port 4500-4500

set interface ethernet0/0 vip interface-ip 1701 "L2TP/IPsec" 10.0.0.1 manual
set interface ethernet0/0 vip interface-ip 4500 "UDP 4500" 10.0.0.1 manual
set interface ethernet0/0 vip interface-ip 500 "UDP 500" 10.0.0.1 manual

exit

set policy id 12 name "L2TP/IPsec" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "L2TP/IPsec" permit log
set policy id 12
set service "L2TP/IPsec ESP/EH"
set service "UDP 1701"
set service "UDP 4500"
set service "UDP 500"

exit

Probably made an error, like not filling in (read: knowing) port numbers for protocols 50 and 51 or something, but I'm kinda stuck now.

So, anyone here who can help me?
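As an added example (not from the original post and not Juniper code), a small Python checker that parses ScreenOS "set service" lines in the form quoted above and reports which of the flows an L2TP/IPsec client sends toward the server (IKE on UDP 500, IKE NAT-T on UDP 4500, L2TP on UDP 1701 and ESP as IP protocol 50) have no matching service entry. The sample config and its service names are constructed; the check treats raw ESP as required even though NAT-T carries it inside UDP 4500 when a NAT sits between client and server.

```python
import re
# Constructed sample in the style of the ScreenOS "set service" lines quoted above;
# the 1701 entry is defined over TCP only, which is what the checker should catch.
SAMPLE_CONFIG = """
set service "L2TP/IPsec" protocol tcp src-port 0-65535 dst-port 1701-1701
set service "L2TP/IPsec ESP/EH" protocol 50 src-port 0-65535 dst-port 0-65535
set service "L2TP/IPsec ESP/EH" + 51 src-port 0-65535 dst-port 0-65535
set service "UDP 500" protocol udp src-port 0-65535 dst-port 500-500
set service "UDP 4500" protocol udp src-port 0-65535 dst-port 4500-4500
"""

# "set service NAME protocol P ..." defines a service; "set service NAME + P ..." adds an entry.
SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" (?:protocol|\+) (?P<proto>\S+)'
    r'(?: src-port \d+-\d+ dst-port (?P<dp>\d+)-(?P<dp2>\d+))?'
)
PROTO_NUM = {"tcp": 6, "udp": 17}  # keywords ScreenOS accepts in place of a protocol number

def parse_services(text):
    """Return (service_name, ip_protocol, dst_port_low, dst_port_high) per service entry."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        proto = m.group("proto").lower()
        ip_proto = PROTO_NUM.get(proto) or int(proto)
        lo = int(m.group("dp")) if m.group("dp") else 0
        hi = int(m.group("dp2")) if m.group("dp2") else 65535
        entries.append((m.group("name"), ip_proto, lo, hi))
    return entries
# Flows an L2TP/IPsec client sends to the server; port None means the protocol has no ports.
REQUIRED = {
    "IKE (UDP 500)": (17, 500),
    "IKE NAT-T (UDP 4500)": (17, 4500),
    "L2TP (UDP 1701)": (17, 1701),
    "ESP (IP protocol 50)": (50, None),
}

def check_passthrough(text):
    """Return the required flows that no parsed service entry covers."""
    entries = parse_services(text)
    missing = []
    for label, (proto, port) in REQUIRED.items():
        covered = any(p == proto and (port is None or lo <= port <= hi)
                      for _, p, lo, hi in entries)
        if not covered:
            missing.append(label)
    return missing
```

Run check_passthrough() over the output of "get config" to see which flows still lack a service before looking at the VIP and policy lines that reference them.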

New User
butchok
Posts: 1
Registered: 08-22-2010

Re: SSG5 - IPSec/L2TP Passthrough to a W2k3 server problems

Did you manage to get it going? I got the same problem.

New User
rich@datarightservices.com
Posts: 1
Registered: 03-08-2013

Re: SSG5 - IPSec/L2TP Passthrough to a W2k3 server problems

I'm working on this too. Did you ever figure it out?