Screen OS


This is a legacy community with limited Juniper monitoring.

Site to Site VPN ipsec ports to allow on non juniper firewalls

  • 1.  Site to Site VPN ipsec ports to allow on non juniper firewalls

    Posted 07-31-2013 16:48

    Hi,

     

    Scenario, Netscreen 350 <-> Non Juniper firewall(cisco, watchguard etc) <-> Netscreen 5GT

     

    What ports besides UDP 500 are required for a NetScreen IPsec site-to-site VPN to work with a non-NetScreen firewall? Especially if VPN Monitor is turned on and Peer Status Detection -> Heartbeat (Hello, Reconnect) is also turned on?

     

     

    thanks

     

     



  • 2.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

     
    Posted 07-31-2013 19:31

    Hi,

     

    Are you terminating the VPN on the non-Cisco device or is it passing through the device and terminated on the 5GT?

     

    In case 1, you don't need to permit any ports. You need to configure a VPN on the 3rd-party device.

     

    In case 2: UDP 500, UDP 4500 (for NAT-T), IP 50 (for ESP) and IP 51 (AH) should take care of it.



  • 3.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

    Posted 08-01-2013 16:09

    Thanks, it is case 2.

     

    Next thing is, on the non-Juniper device can they use port forwarding or do they need to use NAT?

     



  • 4.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

     
    Posted 08-01-2013 19:19

    Both will work. Please make sure you enable NAT-T on both firewalls while configuring the VPN...



  • 5.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

    Posted 08-05-2013 17:05

    Thanks, I am surprised you said forwarding will work. I thought port forwarding only forwards one port per destination IP and an IPsec VPN requires 4 ports.



  • 6.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

     
    Posted 08-05-2013 19:14

    In my understanding, it is not restricted to just 1 port per destination IP. You can add multiple entries with different ports, mapping to the same internal IP. For example, when you have one web server in the internal network, you normally map ports 80, 8081, 443 etc. to the same server.

     

    In case of VPN, if you enable NAT-T, it will suffice to forward UDP 500 and 4500.



  • 7.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

    Posted 08-05-2013 23:54

    Regarding this: "I thought port forwarding only forwards one port per destination IP"

    Yes, you can have multiple different ports per single destination IP for port forwarding.

    Hope you did not mean the same port arriving on one public IP being port forwarded to two different private IPs. In that case simple port forwarding will not work.

     

     



  • 8.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

    Posted 09-01-2013 20:46

    Thanks,

     

    But now I am having issues where the tunnel goes up and down and no traffic is going through the IPSEC tunnel.

     

    screenOS 1 <-> Cisco PIX <-> screenOS 2.

     

    Both screenOS firewalls have NAT-T enabled.

    The connection terminates at both screenOS firewalls.

    Tried enabling and disabling Monitoring and Optimization.

    The Cisco PIX is used to route traffic between the 2 screenos gateways.

     

    I think there is something wrong on the Cisco PIX. However, the customer (Cisco PIX) is allowing all traffic. Do you know if the Cisco PIX requires NAT-T enabled as well, or something additional? Any clue would help.

     

    screenOS2 (ns5gt) used to be using the ADSL1 interface and it was working fine. We swapped the ADSL line for a fixed ethernet connection with a dedicated WAN IP, plugged it into the UNTRUSTED port, modified phase 1 and 2 to use the untrusted port and set up a return route.

     

    screenos1 <-> ADSL <-> screenos2 (works fine)

    screenos1 <-> cisco PIX <-> screenos2 (tunnel unstable and no traffic goes through tunnel)

     

    On both screenos logs you can see the tunnel is UP sometimes; it is like a yo-yo, UP and DOWN.

     

     

     



  • 9.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

     
    Posted 09-02-2013 21:24

    Hi,

     

    Any idea if NAT-T kicked in?

     

    You can collect a debug on both ScreenOS firewalls to look at the packets:

     

    on FW-1:

    set ff dst-ip <public IP of FW-2>
    set ff src-ip <public IP of FW-2>
    snoop filter ip dst-ip <public IP of FW-2>
    snoop filter ip src-ip <public IP of FW-2>
    clear db
    debug flow basic
    snoop
    **try to send traffic through the VPN. Once traffic fails, press 'Esc' to stop the debugs**
    set console page 0
    get db st
    get sa

     

    Simultaneously, collect the same logs from firewall-2 as well. You may have to modify the IPs in the filters as per the NAT-ing setup on the PIX.

     

    The debug output will give a fair idea of what is happening to the VPN packets.



  • 10.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

    Posted 09-02-2013 22:28

    Here are the attachments

     

    I am pinging from FW1 on 10.128.10.115

     

    10.128.10.115 MIPs to an internal IP on FW2

     

    I can't ping from FW2 because access is not given to any resources on FW1.

    Attachment(s): FW2.txt (18 KB), FW1.txt (52 KB)


  • 11.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

    Posted 09-02-2013 22:31

    As far as I know there is no NATing set up on the Cisco PIX. The Cisco PIX is just routing traffic between the 2 screenos firewalls.

     



  • 12.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

     
    Posted 09-02-2013 23:14

    Hi,

     

    NAT-T is not kicking in here; the SA is established over UDP-500.

     

    Can you confirm if PIX is allowing IP-50 (ESP) between the two firewalls?

     

    I see ESP packets leaving FW-1, but no ESP packet from FW-2 is reaching FW-1.

    842040.0: ethernet5/5(o) len=110:00228397bb0d->00090f9d06ac/0800
                  FW1.FW1.FW1.FW1 -> FW2.FW2.FW2.FW2/50
                  vhl=45, tos=00, id=40865, frag=0000, ttl=64 tlen=96
                  esp:spi 293298073

    ethernet5/5(o) ---> 'o' here indicates an outgoing packet. I don't see an incoming packet on e5/5 for IP-50.

     

    But, FW-2 says it is sending out ESP packets towards FW-1:

     

    flow_ip_send: 5015:FW2.FW2.FW2.FW2->FW1.FW1.FW1.FW1,50 => untrust(96) flag 0x898, vlan 0
      mac 000e0c5a5930 in session
      packet send out to 000e0c5a5930 through untrust
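    The one-way ESP pattern called out above can be checked mechanically. The following is an added example (not from the thread, from Juniper or from any poster): it parses the interface and address lines of ScreenOS snoop output in the layout quoted above and flags ESP or AH that leaves the interface without ever arriving, which is the symptom that pointed at the PIX. The sample input is constructed: the ESP packet is the one quoted in the post, the two UDP (IP-17) packets are assumed IKE traffic added to show what a healthy two-way exchange looks like next to it.

```python
import re
from collections import Counter

# Constructed sample in the layout of the ScreenOS 'snoop' lines quoted in the
# thread: the ESP packet is the one shown there (FW1/FW2 placeholders as in the
# post); the two UDP (IP-17) packets are added to show two-way IKE traffic.
SAMPLE_SNOOP = """\
842038.0: ethernet5/5(o) len=110:00228397bb0d->00090f9d06ac/0800
              FW1.FW1.FW1.FW1 -> FW2.FW2.FW2.FW2/17
842039.0: ethernet5/5(i) len=110:00090f9d06ac->00228397bb0d/0800
              FW2.FW2.FW2.FW2 -> FW1.FW1.FW1.FW1/17
842040.0: ethernet5/5(o) len=110:00228397bb0d->00090f9d06ac/0800
              FW1.FW1.FW1.FW1 -> FW2.FW2.FW2.FW2/50
              vhl=45, tos=00, id=40865, frag=0000, ttl=64 tlen=96
              esp:spi 293298073
"""

# Packet header "<ts>: <interface>(i|o) len=...": (i)ncoming or (o)utgoing.
HEADER = re.compile(r"^\S+:\s+(\S+?)\((i|o)\)\s+len=")
# Address line "<src> -> <dst>/<ip protocol number>" that follows the header.
ADDRS = re.compile(r"^\s*(\S+)\s+->\s+(\S+)/(\d+)\s*$")
PROTO_NAMES = {50: "ESP", 51: "AH"}


def parse_snoop(text):
    """Yield (direction, src, dst, proto) tuples, one per snooped packet."""
    direction = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            direction = m.group(2)
            continue
        m = ADDRS.match(line)
        if m and direction:
            yield direction, m.group(1), m.group(2), int(m.group(3))
            direction = None


def diagnose(text):
    """Count packets per (proto, direction); flag ESP/AH that only goes out.
    This is the check post 12 did by eye: ESP leaving FW-1 with no ESP coming
    back means the device in the path is dropping IP-50, not the VPN itself."""
    counts = Counter((proto, d) for d, _, _, proto in parse_snoop(text))
    findings = []
    for proto, name in PROTO_NAMES.items():
        if counts[(proto, "o")] and not counts[(proto, "i")]:
            findings.append(f"{name} (IP-{proto}) leaves but never arrives: "
                            f"check that the device in the path permits IP protocol {proto}")
    return counts, findings
```

Run it against the FW-1 snoop (filtered on the peer's public IP as in post 9) and a non-empty findings list tells you which IP protocol the intermediate device must permit.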


  • 13.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

    Posted 09-03-2013 17:42

    The customer on the Cisco PIX side is allowing all traffic, which I assume should include ESP (IP-50).

    As a test, is there a way to use IPsec but not ESP?



  • 14.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

     
    Posted 09-03-2013 21:07

    Hi,

     


    @smspup987 wrote:

    As a test is there a way to use IPSEC but not ESP? 


    IPsec is not a single protocol but a protocol suite, which includes ESP.

     

    UDP 500 and 4500 are used for negotiating the VPN. In your case this is going through fine, as the VPN status is UP.

     

    Once the VPN is up, actual traffic through the VPN is carried by ESP (IP-50) or AH (IP-51). There is one way to move this to UDP-4500, and that is by using NAT-T.

     

    If the firewalls detect a NAT-ing device when negotiating the VPN, they will automatically switch from UDP 500 to 4500 for VPN negotiation. Once the VPN is up, even ESP packets will be encapsulated inside UDP 4500.

     

    In the absence of a NAT-ing device, they will stick to UDP 500 and ESP. In your case, the VPN is established on UDP-500 as per the 'get sa' output, so NAT-T is not kicking in. I am not aware of a way to force NAT-T.



  • 15.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls
    Best Answer

    Posted 09-03-2013 22:37

    It is working now.

    On the Cisco, I had to specifically allow protocol ESP:

     

    access-list blah permit 50 any any
    access-list blah permit ip any any

     

    and apply it to the outside interface.

     

     

    Thanks very much for your assistance.



  • 16.  RE: Site to Site VPN ipsec ports to allow on non juniper firewalls

     
    Posted 09-03-2013 22:52

    There you go :) Glad I could help...

     

    You can mark this post as 'Solved', which may be of help to users who run into a similar problem...