Screen OS

Is it possible to direct connect an SSG 5 and a Checkpoint Safe@office 500 to test a site-to-site vpn?

VPN is setup on both boxes but the untrust interface acting as vpn gateway on SSG 5 will not communicate.

When you directly connect the two vpn endpoints, you will need to put the untrust interfaces into the same subnet so that they can see each other.

Since you don't have any routing in place between the two devices they will need to be layer 2 adjcent to make the connection.

Have assigned ip addresses on same subnet for the endpoints. Using instructions right off juniper.net:

http://kb.juniper.net/kb/documents/public/VPN/ssg5-ckpoint_app_note.pdf

Even following it to the point of assigning 199.1.1.1 to the untrusted interface on the SSG and 199.1.1.2 to the Checkpoint. Since neither one has internet access, it shouldn't matter that they're using public ip's, should it?

What's confusing is that the instructions say to use e0/2 as the untrusted interface, on mine e0/2 is part of broup0 and does not give me an option to manually configure as untrusted interface with a static address, have tried to use e0/0 and e0/1 as untrusted, neither one will enable the vpn to come up after it's configured. 

Have connected the Checkpoint to a DD-Wrt router and looked at connected devices, 199.1.1.2 will show  as connected, do the same thing with the SSG but it never shows as connected. E0/0 and e0/1 both light up when plugged in. 

The SSG was bought used off of Ebay, it had to be reset in order to log in and configure, the only thing that has been configured is the VPN and the interfaces.

Here is config:

ssg5-serial-> get config
Total Config size 4716:
unset key protection enable
set clock timezone -5
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 199.1.1.1/24
set interface ethernet0/0 route
set interface ethernet0/1 ip 192.168.5.10/24
set interface ethernet0/1 nat
set interface bgroup0 ip 192.168.2.1/24
set interface bgroup0 nat
set interface ethernet0/1 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/1 manage-ip 192.168.5.1
set interface bgroup0 manage-ip 192.168.2.5
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface bgroup0 manage mtrace
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "local-net" 192.168.2.0 255.255.255.0
set address "Untrust" "remote-net" 192.168.10.0 255.255.255.0
set crypto-policy
exit
set ike gateway "CGW" address 199.1.1.2 Main outgoing-interface "ethernet0/0" preshare "1DcZB0qsNKZhN5sXWwCJM95sgAnVXlKDWA==" sec-level standard
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "CVPN" gateway "CGW" no-replay tunnel idletime 0 sec-level standard
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 from "Trust" to "Untrust" "local-net" "remote-net" "ANY" tunnel vpn "CVPN" id 0x1 pair-policy 3
set policy id 2
exit
set policy id 3 from "Untrust" to "Trust" "remote-net" "local-net" "ANY" tunnel vpn "CVPN" id 0x1 pair-policy 2
set policy id 3
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 199.1.1.2/0 gateway 199.1.1.1
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Even following it to the point of assigning 199.1.1.1 to the untrusted interface on the SSG and 199.1.1.2 to the Checkpoint. Since neither one has internet access, it shouldn't matter that they're using public ip's, should it?

 These would be fine for a lab setup like this.

What's confusing is that the instructions say to use e0/2 as the untrusted interface, on mine e0/2 is part of broup0 and does not give me an option to manually configure as untrusted interface with a static address, have tried to use e0/0 and e0/1 as untrusted, neither one will enable the vpn to come up after it's configured. 

the key concept to get here is that you need two interfaces each assigned to their zone untrust or trust.  They can be any interface on the device as long as the ip addresses you need for the configuration end up in the correct zones.

The bgroup0 that is by default the trust interface zone on the SSG5 has multiple interfaces as you note.  So you have two choices:

1-Simply use bgroup0 as the trust interface and change the ip address information on this interface to match the sample configuration.

 2- remove the interface you want from the bgroup0 configuration and decommission the bgroup0 by removing the zone and ip address. Then configure the interface you removed as your trust interface with the sample configuration ip address.

Was able to get a VPN tunnel up and running between the SSG and Checkpoint, one last problem is that i can't get bi-directional access. Can access computers in trust zone from untrusted but can't access untrusted computers from trusted zone. Can't  ping anything in untrusted zone. Noticed in routing entries on the SSG their is nothing for the subnet of the untrusted zone for 192.168.10.0. Added a route to the subnet and not shows this for routing:

login as: netscreen
netscreen@192.168.2.1's password:
Remote Management Console
ssg5-serial-> get routew
                  ^--------unknown keyword routew
ssg5-serial-> get route

IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------                                             ------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent 😧 Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route

IPv4 Dest-Routes for <trust-vr> (9 entries)
--------------------------------------------------------------------------------                                             ------
         ID          IP-Prefix           Interface         Gateway   P Pref    Mtr                                                  Vsys
--------------------------------------------------------------------------------                                             ------
*         6        10.1.1.1/32         eth0/4         0.0.0.0   H    0      0                                                  Root
          2     192.168.3.5/32      eth0/0         0.0.0.0   H    0      0                                                  Root
*         8    192.168.2.5/32      bgroup0     0.0.0.0   H    0      0                                                  Root
          4    192.168.20.1/32    eth0/1         0.0.0.0   H    0      0                                                  Root
          3    192.168.20.0/24    eth0/1         0.0.0.0   C    0      0                                                  Root
          1    192.168.3.0/24      eth0/0         0.0.0.0   C    0      0                                                  Root
*         7    192.168.2.0/24     bgroup0     0.0.0.0   C    0      0                                                  Root
*        18   192.168.10.0/24   n/a             untrust-vr   S   20      1                                             Root
*         5     10.1.1.0/24           eth0/4         0.0.0.0   C    0      0                                                  Root

get route for 192.168.10.0 shows this:

ssg5-serial-> get route ip 192.168.10.1
 Dest for 192.168.10.1
--------------------------------------------------------------------------------------
trust-vr       : => 192.168.10.0/24 (id=18) via (vr: untrust-vr), metric 1
none

This can't be right as I still can't ping anything in 192.168.10.0.

When the route was added in the Webui, it was specified as eth0/4, not sure why it shows up as n/a in the route table with untrust-vr as gateway.

When you create a static route in the web gui, it defaults with the radio button on next hop as "virtual router".

You need to change that option to be "gateway" before submitting the route.

You will need to delete this route and create it again.

Re-entered the route using gateway option, the route is in place but still can't access anything on remote net on checkpoint.

Sorry, didn't realize you had to setup a rule on the Checkpoint to allow traffic through from the VPN, once one was added i can now access in both directions. Thanks for your help.

Glad you have it all working now.