08-26-2009 08:40 AM
I have an Apple VPN server behind the NetScreen, and for that I need to forward port 500 and some other ports.
I have configured the policy, and when I do the VIP configuration on the interface it tells me:
"Not supported service: (ip: *untrust IP here*/port:500) is for management of the box"
Now I think that somehow VPN is active on the NetScreen itself and is therefore using this port. Is there any chance I can turn it off, and where, please? I couldn't find it.
Or am I totally wrong?
I would be happy for any hints.
08-26-2009 09:49 AM
Port 500 is used for IKE, and it seems there is no way to turn that service off. You will have to use a VIP/MIP/DIP to your server from another external IP, in case you have more IPs than your firewall's external one.
Another option is to use, let's say, port 5000 on the external firewall interface and NAPT with VIP to port 500 on your Apple server. Is that possible? Are you in control of which port the external applications/PCs/servers connect to?
08-26-2009 10:07 AM
Thanks for your reply!
I want to use my Mac laptop and my iPhone to connect to the internal VPN server, and with those I am not able to change the connecting port, and I only have one external IP.
Why doesn't it let me turn off IKE, any idea?
08-26-2009 10:12 AM - edited 08-26-2009 10:16 AM
I logged into my own SSG5 looking for ways to change the IKE port or turn it off, but found none. I wouldn't say I am a ScreenOS guru, but I have lots of experience with ScreenOS in live production networks, and to me it makes sense that you can't enable/disable or fiddle with the IKE port. Less for JTAC to troubleshoot when VPN doesn't work :-)
I also checked the CLI for IKE configuration and found no settings for IKE. So I am very certain there is nothing to do about it.
08-26-2009 10:26 AM
Well, I don't like your answer, but I like your trying, and at least you gave me an answer, even if I don't like it.
So cheers, and anyone else who can add something to this question, that would naturally be highly appreciated.
08-26-2009 10:29 AM
Cheers to that :-)
Hopefully some guru can jump in; all I could do was log in on my own SSG5 to see what looked possible :-)
10-14-2010 08:32 AM
This is unfortunate, Slarti.
I too am managing an Xserve with 10 clients and would like the Xserve to host my VPN service rather than the SSG5.
The primary reason is I don't want to have to purchase additional VPN licenses from Juniper when Snow Leopard Server has unlimited licenses. This particular company is growing and should be at 30 employees by the end of 2011.
Have you since discovered a way to do this?
04-17-2012 12:22 PM
Unfortunately the answer to this question is NO.
There is no way we can achieve this. The reason is that the firewall itself is a VPN-compatible box, and if any packet comes to a firewall interface IP (MIP, VIP, anything) with destination port 500, the firewall will treat it as its own traffic and will try to negotiate the VPN. This is by design, since Juniper firewalls are VPN-compatible, so port 500 will always be treated as "someone is trying to create a VPN with me".
The only way to avoid it is to use another IP other than the interface IP.
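To make the thread's conclusion concrete, here is an added ScreenOS CLI example (written for this page, not posted by anyone in the thread and not Juniper's documentation) that puts the rejected interface-IP VIP next to the two workarounds the replies describe: a MIP on a second public address, and a VIP on a different external port. The interface name ethernet0/0, the addresses 203.0.113.11 and 10.1.1.5, the service group name "apple-vpn", the custom ESP service, and the exact predefined service names and the VIP(ethernet0/0) policy notation are all assumptions to adapt to your own box; the `#` lines are annotations, not ScreenOS commands.

```text
# Added example (not from the thread). Interface names, addresses and
# service names are assumptions; substitute your own.

# What the original poster tried: a VIP for UDP 500 on the untrust interface
# IP itself. ScreenOS refuses this because the box reserves port 500 on its
# own addresses for its IKE daemon (the "is for management of the box" error).
#   set interface ethernet0/0 vip interface-ip 500 "IKE" 10.1.1.5     <- rejected

# Option 1 (the thread's conclusion): a MIP on a second public address that
# is NOT an interface IP. 203.0.113.11 is a constructed example address; it
# must belong to the untrust subnet or be routed to the untrust interface.
set interface ethernet0/0 mip 203.0.113.11 host 10.1.1.5 netmask 255.255.255.255 vr trust-vr

# Permit only the VPN protocols to the MIP. IKE (UDP 500), IKE-NAT (UDP 4500)
# and L2TP (UDP 1701) are assumed to be ScreenOS predefined services; ESP
# (IP protocol 50) is defined here as a custom service, which is an assumption
# about the "protocol <number>" form. A service group keeps the policy to one line.
set service "ESP-50" protocol 50
set group service "apple-vpn"
set group service "apple-vpn" add "IKE"
set group service "apple-vpn" add "IKE-NAT"
set group service "apple-vpn" add "L2TP"
set group service "apple-vpn" add "ESP-50"
set policy from untrust to trust any mip(203.0.113.11) "apple-vpn" permit log

# Option 2 (the second reply's NAPT alternative, only usable when the clients
# can change their destination port, which the poster's Mac and iPhone cannot):
# map an unused external port on the interface IP to UDP 500 on the server.
# The VIP(ethernet0/0) destination notation for an interface-IP VIP is assumed.
set interface ethernet0/0 vip interface-ip 5000 "IKE" 10.1.1.5
set policy from untrust to trust any "VIP(ethernet0/0)" "IKE" permit log
```

Option 1 is the one that matches the poster's constraints (one external port that cannot be changed on the clients): the MIP address is a one-to-one translation, so it carries ESP as well as the UDP ports, and because it is not an interface address the firewall's own IKE listener never claims the traffic. Keeping the policy restricted to the VPN service group, with logging on, means the exposed server only receives the protocols it actually terminates and every negotiation attempt is visible in the traffic log.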