ScreenOS Firewalls (NOT SRX)
Visitor
Slarti-42
Posts: 5
Registered: ‎08-23-2009

VPN Port Forwarding 500 in conflict with Netscreen?

Hello everyone,

I have an Apple VPN Server behind the Netscreen, and for that I need to forward port 500 and some other ports.

I have configured the policy, and when I do the VIP configuration on the interface it tells me:
"Not supported service: (ip: *untrust IP here*/port:500) is for management of the box"

Now I think that somehow VPN is active on the Netscreen itself and is therefore using this port. Is there any chance I can turn it off, and where, please? I couldn't find it.

Or am I totally wrong?

I would be happy for any hints.
Kind regards,
Slarti
Trusted Contributor
Posts: 54
Registered: ‎08-03-2009

Re: VPN Port Forwarding 500 in conflict with Netscreen?

Port 500 is used for IKE, and as it seems there is no way to turn that service off. You will have to use VIP/MIP/DIP to your server from another external IP, in case you have more IPs than your firewall's external one.

Another option is to use, let's say, port 5000 on the external firewall interface and NAPT with VIP to port 500 on your Apple server. Is that possible? Are you in control of what port the external applications/PCs/servers connect to?

//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks
Visitor
Slarti-42
Posts: 5
Registered: ‎08-23-2009

Re: VPN Port Forwarding 500 in conflict with Netscreen?

Thanks for your reply!

I want to use my Mac laptop and my iPhone to connect to the internal server VPN, and with those I am not able to change the connecting port, and I only have one external IP :smileysad:

Why doesn't it let me turn off IKE, any idea?

Trusted Contributor
Posts: 54
Registered: ‎08-03-2009

Re: VPN Port Forwarding 500 in conflict with Netscreen?


I logged into my own SSG5 looking for ways to change the IKE port or turn it off, but found none. I wouldn't say I am a ScreenOS guru, but I have lots of experience with ScreenOS in live production networks, and to me it makes sense that you can't enable/disable or fiddle with the IKE port. Less for JTAC to troubleshoot when VPN doesn't work :-)

I also checked the CLI for config of IKE and found no settings for IKE. So I am very certain there is nothing to do about it.

Message Edited by darkiesan on 08-26-2009 07:16 PM
//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks
Trusted Contributor
Posts: 54
Registered: ‎08-03-2009

Re: VPN Port Forwarding 500 in conflict with Netscreen?

Dont forget KUDO if you liked my answer :-)
//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks
Visitor
Slarti-42
Posts: 5
Registered: ‎08-23-2009

Re: VPN Port Forwarding 500 in conflict with Netscreen?

Well, I don't like your answer, but I like your trying, and at least you gave me an answer, even if I don't like it :smileywink:

So cheers, and anyone else, if you can add something to this question here, that would naturally be highly appreciated.

Cheers

Slarti

Trusted Contributor
Posts: 54
Registered: ‎08-03-2009

Re: VPN Port Forwarding 500 in conflict with Netscreen?

Cheers to that :-)

Hopefully some guru can jump in; all I could do was log in on my SSG5 to see what looked possible :-)

//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks
Super Contributor
Cesar
Posts: 141
Registered: ‎11-18-2008

Re: VPN Port Forwarding 500 in conflict with Netscreen?

Apple uses the proprietary Cisco IPsec protocol. Check http://kb.juniper.net/KB9923 for more info.

New User
Foojee
Posts: 1
Registered: ‎10-10-2010

Re: VPN Port Forwarding 500 in conflict with Netscreen?

This is unfortunate, Slarti.

I too am managing an Xserve with 10 clients and would like the Xserve to host my VPN service rather than the SSG5.

The primary reason is I don't want to have to purchase additional VPN licenses from Juniper when Snow Leopard Server has unlimited licenses. This particular company is growing and should be at 30 employees by the end of 2011.

Have you since discovered a way to do this?

Thank you!

lucas

Contributor
Farhan Ali
Posts: 11
Registered: ‎09-23-2011

Re: VPN Port Forwarding 500 in conflict with Netscreen?

Hi Guys,

Unfortunately the answer to this question is NO.

There is no way we can achieve this. The reason is that the firewall itself is a VPN-capable box, and if any packet arrives at the firewall interface IP (MIP, VIP, anything) with destination port 500, the firewall will treat it as its own traffic and will try to negotiate the VPN. This is by design: since Juniper firewalls are VPN-capable, port 500 will always be treated as "someone is trying to create a VPN with me".

The only way to avoid it is to use another IP other than the interface's.

Thanks
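Added example (not from this thread, and not Juniper's own documentation): the "another external IP" approach that Patrik and Farhan describe, written out as ScreenOS CLI for an SSG-style box. The interface name, zone names and all addresses are constructed placeholders, and the MIP and policy syntax is from memory of ScreenOS documentation, so check it against the configuration guide for your ScreenOS release; lines beginning with # are annotations, not CLI.

```screenos
# Assumed layout (constructed): ethernet0/0 is the untrust interface holding the
# firewall's own public address 203.0.113.1; 203.0.113.5 is a spare public address
# in the same block; 192.168.1.10 is the Apple VPN server in the trust zone.

# Map the spare public address one-to-one to the internal VPN server (MIP).
# Traffic to 203.0.113.5 is not "for management of the box", so UDP 500 can pass.
set interface ethernet0/0 mip 203.0.113.5 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr

# Permit only the VPN services to the MIP, not "ANY". IKE (UDP 500) and IKE-NAT
# (UDP 4500) are predefined ScreenOS service names; any further service the
# Apple server needs (e.g. ESP, L2TP) would be added as a separate policy line.
set policy from untrust to trust any mip(203.0.113.5) IKE permit log
set policy from untrust to trust any mip(203.0.113.5) IKE-NAT permit log

save

# Verification: the MIP should be listed, and the policies should show the MIP
# as destination with only the VPN services.
get mip
get policy from untrust to trust
```

The firewall's own address 203.0.113.1 stays reserved for the Netscreen's IKE, which is exactly the conflict the thread describes; only the MIP address is handed to the Apple server.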

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.