ScreenOS Firewalls (NOT SRX)
Contributor
anabiosis
Posts: 16
Registered: 12-22-2009

VPN Share-limit issues

I am having an issue with VPN connectivity to one of my SSGs. The firewalls were configured to allow a share-limit of 1, which works; however, only 1 user in a group can connect at a time:

Current output, which works fine: it has a limit of 1 user per connection, and everyone else gets denied or kicked off.

myssg-> get config | in share-limit
set user "newvpnclient" ike-id fqdn "newvpnclient.xxxx.com" share-limit 1
set user "xxxx.employees" ike-id fqdn "xxxx.employees" share-limit 20
set user "xxxxremote" ike-id fqdn "myssg.xxxx.com" share-limit 2
set user "vpnclients" ike-id fqdn "vpnclients.xxxx.com" share-limit 1

I tried raising the limit, but when I do, NO ONE can connect:

# diff xxxx-original-middletown-fw.txt xxxx-post-vpn-change.txt
210c210
< set user "newvpnclient" ike-id fqdn "newvpnclient.xxxx.com" share-limit 1
---
> set user "newvpnclient" ike-id fqdn "newvpnclient.xxxx.com" share-limit 20

The first config works fine using share-limit 1; the second config blocks everyone. I tried running a debug but don't see any output to determine what is going on.

myssg-> get system | in ver
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.1.0r2.0, Type: Firewall+VPN

myssg-> get config | in newvpnclient
set user "newvpnclient" uid 17
set user "newvpnclient" ike-id fqdn "newvpnclient.xxxx.com" share-limit 1
set user "newvpnclient" type ike
set user "newvpnclient" "enable"
set user-group "newvpnclientgroup" id 5
set user-group "newvpnclientgroup" user "xxx1"
set user-group "newvpnclientgroup" user "xxx2"
set user-group "newvpnclientgroup" user "xxx3"
set user-group "newvpnclientgroup" user "xxx4"
set ike gateway "newvpngw" dialup "newvpnclientgroup" Aggr local-id "newvpngw.xxxx.com" outgoing-interface "ethernet0/0" preshare "xxx+++++==" proposal "pre-g2-3des-sha" "pre-g2-3des-md5" "pre-g2-aes128-sha" "pre-g2-aes128-md5"
set vpn "newvpnclienttunnel" gateway "newvpngw" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-aes128-sha" "nopfs-esp-aes128-md5"
set policy id 44 name "newvpnin" from "Untrust" to "Trust" "Dial-Up VPN" "10.20.30.1/24" "ANY" tunnel vpn "newvpnclienttunnel" id 0x22 log


Is there anything I should know about changing the share limit? With it set to 1 right now, if user xxx1 is on, no one else can log in via VPN until that session is closed. I need all users to be able to get in.

Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: VPN Share-limit issues

Hi,

How are the IP addresses assigned to the dialup users? Are they statically configured on the VPN clients?

Kind regards,
Edouard
Super Contributor
Spud
Posts: 136
Registered: 02-08-2008

Re: VPN Share-limit issues

I suspect it's because you haven't added the IKE user to the user group (as far as I can see from the config above). Where are the users 'xxx1' etc. defined (and as what type of user)?

Here's the way I generally like to set up client VPN tunnels. It may or may not be suitable for your situation, but it might be worth a try:

1. Configure an IKE user (e.g. "Client_VPN_User") with an ID (e.g. a U-FQDN of "clientvpn@ssg.domain.com") and a share-limit of (e.g.) 10.

2. Create a group (e.g. "Client_VPN_Grp") and add the IKE user to this group.

3. Set up user accounts for XAuth authentication (either on the SSG or using RADIUS).

4. Configure the IKE gateway with 'Dialup User Group' set to the group created earlier, and enable XAuth Server. You can either create a group (a new one, separate from the IKE group) for the XAuth users, or just permit any.

5. The clients can all be configured with the shared IKE ID above. Between Phase 1 and Phase 2, a username and password are required for XAuth (this provides individual authentication).

Another option is to use multiple IKE users, but I don't think that's as versatile.
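As an added example (not from Spud's post or from Juniper), here is what steps 1 to 5 look like as ScreenOS CLI, reusing the placeholder names from the post and the gateway/tunnel/policy pattern from the original config. The IP pool, the XAuth account names and the exact form of the xauth and ippool keywords are assumptions to be checked against the CLI reference for the ScreenOS release in use, and the `#` lines are annotations, not CLI input.

```text
# Added example, not from the thread. Names, addresses and passwords are placeholders.

# Step 1: one shared IKE user. share-limit must be at least the number of
# clients that will present this IKE ID at the same time; 1 means one session.
set user "Client_VPN_User" ike-id u-fqdn "clientvpn@ssg.domain.com" share-limit 10
set user "Client_VPN_User" type ike
set user "Client_VPN_User" "enable"

# Step 2: the dialup group must contain the IKE user itself. In the original
# config only xxx1..xxx4 were group members, not the IKE user "newvpnclient".
set user-group "Client_VPN_Grp" user "Client_VPN_User"

# Step 3: individual XAuth accounts on the SSG (a RADIUS server is the alternative),
# collected in a separate group, plus an address pool handed out over XAuth.
# (assumed syntax: "type xauth", "set ippool", "set xauth default ippool")
set user "alice" password "ALICE-PASSWORD-PLACEHOLDER"
set user "alice" type xauth
set user "alice" "enable"
set user "bob" password "BOB-PASSWORD-PLACEHOLDER"
set user "bob" type xauth
set user "bob" "enable"
set user-group "Client_VPN_XAuth_Grp" user "alice"
set user-group "Client_VPN_XAuth_Grp" user "bob"
set ippool "Client_VPN_Pool" 10.20.40.10 10.20.40.100
set xauth default ippool "Client_VPN_Pool"

# Step 4: aggressive-mode dialup gateway bound to the IKE group, with the XAuth
# server enabled and restricted to the XAuth group (assumed keyword form).
set ike gateway "Client_VPN_GW" dialup "Client_VPN_Grp" Aggr local-id "ssg.domain.com" outgoing-interface "ethernet0/0" preshare "PRESHARED-KEY-PLACEHOLDER" proposal "pre-g2-aes128-sha"
set ike gateway "Client_VPN_GW" xauth server Local user-group "Client_VPN_XAuth_Grp"

# Phase 2 tunnel and inbound policy, following the original post's pattern
# (replay protection left on rather than "no-replay").
set vpn "Client_VPN_Tunnel" gateway "Client_VPN_GW" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set policy id 45 name "Client_VPN_In" from "Untrust" to "Trust" "Dial-Up VPN" "10.20.30.1/24" "ANY" tunnel vpn "Client_VPN_Tunnel" log

# Step 5: every client uses the shared IKE ID clientvpn@ssg.domain.com and the
# pre-shared key for Phase 1, then its own alice/bob credentials at the XAuth prompt.
```

With this layout the share-limit caps how many clients may share the IKE identity at once, while the XAuth step and the policy log give a per-person record of who actually came through the tunnel.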

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.