ScreenOS Firewalls (NOT SRX)
Visitor
ChingRC
Posts: 7
Registered: 06-19-2012
0

VPN between Netscreen and Pix / Certificate error after upgrading

Dear All,


I'm trying to establish a policy-based VPN between an SSG 140 and a PIX 506E using our static public IP addresses in the same subnet; both can access the Internet, but the VPN won't come up. Please help me check.

I tried to debug; yesterday I got some information, but today I got nothing from debug crypto isa/ipsec/engine.

Besides, I upgraded Netscreen OS to 6.3. After upgrading, the WebUI shows a certificate error: it has expired. How can I fix this, or do I have to downgrade to the original Netscreen version (6.2) whose certificate was OK?


Below is my configuration


1. PIX configuration:

PIX506E# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX506E
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_in permit ip any any
access-list temp permit ip any any
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 203.x.x.a 255.255.255.240
ip address inside 172.16.1.0 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.x.x.c 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat
crypto map mymap 10 set peer 203.x.x.b
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 203.x.x.b netmask 255.255.255.240 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9c73b2347ae3e2a4db476b369114a33e


2. Netscreen configuration


SSG140-> get config
Total Config size 5143:
unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nMoKDurCK4LOcpeIYs/E9NJt9+FSmn"
set admin http redirect
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "bgroup0/0" zone "Trust"
set interface ethernet0/0 ip 192.168.100.1/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 172.16.10.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 203.x.x.b/28
set interface ethernet0/2 route
set interface ethernet0/2 gateway 203.x.x.c
set interface ethernet0/2 proxy dns
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
unset interface bgroup0/0 manage ping
unset interface bgroup0/0 manage ssh
unset interface bgroup0/0 manage telnet
unset interface bgroup0/0 manage snmp
unset interface bgroup0/0 manage ssl
unset interface bgroup0/0 manage web
set interface vlan1 manage mtrace
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain FEA
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 8.8.8.8 src-interface ethernet0/2
set dns host dns2 8.8.4.4 src-interface ethernet0/2
set dns host dns3 0.0.0.0
set address "Trust" "192.168.100.0/24" 192.168.100.0 255.255.255.0
set address "Untrust" "172.16.1.0/24" 172.16.1.0 255.255.255.0
set address "Untrust" "203.x.x.0/28" 203.x.x.x 255.255.255.240
set crypto-policy
exit
set ike gateway "pix" address 203.x.x.a Main outgoing-interface "ethernet0/2" preshare "6PXZJ8kENyr/VZsmgzC9ApFfIonrPoR3UQ==" proposal "pre-g2-des-sha"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "vpn" gateway "pix" no-replay tunnel idletime 100 proposal "nopfs-esp-des-sha"
set url protocol websense
exit
set policy id 7 from "Untrust" to "Trust" "172.16.1.0/24" "192.168.100.0/24" "ANY" permit
set policy id 7
exit
set policy id 6 from "Trust" to "Untrust" "192.168.100.0/24" "172.16.1.0/24" "ANY" permit
set policy id 6
exit
set policy id 5 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 5
exit
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 3 disable
set policy id 3
exit
set policy id 4 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
set policy id 4
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0185042012000467"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 203.x.x.c
set route 203.x.x.x/28 interface ethernet0/2 gateway 203.x.x.c
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
SSG140->

Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009
0

Re: VPN between Netscreen and Pix / Certificate error after upgrading

Hi,


Your SSG configuration contains no VPN policies. A VPN policy should have the Tunnel action instead of the Permit action and should also refer to the configured VPN. Unlike Cisco ACLs, the configured policies do not start the VPN automatically. You can have multiple policies with similar "interesting" traffic but with different actions. So, if you place an SMB policy with action Deny before policy 7, the SMB traffic will be dropped and no VPN will be negotiated until the first non-SMB packet appears. A policy with action Permit will send traffic unencrypted, as defined in the routing tables. Configured this way, you can selectively encrypt, drop, or send the traffic unencrypted between the same entities.

If you plan to configure and maintain more VPNs in the future, I would recommend switching to route-based VPN right now. It will save you a lot of headaches.

The certificate error is not a severe one. Read KB16739 regarding this.

Kind regards,
Edouard
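An added consistency check (example code written for this page, not from the thread, Juniper or Cisco): it parses constructed excerpts of the two configurations posted above, derives from the PIX side the predefined ScreenOS proposal names and the outbound proxy-ID the SSG must match, and reports the gap echidov describes, namely that no policy references the VPN with the tunnel action. SSG_FIXED with its pair-policy lines is an assumed correction, and the ENC map beyond des/3des is an assumption.

```python
import re

# Constructed excerpts of the two configurations posted in this thread (placeholder addresses kept).
PIX_CFG = """\
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto ipsec transform-set mytrans esp-des esp-sha-hmac
crypto map mymap 10 match address nonat
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""
SSG_POSTED = """\
set ike gateway "pix" address 203.x.x.a Main outgoing-interface "ethernet0/2" preshare "x" proposal "pre-g2-des-sha"
set vpn "vpn" gateway "pix" no-replay tunnel idletime 100 proposal "nopfs-esp-des-sha"
set policy id 6 from "Trust" to "Untrust" "192.168.100.0/24" "172.16.1.0/24" "ANY" permit
"""
# Assumed correction (not the poster's config): the permit policy replaced by a tunnel policy pair.
SSG_FIXED = "\n".join(SSG_POSTED.splitlines()[:2] + [
    'set policy id 8 from "Trust" to "Untrust" "192.168.100.0/24" "172.16.1.0/24" "ANY" tunnel vpn "vpn" pair-policy 9',
    'set policy id 9 from "Untrust" to "Trust" "172.16.1.0/24" "192.168.100.0/24" "ANY" tunnel vpn "vpn" pair-policy 8'])
ENC = {"des": "des", "3des": "3des", "aes": "aes128"}  # PIX keyword -> ScreenOS proposal token (assumed map)
# Outbound (Trust -> Untrust) policies only; the zone names are the ones in the posted config.
POLICY_RE = re.compile(r'set policy id \d+ from "Trust" to "Untrust" "([^"]+)" "([^"]+)" "[^"]+" '
                       r'(permit|deny|tunnel)(?: vpn "([^"]+)")?')
def cidr(addr, mask):  # "172.16.1.0", "255.255.255.0" -> "172.16.1.0/24" (SSG address-book form)
    return f"{addr}/{sum(bin(int(o)).count('1') for o in mask.split('.'))}"
def pix_side(pix_cfg):
    """What the PIX implies the SSG must match: predefined P1/P2 proposal names and the outbound proxy-ID."""
    p1 = dict(re.findall(r"isakmp policy \d+ (authentication|encryption|hash|group) (\S+)", pix_cfg))
    auth = "pre" if p1["authentication"] == "pre-share" else "rsa"
    ts = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", pix_cfg)
    pfs = "pfs" if re.search(r"crypto map \S+ \d+ set pfs", pix_cfg) else "nopfs"
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", pix_cfg).group(1)
    a = re.search(rf"access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)", pix_cfg)
    return {"p1": f"{auth}-g{p1['group']}-{ENC[p1['encryption']]}-{p1['hash']}",
            "p2": f"{pfs}-esp-{ENC[ts.group(1)]}-{ts.group(2)}",
            "src": cidr(a.group(3), a.group(4)), "dst": cidr(a.group(1), a.group(2))}  # mirror of the PIX ACL
def audit(ssg_cfg, pix_cfg):
    """Return findings; an empty list means the SSG side is consistent with the PIX side."""
    want, findings = pix_side(pix_cfg), []
    gw = re.search(r'set ike gateway "[^"]+" .* proposal "([^"]+)"', ssg_cfg)
    vpn = re.search(r'set vpn "([^"]+)" gateway "[^"]+" .* proposal "([^"]+)"', ssg_cfg)
    for phase, got, exp in (("1", gw.group(1), want["p1"]), ("2", vpn.group(2), want["p2"])):
        if got != exp: findings.append(f"phase {phase} proposal {got} != PIX-implied {exp}")
    for src, dst, action, name in POLICY_RE.findall(ssg_cfg):
        if (src, dst, action, name) == (want["src"], want["dst"], "tunnel", vpn.group(1)):
            return findings  # interesting traffic is tunnelled through the configured VPN
    findings.append(f'no policy with action tunnel vpn "{vpn.group(1)}" for {want["src"]} -> {want["dst"]}; traffic leaves in clear text')
    return findings
```

Running audit(SSG_POSTED, PIX_CFG) returns only the missing-tunnel-policy finding, since the proposals on both sides already agree; audit(SSG_FIXED, PIX_CFG) returns an empty list.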
Visitor
ChingRC
Posts: 7
Registered: 06-19-2012
0

Re: VPN between Netscreen and Pix / Certificate error after upgrading

Dear Edouard,


Thanks for your response. Juniper is new to me. I configured the SSG based on Juniper's ScreenOS Reference Guide - VPN, so I missed many things needed to get it working. Can I use that document to do as you advise?

Trusted Expert
sarab
Posts: 373
Registered: 05-12-2012
0

Re: VPN between Netscreen and Pix / Certificate error after upgrading

You can also check the following link for additional info on this topic


http://kb.juniper.net/KB4147

Visitor
ChingRC
Posts: 7
Registered: 06-19-2012
0

Re: VPN between Netscreen and Pix / Certificate error after upgrading

Dear all,


Thanks for your help.


By the way, I had configured the SSG's access to the Internet successfully before and saved the configuration. After that I restored the configuration, but it didn't work.


Configuration as below:


unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nMoKDurCK4LOcpeIYs/E9NJt9+FSmn"
set admin http redirect
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "bgroup0/0" zone "Trust"
set interface ethernet0/0 ip 192.168.100.1/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 172.16.1.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 203.x.x.a/28
set interface ethernet0/2 route
set interface ethernet0/2 gateway 203.x.x.b
set interface ethernet0/2 proxy dns
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2  ip manageable
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
unset interface bgroup0/0 manage ping
unset interface bgroup0/0 manage ssh
unset interface bgroup0/0 manage telnet
unset interface bgroup0/0 manage snmp
unset interface bgroup0/0 manage ssl
unset interface bgroup0/0 manage web
set interface vlan1 manage mtrace
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain FEA
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 8.8.8.8 src-interface ethernet0/2
set dns host dns2 8.8.4.4 src-interface ethernet0/2
set dns host dns3 0.0.0.0
set address "Trust" "192.168.100.0/24" 192.168.100.0 255.255.255.0
set address "Untrust" "203.x.x.x/28" 203.x.x.x  255.255.255.240
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 5 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 5
exit
set policy id 4 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
set policy id 4
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2 gateway 203.x.x.b
set route 203.x.x.x/28 interface ethernet0/2 gateway 203.x.x.b
set
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009
0

Re: VPN between Netscreen and Pix / Certificate error after upgrading

Hi,


I suppose that you have good experience with Cisco. In that case you would rather consider the CLI as the primary configuration/management tool and the GUI as an auxiliary one. I do recommend using the GUI while working with ScreenOS. It is very well structured, intuitive and powerful. The ScreenOS GUI is equally good for a beginner and for an expert. Besides, unlike ASDM, it will never destroy the configuration integrity and force the device to crash.

Have a look at your configuration through the GUI. You will figure out very quickly that the new configuration contains no VPN and the access policies are configured with the action Permit. You should configure a VPN and VPN policies first.

Kind regards,
Edouard
Visitor
ChingRC
Posts: 7
Registered: 06-19-2012
0

Re: VPN between Netscreen and Pix / Certificate error after upgrading

Dear Edouard,


Thank you very much for your recommendation. It pointed out that I had missed many steps in configuring the SSG appliance. Besides, the Netscreen CLI is the best way to see how it works, while the GUI has many options that make a beginner like me confused when configuring Juniper products.


Kind regards,

ChingRC 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.