ScreenOS Firewalls (NOT SRX)
Contributor
fbouzemarene
Posts: 35
Registered: ‎03-06-2008

vpn passthrough and manual ipsec

Hello,

I have an ISG2000 NSRP VSD-less cluster, active/active (to support OSPF), release 6.0r4.

Only one ISG2000 has traffic passing through it because of the different OSPF cost on the 2 boxes.

Two appliances are configured with manual IPsec (no IKE), one on each side of the ISG2000, and on the ISG2000 I have a rule permitting ESP traffic and other traffic between these 2 manual IPsec appliances.

On the ISG2000, I also configured a global policy denying traffic and logging.

When I inspect the log, I see that ESP traffic is dropped by the global policy.

After that, I initiated a debug session, and I also see the packets not matching the policy permitting ESP, so the global policy dropped the traffic.

It seems that ESP packets arriving at the ISG2000 are not recognized as ESP.

Moreover, I have many other dynamic (IKE) tunnels traversing the ISG2000 without problem.

Only manual IPsec tunnels are dropped...

To resolve the issue, I decided to authorize all traffic (ANY service) between the 2 VPN appliances, and now traffic is passing.

But this rule is only temporary, as we have to filter traffic according to the security policy.

I checked the VPN troubleshooting guide, and VPN pass-through is mentioned, but it does not help.

I need help please.

Contributor
gr33ndata
Posts: 69
Registered: ‎02-02-2008

Re: vpn passthrough and manual ipsec

How did you define the ESP Service? Did you create a custom Service with the number 50 in the Protocol Field?
Gr33n Data
JNCIS-FWV, JNCIA-IDP

@gr33ndata

http://gr33ndata.blogspot.com/
Contributor
fbouzemarene
Posts: 35
Registered: ‎03-06-2008

Re: vpn passthrough and manual ipsec

No, the pre-defined ESP service is used in the rule.
Super Contributor
shashlik
Posts: 70
Registered: ‎02-20-2008

Re: vpn passthrough and manual ipsec

Hi fbouzemarene,

Our firewalls do not come with a predefined ESP service object.

In any case, I tried it out with the following service and rule -- the ISG correctly passes ESP traffic:

set service "ESP" protocol 50 src-port 0-65535 dst-port 0-65535

set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ESP" permit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ESP" permit

Could you check your ESP service object and see if you've opened up all the src and dst ports?

Also, is the firewall doing any NAT? I don't think our firewalls do any NAT-Traversal for manual IPsec.

Regards,
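As an added example (not from this thread and not Juniper's code), the following Python script models the two checks raised in this reply: it parses `set service` / `set policy` lines in the form quoted above, answers which policy a given flow would hit, and lints service objects for port-less protocols such as ESP (protocol 50) whose port ranges were narrowed. The sample configuration is constructed from the thread's own lines with one deliberately wrong service object ("ESP-NARROW") added; the match logic is a simplification of the ScreenOS lookup, predefined services such as FTP or IKE are not modelled, and treating a port-less protocol as port 0 is this model's assumption.

```python
"""Simplified model of ScreenOS service objects and policy lookup: an example
added for this thread, not Juniper's code and not the real policy engine."""
import re
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# IP protocols without L4 port fields: a service object for one of these that
# does not cover 0-65535 on both sides can never match real traffic.
PORTLESS = {47: "GRE", 50: "ESP", 51: "AH"}
FULL_RANGE = (0, 65535)

Service = namedtuple("Service", "name protocol src_ports dst_ports")
Policy = namedtuple("Policy", "pid from_zone to_zone src dst service action nat_src")
# Assumption of this model: a port-less protocol is looked up with sport=dport=0.
Flow = namedtuple("Flow", "from_zone to_zone src dst protocol sport dport", defaults=(0, 0))

SERVICE_RE = re.compile(
    r'^set service "([^"]+)" protocol (\d+) src-port (\d+)-(\d+) dst-port (\d+)-(\d+)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)" "([^"]+)" "([^"]+)" (.+)$')

def parse_config(text: str) -> Tuple[Dict[str, Service], List[Policy]]:
    """Collect service objects and policies in configuration (lookup) order."""
    services: Dict[str, Service] = {}
    policies: List[Policy] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            name, proto, s1, s2, d1, d2 = m.groups()
            services[name] = Service(name, int(proto), (int(s1), int(s2)), (int(d1), int(d2)))
        elif m := POLICY_RE.match(line):
            pid, fz, tz, src, dst, svc, rest = m.groups()
            tokens = rest.split()  # e.g. ['nat', 'src', 'dip-id', '4', 'permit', 'log']
            policies.append(Policy(int(pid), fz, tz, src, dst, svc,
                                   "permit" if "permit" in tokens else "deny",
                                   "nat" in tokens and "src" in tokens))
    return services, policies

def service_matches(name: str, services: Dict[str, Service], flow: Flow) -> bool:
    """ANY matches everything; otherwise protocol and both port ranges must fit.
    Predefined ScreenOS services (FTP, IKE, ...) are not modelled here."""
    if name.upper() == "ANY":
        return True
    svc = services.get(name)
    if svc is None or svc.protocol != flow.protocol:
        return False
    return (svc.src_ports[0] <= flow.sport <= svc.src_ports[1]
            and svc.dst_ports[0] <= flow.dport <= svc.dst_ports[1])

def lookup(flow: Flow, services: Dict[str, Service], policies: List[Policy]) -> Optional[Policy]:
    """Return the first policy matching zones, addresses and service; None means
    the flow falls through to the global policy (deny + log in this thread)."""
    for p in policies:
        if (p.from_zone, p.to_zone) != (flow.from_zone, flow.to_zone):
            continue
        if p.src not in ("Any", flow.src) or p.dst not in ("Any", flow.dst):
            continue
        if service_matches(p.service, services, flow):
            return p
    return None

def lint_services(services: Dict[str, Service]) -> List[str]:
    """The check asked for above: a port-less protocol with narrowed port ranges."""
    findings = []
    for svc in services.values():
        if svc.protocol in PORTLESS and (svc.src_ports, svc.dst_ports) != (FULL_RANGE, FULL_RANGE):
            findings.append(f'service "{svc.name}": {PORTLESS[svc.protocol]} (protocol '
                            f'{svc.protocol}) carries no ports; a range narrower than 0-65535 never matches')
    return findings

# Constructed sample modelled on the lines quoted in this thread; "ESP-NARROW"
# is a deliberately wrong service object added here so the lint has something to catch.
SAMPLE_CONFIG = """
set service "ESP" protocol 50 src-port 0-65535 dst-port 0-65535
set service "ESP-NARROW" protocol 50 src-port 500-500 dst-port 500-500
set policy id 294 from "access-ggsn" to "access-bbms"  "AGWQTA1" "GROUP_PICO_BTS" "ESP" nat src dip-id 4 permit log
set policy id 279 from "access-ggsn" to "access-bbms"  "AGWQTA1" "GROUP_PICO_BTS" "ANY" nat src dip-id 4 permit log
"""

def demo() -> dict:
    services, policies = parse_config(SAMPLE_CONFIG)
    esp = Flow("access-ggsn", "access-bbms", "AGWQTA1", "GROUP_PICO_BTS", 50)
    ssh = Flow("access-ggsn", "access-bbms", "AGWQTA1", "GROUP_PICO_BTS", 6, 40000, 22)
    narrowed = dict(services, ESP=services["ESP-NARROW"])  # as if "ESP" had been narrowed
    return {
        "esp_hits": lookup(esp, services, policies).pid,   # 294: the specific ESP rule
        "ssh_hits": lookup(ssh, services, policies).pid,   # 279: the catch-all ANY rule
        # Only the ESP rule in place (before the temporary ANY rule): falls to global deny
        "esp_with_narrowed_service": lookup(esp, narrowed, policies[:1]),
        "lint": lint_services(services),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run directly, it shows the ESP flow hitting the specific rule, a TCP flow hitting the catch-all ANY rule, and the same ESP flow falling to the global deny once the ESP service object is narrowed. On the NAT question in this reply: ESP carries no port numbers, so a source NAT that relies on port translation has nothing to rewrite and cannot distinguish several ESP flows behind one translated address; that is the problem NAT traversal (UDP encapsulation negotiated through IKE) was designed to solve, and it is not available to a manually keyed tunnel.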

 

Contributor
fbouzemarene
Posts: 35
Registered: ‎03-06-2008

Re: vpn passthrough and manual ipsec

Hi Shashlik,

Sorry, I was mistaken; of course, we configured a custom service "ESP" the way you mentioned.

It seems your last remark is the answer: on my original rule to let ESP (and other traffic) pass the firewall, we also have NAT src, and on the symmetric rule we have NAT dst configured:

original rule (disabled):

set policy id 294 from "access-ggsn" to "access-bbms"  "AGWQTA1" "GROUP_PICO_BTS" "ESP" nat src dip-id 4 permit log
set policy id 294 disable
set policy id 294
set service "FTP"
set service "IKE"
set service "PING"
set service "SCTP"
set service "SRTP"
exit

replacement rule (to make things work):

set policy id 279 from "access-ggsn" to "access-bbms"  "AGWQTA1" "GROUP_PICO_BTS" "ANY" nat src dip-id 4 permit log

I can't imagine why, by letting all traffic pass through this rule, ESP traffic (with NAT also configured) is also passing???

Thank you for helping.


Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.