ScreenOS Firewalls (NOT SRX)

2 Dial up clients originating from 1 ip address

07-28-2008 02:17 AM

Hi All,

Hoping you guys can help...

I have a Juniper SSG-140 firewall. I have about 2 dozen clients connecting using the NetScreen-Remote client version 10.7.7.

The remote gateway type for all is “Dialup user” using shared keys. Each user has their own policy.

I have a problem with 2 users who are dialling in from another company (through an unknown firewall). When there was one user there was no problem connecting. Now that a second user is at that site he cannot get a connection; he is getting the following error on his client:

7-25: 16:15:27.859 My Connections\Company - Initiating IKE Phase 1 (IP ADDR=80.169.139.110)
7-25: 16:15:28.078 My Connections\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
7-25: 16:15:43.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:43.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:15:58.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:58.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:13.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:16:13.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:28.343 My Connections\Company - Exceeded 3 IKE SA negotiation attempts

Could it be that both clients are originating from the same IP (the company’s external IP address)? If so, how do I get around this problem?

Cheers,

Stephen

7 REPLIES
Re: 2 Dial up clients originating from 1 ip address

07-28-2008 02:40 AM

Hi Stephen,

Like most IPSec clients, you'll need to have the clients approach the termination point with a unique IP.

The reason is the source and destination port of UDP 500.

I've seen this in the past with Cisco clients also, where (on a NS firewall) a MIP was needed per user traversing the firewall using an IPSec client.

Hope this helps

Kind regards

Colin
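An added example, not part of this thread: a small Python script that parses the NetScreen-Remote client log quoted in the question and reports whether Phase 1 ever got a reply, which is exactly the symptom the UDP 500 explanation above predicts when two clients sit behind one NAT address. It assumes inbound IKE messages are logged with a RECEIVED<<< marker (not present in the quoted log) and ignores the date field, so all times are taken to be within one day; the sample log is the one from the question.

```python
import re
from datetime import datetime

# Constructed sample input: the NetScreen-Remote client log quoted in the question above.
SAMPLE_LOG = r"""
7-25: 16:15:27.859 My Connections\Company - Initiating IKE Phase 1 (IP ADDR=80.169.139.110)
7-25: 16:15:28.078 My Connections\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
7-25: 16:15:43.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:43.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:15:58.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:15:58.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:13.343 My Connections\Company - message not received! Retransmitting!
7-25: 16:16:13.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-25: 16:16:28.343 My Connections\Company - Exceeded 3 IKE SA negotiation attempts
"""
# Client log line layout: "<M-D>: <H:M:S.ms> <connection name> - <event text>"
LINE_RE = re.compile(r"^(\d{1,2}-\d{1,2}): (\d{2}:\d{2}:\d{2}\.\d{3}) (.+?) - (.+)$")
PEER_RE = re.compile(r"IP ADDR=(\d{1,3}(?:\.\d{1,3}){3})")

NO_REPLY = ("no Phase 1 reply at all: check UDP 500 reachability and, if this client "
            "shares a NAT address with another client, enable NAT-T (UDP 4500)")
OTHER = "peer replied but Phase 1 still failed: not a NAT/port-500 problem"


def analyze_phase1(log_text):
    # Summarise each connection's aggressive-mode Phase 1 attempt found in the client log text.
    report, first_send = {}, {}
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines not in the client log format
        ts, conn, event = datetime.strptime(m.group(2), "%H:%M:%S.%f"), m.group(3), m.group(4)
        r = report.setdefault(conn, {"peer": None, "sent": 0, "retransmits": 0,
                                     "received": 0, "failed": False, "elapsed_s": 0.0})
        if peer := PEER_RE.search(event):
            r["peer"] = peer.group(1)
        if event.startswith("SENDING>>>>"):
            r["sent"] += 1
            r["retransmits"] += int("Retransmission" in event)
            first_send.setdefault(conn, ts)
        elif event.startswith("RECEIVED<<<"):  # assumed marker for inbound IKE messages
            r["received"] += 1
        elif event.startswith("Exceeded"):
            r["failed"] = True
        if conn in first_send:  # time since the first Phase 1 packet went out
            r["elapsed_s"] = round((ts - first_send[conn]).total_seconds(), 3)
    for r in report.values():
        r["verdict"] = (NO_REPLY if r["received"] == 0 else OTHER) if r["failed"] else "not failed"
    return report


print(analyze_phase1(SAMPLE_LOG))
```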
Re: 2 Dial up clients originating from 1 ip address

07-28-2008 03:21 AM

Hi CB, thanks for your prompt reply.

You will have to forgive my limited knowledge on firewalls and clients; I’m a jack of all trades, master of none!

Are you saying that it’s not possible in any client configuration to have 2 clients coming from the same IP address?

Cheers,

Stephen

Solution
Accepted by topic author Stemoney
08-26-2015 01:27 AM

Re: 2 Dial up clients originating from 1 ip address

07-28-2008 04:53 AM

Try to enable NAT-T in Phase 1. I had to do that with a Cisco 3000 and I'll assume this will work with Juniper. However, I'm like you, "jack of all trades, master of none", and I'm new to Juniper as well.

Rick

Re: 2 Dial up clients originating from 1 ip address

07-28-2008 04:56 AM

Hi,

You have to enable NAT traversal on the SSG. Go to VPN -> AutoKey Advanced -> Edit, and check NAT Traversal there.

Hope this helps

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL), JNCIA(IDP,AC,WX), BIG IP-F5-LTM, CCNP
Re: 2 Dial up clients originating from 1 ip address

07-28-2008 06:34 AM
I believe you should create a VPN tunnel between the two networks and apply a policy that allows only those two users access to the tunnel, and your network resources.
Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Re: 2 Dial up clients originating from 1 ip address

07-28-2008 09:50 AM

Hi Guys,

Thanks for that. It looks like enabling NAT in VPN > AutoKey Advanced > Gateway > Edit did the trick.

Cheers

Stephen

Re: 2 Dial up clients originating from 1 ip address

09-01-2011 03:06 AM

I have a question for you, how are you defining a different policy for each user?