ScreenOS Firewalls (NOT SRX)

Android VPN to Juniper SSG

‎04-17-2017 01:21 AM

Hi,

 

For a few days I have been trying to find out whether it is possible to connect from Android to Juniper SSG / NetScreen via VPN.

If it's possible, can someone share a howto, please? I see that there is a howto for iOS, for example:

https://forums.juniper.net/jnet/attachments/jnet/Firewalls/30984/4/Apple%20VPN%20and%20Juniper%20ScreenOS.pdf

but I couldn't find a similar thing for Android.

 

I made several attempts to get the VPN working with Android, but without any luck. For Windows PC I am using good old Shrew, but there is no (?) similar client for Android. Or maybe I am wrong? Does anyone know a good client for Android that works with SSG? The built-in Android VPN client does not work for me. I am using Android version 6.

 

Thanks for any answer,

mkola

 

7 REPLIES

Re: Android VPN to Juniper SSG

‎04-24-2017 11:43 PM

Anyone?


Re: Android VPN to Juniper SSG

‎04-26-2017 09:20 PM

Hi,

 

I don't see any document for the Android-based VPN client; however, we can try to help you establish this VPN.

 

1: Do you already have dialup VPNs working using Shrew Soft? IKEv1 or IKEv2?

2: This document talks about an IKEv2 implementation; however, the Android client seems to be IKEv1.

 

If you have configured IKEv1 on the firewall and the Android client fails, do you see any log in "get event" for the failed VPN?

 

Thanks,

Vikas


Re: Android VPN to Juniper SSG

‎04-26-2017 09:57 PM

You can also try test 3 along with the strongSwan VPN client if you want to use IKEv2.

 

Thanks,

Vikas


Re: Android VPN to Juniper SSG

‎04-27-2017 02:33 AM

Hi Vikas,

 

Many thanks for the reply.

Yes, I have a working dial-up VPN using Shrew and it is IKEv1.

 

This is what I see in the logs during a failed connection attempt:

 

2017-04-27T11:27:27.978319+02:00 firewall: NetScreen firewall [Root]system-information-00536: IKE A.B.C.D Phase 1: Responder starts AGGRESSIVE mode negotiations. (2017-04-27 11:27:27)
2017-04-27T11:27:27.978399+02:00 firewall: NetScreen firewall [Root]system-information-00536: IKE A.B.C.D phase 1:The symmetric crypto key has been generated successfully. (2017-04-27 11:27:27)
2017-04-27T11:27:31.093460+02:00 firewall: NetScreen firewall [Root]system-information-00536: IKE A.B.C.D Phase 1: Responder starts AGGRESSIVE mode negotiations. (2017-04-27 11:27:30)
2017-04-27T11:27:31.093460+02:00 firewall: NetScreen firewall [Root]system-information-00536: IKE A.B.C.D phase 1:The symmetric crypto key has been generated successfully. (2017-04-27 11:27:30)
2017-04-27T11:27:31.206171+02:00 firewall: NetScreen firewall [Root]system-information-00536: Rejected an IKE packet on ethernet0/9 from A.B.C.D:37049 to W.X.Y.Z:4500 with cookies 858ce27d53a5c903 and 06e9ca642833dad8 because The peer sent a packet with a message ID before Phase 1 authentication was done. (2017-04-27 11:27:30)

 

 

 

I will try strongSwan as you have suggested and let you know.

 

 

Thanks,

Mathias


Re: Android VPN to Juniper SSG

‎04-27-2017 03:20 AM

Hi Vikas,

 

I tried StrongSwan but it also doesn't work:

 

2017-04-27T12:15:14.265221+02:00 firewall firewall: NetScreen device_id=firewall  [Root]system-information-00536: Rejected an IKE packet on ethernet0/9 from W.X.Y.Z:500 to A.B.C.D:34634 with cookies 618a5fde85eb8615 and c471c3c1d33f4163 because There were no acceptable Phase 1 proposals. (2017-04-27 12:15:13)

 

I don't think it will work. In the "howto" from my first post there is something like a local and a remote identifier. In StrongSwan I cannot configure the local identifier, only the remote one (which is not enough).

 

Do you know of any IKEv1 client for Android that should work with SSG?

 

Thanks,

Mathias


Re: Android VPN to Juniper SSG

‎04-27-2017 08:10 AM

Hi,

 

It seems to be a local ID issue. Can you please check whether it works with the settings below:

 

1: In your Android client, can you try configuring the IPSec identifier to be the same as the ikeID user in the NetScreen?

 

2: OR User/Group name same as in IKE gateway config?

 

3: Are you using any local id in the IKE gateway config?

 

4: strongSwan is not working because it's using IKEv2.

 

Thanks,

Vikas


Re: Android VPN to Juniper SSG

‎04-28-2017 05:11 AM

Hi Vikas,

 

I have checked the settings you have asked me to:

 

> 1: in your Android client, can you try configuring IPSec identifier same as the ikeID user in the netscreen.

Yes, I did that. Without exactly the same identifier on Android as my user has on NetScreen I am getting:

 

2017-04-28T12:10:35.774333+02:00 firewall firewall: NetScreen device_id=firewall  [Root]system-information-00536: Rejected an IKE packet on ethernet0/9 from W.X.Y.Z:26637 to A.B.C.D:500 with cookies 0a063e6232e4fcd6 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway. (2017-04-28 12:10:35)

 

So yes, I have the proper identifier on Android.

 

> 2: OR User/Group name same as in IKE gateway config?

This I do not understand.

 

> 3: Are you using any local id in the IKE gateway config?

No. 

 

> 4: Strongswan is not working because it's using ikeV2.

Yes, StrongSwan is using IKEv2, which is why I have configured a new VPN config for IKEv2 according to the howto from my first post. And it is working perfectly fine with iOS devices. But not with StrongSwan on my Android.
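
Added example (not part of any post in this thread, and not Juniper code): a small triage script for the three "Rejected an IKE packet" messages quoted above, pulling out the ports, cookies and reason so each failure can be matched to the setting to compare first. The area labels and the `triage` function are names made up for this example; the IKE ID mapping reflects what the thread reports, the other two follow from how IKE numbers its Phase 1 messages.

```python
import re

# Rejection lines copied from the posts above (addresses already masked there).
SAMPLE = """\
2017-04-27T11:27:31.206171+02:00 firewall: NetScreen firewall [Root]system-information-00536: Rejected an IKE packet on ethernet0/9 from A.B.C.D:37049 to W.X.Y.Z:4500 with cookies 858ce27d53a5c903 and 06e9ca642833dad8 because The peer sent a packet with a message ID before Phase 1 authentication was done. (2017-04-27 11:27:30)
2017-04-27T12:15:14.265221+02:00 firewall firewall: NetScreen device_id=firewall  [Root]system-information-00536: Rejected an IKE packet on ethernet0/9 from W.X.Y.Z:500 to A.B.C.D:34634 with cookies 618a5fde85eb8615 and c471c3c1d33f4163 because There were no acceptable Phase 1 proposals. (2017-04-27 12:15:13)
2017-04-28T12:10:35.774333+02:00 firewall firewall: NetScreen device_id=firewall  [Root]system-information-00536: Rejected an IKE packet on ethernet0/9 from W.X.Y.Z:26637 to A.B.C.D:500 with cookies 0a063e6232e4fcd6 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway. (2017-04-28 12:10:35)
"""

REJECT = re.compile(
    r"Rejected an IKE packet on (?P<iface>\S+) "
    r"from (?P<src>\S+):(?P<sport>\d+) to (?P<dst>\S+):(?P<dport>\d+) "
    r"with cookies (?P<icookie>[0-9a-f]{16}) and (?P<rcookie>[0-9a-f]{16}) "
    r"because (?P<reason>.+?)\.? \(")

# Reason substring -> setting to compare first (labels are this example's own).
HINTS = [
    ("no acceptable Phase 1 proposals", "phase1-proposal"),  # enc/hash/DH/auth
    ("unrecognized peer gateway", "ike-id"),                 # client identifier
    ("message ID before Phase 1", "phase1-incomplete"),      # Phase 1 not done
]

def triage(text):
    """Return one dict per rejected IKE packet found in the syslog text."""
    events = []
    for line in text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # UDP 4500 on either side means the exchange moved to NAT traversal.
        ev["nat_t"] = "4500" in (ev["sport"], ev["dport"])
        # An all-zero responder cookie marks the initiator's very first packet.
        ev["first_packet"] = ev["rcookie"] == "0" * 16
        ev["area"] = next((a for s, a in HINTS if s in ev["reason"]), "other")
        events.append(ev)
    return events

if __name__ == "__main__":
    for ev in triage(SAMPLE):
        print(f'{ev["src"]}:{ev["sport"]} -> {ev["dst"]}:{ev["dport"]} '
              f'nat_t={ev["nat_t"]} first={ev["first_packet"]} '
              f'area={ev["area"]}: {ev["reason"]}')
```
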