ScreenOS Firewalls (NOT SRX)

How to route all traffic through dial-up IP Sec using Netscreen remote?

‎10-12-2008 10:03 AM

Hi,

I've successfully set up dial-up IP Sec using the Netscreen Remote software.

I can access the LAN behind the SSG.

Now I want to route all traffic through the IP Sec tunnel so that the Internet is reached through the SSG and I have control over the IP Sec's client Internet traffic.

It's like the PPTP option "Client uses default gateway on remote network".

I assume I need to do something with routing on the SSG (Screen OS 6) and something in the settings of the Netscreen Remote software (version 9.3).

If someone knows a way to do it or can point me towards the right document, thanks very much.

Raymond

Re: How to route all traffic through dial-up IP Sec using Netscreen remote?

‎10-12-2008 10:19 AM

I see there's a similar thread:

http://forums.juniper.net/jnet/board/message?board.id=Firewalls&message.id=3311&query.id=101565#M3311

and tried that.

But how do you configure the Netscreen Remote client so that it routes all traffic through the tunnel?

I've changed the remote addressing from 192.168.172.0/24 to 0.0.0.0/0, but after that I cannot make a successful connection at all.

Raymond

Re: How to route all traffic through dial-up IP Sec using Netscreen remote?

‎10-12-2008 09:20 PM

Hi friend,

Refer to thread http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=739&view=by_date_ascending&page=1

and particularly the second page and the last page.

Hope this helps. In case of any confusion let me know.

Thanks

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP

Re: How to route all traffic through dial-up IP Sec using Netscreen remote?

‎10-21-2008 07:34 AM

Re-open.

I can now connect to the Trust zone and reach the Internet over the IP Sec tunnel.

But I still cannot connect to zones other than that one.

I've created extra zones and they each have a physical interface assigned; one of them has BGP enabled and receives additional routes over BGP.

The other one just has a /24 network behind it.

In my Netscreen Remote config I route all traffic through the tunnel, i.e. 0.0.0.0 0.0.0.0.

I've assigned the pool 192.168.185.100-200 for IP Sec users; 192.168.185.0/24 is routed towards the null interface.

But when I try to ping an IP in the ABC (BGP enabled) or PABX (standard /24) zone, the traffic is denied.

Below is the config of my SSG140 running Screen OS 6 (sensitive data removed or masked):

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
set preference ebgp 250
set preference ibgp 40
exit
set service "SSH" timeout 480
set service "INOVAWARE_BACKUP" protocol tcp src-port 0-65535 dst-port 9002-9002 timeout 60
set service "CODA" protocol tcp src-port 0-65535 dst-port 1025-1025 timeout 180
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin http redirect
set admin mail alert
set admin mail server-name
set admin mail mail-addr1
set admin auth web timeout 0
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "ABC"
set zone id 101 "EXTERNEN"
set zone id 102 "PABX"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "ABC" tcp-rst
unset zone "EXTERNEN" tcp-rst
unset zone "PABX" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface ethernet0/0 phy full 100mb
set interface ethernet0/1 phy full 100mb
set interface ethernet0/4 phy full 100mb
set interface ethernet0/6 phy full 100mb
set interface ethernet0/7 phy full 100mb
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "PABX"
set interface "ethernet0/2" zone "Null"
set interface "ethernet0/4" zone "EXTERNEN"
set interface "ethernet0/6" zone "Untrust"
set interface "ethernet0/7" zone "ABC"
set interface "tunnel.1" zone "Untrust"
set interface ethernet0/0 ip 192.168.181.253/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.182.253/24
set interface ethernet0/1 nat
set interface ethernet0/4 ip 192.168.183.1/24
set interface ethernet0/4 route
set interface ethernet0/6
set interface ethernet0/6 route
set interface ethernet0/7 ip 172.16.90.66/29
set interface ethernet0/7 nat
set interface tunnel.1 mtu 1500
set interface "ethernet0/6" pmtu ipv4
set interface "ethernet0/7" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/1 ip manageable
unset interface ethernet0/4 ip manageable
set interface ethernet0/6 ip manageable
unset interface ethernet0/7 ip manageable
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage web
set interface ethernet0/4 manage ping
set interface ethernet0/4 manage ssh
unset interface ethernet0/4 g-arp
set interface ethernet0/6 manage ping
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface ethernet0/7 manage ping
set interface ethernet0/4 dhcp server service
set interface ethernet0/4 dhcp server auto
set interface ethernet0/4 dhcp server option lease 1440
set interface ethernet0/4 dhcp server option gateway 192.168.183.1
set interface ethernet0/4 dhcp server option netmask 255.255.255.0
set interface ethernet0/4 dhcp server option dns1
set interface ethernet0/4 dhcp server ip 192.168.183.100 to 192.168.183.200
unset interface ethernet0/4 dhcp server config next-server-ip
set flow path-mtu
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain
set hostname
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns3 0.0.0.0
set ippool "MUVPN" 192.168.185.100 192.168.185.200

set policy id 25 name "CODA" from "Trust" to "ABC"  "Any" "Any" "CODA" permit log
set policy id 25
exit
set policy id 24 from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "ikevpntunnel" id 0x5 pair-policy 23 log
set policy id 24
exit
set policy id 23 from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "ikevpntunnel" id 0x5 pair-policy 24 log
set policy id 23
exit
set policy id 18 from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "vpntunnel" id 0x4 pair-policy 17 log
set policy id 18
exit
set policy id 11 name "SMTP_FILTER" from "Trust" to "Untrust"  "Any" "MAILSERVER" "SMTP" permit log
set policy id 11
set dst-address "MAILSERVER_2"
exit
set policy id 19 from "Trust" to "Untrust"  "Any" "Any" "SMTP" deny log
set policy id 19
exit
set policy id 17 from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "vpntunnel" id 0x4 pair-policy 18 log
set policy id 17
exit
set policy id 4 name "Test netwerk naar buiten" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 4
exit
set policy id 1 from "Trust" to "ABC"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 2 from "ABC" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 2
exit
set policy id 3 from "ABC" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 3
exit

set log session-init
exit
set policy id 12 name "Internet Externen" from "EXTERNEN" to "Untrust"  "Any" "Any" "ANY" nat src permit log
set policy id 12
exit
set policy global id 16 from "Global" to "Global"  "Any" "Any" "ANY" deny log
set policy id 16
exit
set policy id 20 from "Trust" to "PABX"  "Any" "Any" "ANY" permit log
set policy id 20
exit
set policy id 21 from "PABX" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 21
exit
set src-address "Nagios"
set src-address "Ray_Manage"
set src-address "Stat1"
set src-address "Stat2"
set service "SNMP"
set service "TELNET"
exit

set syslog src-interface ethernet0/6
set syslog enable
set firewall log-self
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
set router-id 172.16.90.66
set protocol bgp
set aggregate
set enable
set always-compare-med
unset synchronization
set reject-default-route
set neighbor 172.16.90.65 remote-as  outgoing-interface ethernet0/7
set neighbor 172.16.90.65 enable
set neighbor 172.16.90.65 nhself-enable
exit

set route-map name "ACCESS-REDISTRIBUTE" permit 10
set match ip 10
exit
unset add-default-route
set route 192.168.185.0/24 interface null
set protocol bgp
set redistribute route-map "ACCESS-REDISTRIBUTE" protocol connected
set redistribute route-map "ACCESS-REDISTRIBUTE" protocol static
exit
exit
set interface ethernet0/7 protocol bgp
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

When I have an IP Sec IP like 192.168.185.100 and try to ping an IP in either the ABC or PABX zone, I see the traffic denied in the log files.

This means the traffic is flowing through the IP Sec tunnel but then gets denied when it wants to travel to the ABC or PABX zone, while I can reach the Trust and Untrust zones.

Even though I have policies saying any to any is allowed from Trust to ABC and from Trust to PABX.

Making policies from Untrust to ABC or Untrust to PABX from 192.168.185.0/2 to any won't work either.

Anybody got a clue?

Thanks, Raymond
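The denied pings in the post above can be reasoned about from the posted policy table alone. What follows is an added example (Python), not part of the original thread and not Juniper code: it parses the "set policy ... from ... to ..." lines exactly as they appear in the posted SSG140 config and works out, for a packet that has just been decrypted from the dial-up VPN, which policy decides its fate for each destination zone. The zone names, the VPN name ikevpntunnel and the "Dial-Up VPN" address object are taken from the posted config. Two things are assumptions the checker encodes rather than facts from the thread, and are marked as such in the comments: that the decrypted packet enters in the zone of the tunnel's outgoing interface (ethernet0/6, so "Untrust") rather than in "Trust", and that on a policy-based VPN the decrypted packet must hit a tunnel policy bound to the same VPN, so a plain permit, a deny or a tunnel policy for a different VPN drops it.

```python
"""Policy-coverage check for a ScreenOS policy-based dial-up VPN.

Added example; not part of the original thread and not Juniper code.
Assumptions encoded here (not stated in the thread):
  * the decrypted packet enters in the zone of the tunnel's outgoing
    interface (ethernet0/6 -> "Untrust" in the posted config), not in "Trust";
  * zone-pair policies are evaluated in config order, then global policies;
  * on a policy-based VPN the decrypted packet must hit a tunnel policy bound
    to the same VPN; a plain permit, a deny, or another VPN's tunnel policy drops it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

VPN_INGRESS_ZONE = "Untrust"   # assumption: zone of ethernet0/6, the tunnel's outgoing interface
VPN_NAME = "ikevpntunnel"      # VPN bound to policies 23/24 in the posted config
DIALUP_OBJECT = "Dial-Up VPN"  # address-book object ScreenOS uses for dial-up peers

# Policy lines copied from the posted config; the rest of the config is not needed.
POSTED_POLICIES = """\
set policy id 25 name "CODA" from "Trust" to "ABC"  "Any" "Any" "CODA" permit log
set policy id 24 from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "ikevpntunnel" id 0x5 pair-policy 23 log
set policy id 23 from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "ikevpntunnel" id 0x5 pair-policy 24 log
set policy id 18 from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "vpntunnel" id 0x4 pair-policy 17 log
set policy id 11 name "SMTP_FILTER" from "Trust" to "Untrust"  "Any" "MAILSERVER" "SMTP" permit log
set policy id 19 from "Trust" to "Untrust"  "Any" "Any" "SMTP" deny log
set policy id 17 from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "vpntunnel" id 0x4 pair-policy 18 log
set policy id 4 name "Test netwerk naar buiten" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1 from "Trust" to "ABC"  "Any" "Any" "ANY" permit log
set policy id 2 from "ABC" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 3 from "ABC" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 12 name "Internet Externen" from "EXTERNEN" to "Untrust"  "Any" "Any" "ANY" nat src permit log
set policy global id 16 from "Global" to "Global"  "Any" "Any" "ANY" deny log
set policy id 20 from "Trust" to "PABX"  "Any" "Any" "ANY" permit log
set policy id 21 from "PABX" to "Trust"  "Any" "Any" "ANY" permit log
"""

POLICY_RE = re.compile(
    r'^set policy (?:global )?id (?P<id>\d+)(?: name "[^"]*")?'
    r' from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)"\s+'
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" (?P<rest>.*)$'
)


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    svc: str
    action: str          # "permit", "deny" or "tunnel"
    vpn: Optional[str]   # VPN name for tunnel policies, else None


@dataclass
class Verdict:
    result: str                # "pass" or "drop"
    policy_id: Optional[int]   # policy that decided it; None for the implicit deny
    reason: str


def parse_policies(text: str) -> List[Policy]:
    """Keep config order: ScreenOS evaluates policies top-down within a zone pair."""
    policies = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # bare 'set policy id N' / 'exit' sub-blocks carry nothing we need
        vpn = re.search(r'tunnel vpn "([^"]+)"', m["rest"])
        if vpn:
            action = "tunnel"
        elif m["rest"].startswith("deny"):
            action = "deny"
        else:
            action = "permit"  # also covers "nat src permit"
        policies.append(Policy(int(m["id"]), m["src_zone"], m["dst_zone"],
                               m["src"], m["dst"], m["svc"], action,
                               vpn.group(1) if vpn else None))
    return policies


def _matches_dialup_ping(p: Policy) -> bool:
    """A ping from a dial-up client to an arbitrary host: source is the dial-up
    object (or Any), destination Any, service ANY. Named objects such as
    MAILSERVER are deliberately not expanded."""
    return p.src in ("Any", DIALUP_OBJECT) and p.dst == "Any" and p.svc.upper() == "ANY"


def vpn_verdict(policies: List[Policy], dst_zone: str,
                ingress_zone: str = VPN_INGRESS_ZONE, vpn_name: str = VPN_NAME) -> Verdict:
    """Decide what happens to a decrypted dial-up packet headed for dst_zone."""
    pair = [p for p in policies if (p.src_zone, p.dst_zone) == (ingress_zone, dst_zone)]
    glob = [p for p in policies if (p.src_zone, p.dst_zone) == ("Global", "Global")]
    candidates = pair + glob
    # Assumption: the SA is bound to a tunnel policy, and only that policy admits
    # the decrypted traffic for this VPN.
    for p in candidates:
        if p.action == "tunnel" and p.vpn == vpn_name and _matches_dialup_ping(p):
            return Verdict("pass", p.pid, "tunnel policy bound to this VPN")
    for p in candidates:
        if _matches_dialup_ping(p):
            if p.action == "tunnel":
                return Verdict("drop", p.pid, f"tunnel policy bound to other VPN {p.vpn!r}")
            if p.action == "permit":
                return Verdict("drop", p.pid, "plain permit; decrypted VPN traffic needs a tunnel policy")
            return Verdict("drop", p.pid, "deny policy (logged when the policy has 'log')")
    return Verdict("drop", None, "no matching policy; implicit deny")


def check_zones(text: str, zones: List[str]) -> Dict[str, Verdict]:
    """Verdict per destination zone for the VPN client's traffic."""
    policies = parse_policies(text)
    return {z: vpn_verdict(policies, z) for z in zones}


if __name__ == "__main__":
    for zone, v in check_zones(POSTED_POLICIES, ["Trust", "ABC", "PABX"]).items():
        print(f"{zone:6} {v.result:4} policy={v.policy_id} ({v.reason})")
```

Run as-is, the script reports pass for Trust via policy 23 and drop for ABC and PABX via the global deny policy 16, which is consistent with the logged denies described in the post: the Trust-to-ABC and Trust-to-PABX permits (policies 1 and 20) never see this traffic, because under the assumed ingress zone it enters the policy engine from Untrust, not from Trust. The check does not model intra-zone traffic, NAT or the membership of named address objects, so it says nothing about the Internet access via Untrust that the post reports.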