Screen OS

  • 1.  NetScreen-5GT NAT-T problem.

    Posted 09-07-2009 04:50

    Hi,

    I'm having trouble with an IPSec VPN connection between a NAT'd Linux client (ipsec-tools 0.7.1, kernel 2.6.22.19) and a NetScreen 5GT (firmware 5.0.0r6.e).

    The client and the firewall negotiate a connection and I can see packets being encrypted and decrypted at the client end. At the firewall end, the packets from the internal network are encrypted properly and sent on to the client; however, the ESP/UDP packets from the client seem to be rejected rather than decrypted.

    When the client's packets hit the firewall external interface a packet is generated in the other direction that Wireshark doesn't seem to be able to decode properly:

    User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
        Source port: isakmp (500)
        Destination port: isakmp (500)
        Length: 148
        Checksum: 0x0000 (none)
            Good Checksum: False
            Bad Checksum: False
    UDP Encapsulation of IPsec Packets
        Non-ESP Marker
    Internet Security Association and Key Management Protocol
        Initiator cookie: 000000000316DC43
        Responder cookie: 000000145BB1114D
        Next payload: UNKNOWN-ISAKMP-VERSION (2)
        Version: 8.7
        Exchange type: UNKNOWN-ISAKMP-VERSION (246)
        Flags: 0x33
        Message ID: 0xc4dbd891
        Length: 1549818119
        Encrypted payload (1549818091 bytes)

    I have the NetScreen configured for a policy-based VPN with the following settings:

    Remote ID: Dialup user
    Mode: Aggressive
    NAT-T: enabled
    Phase 1: pre-g2-aes128-sha
    Phase 2: nopfs-esp-aes128-sha

    If I disable the NAT on the client side (i.e. give it a public IP), the VPN comes up without NAT-T and the traffic flows correctly in both directions without any change to the configuration.

    Can anyone help?

    Thanks,

    Gordon.



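The dissection in the post is worth reading against the RFCs before assuming a bug in either peer. RFC 3948 puts the four-byte non-ESP marker on UDP/4500, not on 500, and an IKEv1 header carries version 1.0 (byte 0x10), an exchange type from a small known set, three defined flag bits, and a length field equal to the datagram payload. The captured packet shows version 8.7, exchange type 246, flags 0x33 and a length of 1549818119 bytes inside a 148-byte UDP datagram, so whatever the firewall sent back, it was not a well-formed ISAKMP message. The following Python is an added example for this thread (not code from the post, from ScreenOS or from ipsec-tools) that demonstrates the three pieces of NAT-T machinery involved: the RFC 3947 NAT-D hashes by which the firewall detects that the client is behind a NAT, the RFC 3948 demultiplexing of keepalive, IKE and UDP-encapsulated ESP on port 4500, and a header sanity check that flags each of the fields above. All cookies, addresses and packets in it are constructed for the example.

```python
"""IKEv1 NAT-T sanity checks. Added example for this thread; not ScreenOS or
ipsec-tools code. Cookies, addresses and packets below are constructed."""
import hashlib
import ipaddress
import struct

# RFC 2408 section 3.1 fixed header: I-cookie, R-cookie, next payload,
# version (major<<4 | minor), exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
IKEV1_EXCHANGES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                   4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
ISAKMP_VERSION_1_0 = 0x10
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 4: NAT-D payload = HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is used to match the thread's pre-g2-aes128-sha proposal."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def peer_behind_nat(cky_i: bytes, cky_r: bytes, claimed_nat_d: bytes,
                    seen_ip: str, seen_port: int) -> bool:
    """Responder-side NAT detection: recompute the NAT-D hash over the source
    address/port the packet really arrived from. A mismatch means a NAT rewrote
    the initiator's address, so both peers float to UDP/4500 (RFC 3947 s.5)."""
    return nat_d_hash(cky_i, cky_r, seen_ip, seen_port) != claimed_nat_d


def classify_udp4500(payload: bytes) -> str:
    """RFC 3948 sections 2.1-2.3: what kind of datagram is this on UDP/4500?"""
    if payload == b"\xff":
        return "nat-keepalive"       # single 0xFF byte
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"                 # IKE follows the 4-byte non-ESP marker
    if len(payload) >= 8:            # SPI (4) + sequence number (4) at minimum
        return "esp"                 # a real SPI is never all-zero (RFC 4303)
    return "invalid"


def check_isakmp_header(payload: bytes) -> tuple:
    """Return (ok, problems) for an ISAKMP header. Each check corresponds to a
    field Wireshark displays; the header from the post fails all four."""
    if len(payload) < ISAKMP_HDR.size:
        return False, ["payload shorter than the 28-byte ISAKMP header"]
    _, _, _nxt, ver, xchg, flags, _msgid, length = ISAKMP_HDR.unpack_from(payload)
    problems = []
    if ver != ISAKMP_VERSION_1_0:
        problems.append(f"version {ver >> 4}.{ver & 0xF}, expected 1.0")
    if xchg not in IKEV1_EXCHANGES:
        problems.append(f"unknown exchange type {xchg}")
    if flags & ~0x07:                # only Encryption, Commit, Auth-only are defined
        problems.append(f"reserved flag bits set in 0x{flags:02x}")
    if length != len(payload):
        problems.append(f"length field {length} != datagram payload {len(payload)}")
    return not problems, problems


def build_isakmp_header(cky_i, cky_r, nxt, ver, xchg, flags, msgid, body_len) -> bytes:
    """Pack a header whose length field covers header + body_len bytes."""
    return ISAKMP_HDR.pack(cky_i, cky_r, nxt, ver, xchg, flags, msgid,
                           ISAKMP_HDR.size + body_len)


# --- constructed scenario (hypothetical values, not from the capture) --------
CKY_I = bytes.fromhex("0316dc43a1b2c3d4")
CKY_R = bytes.fromhex("5bb1114d00000014")
CLIENT_PRIVATE = ("192.0.2.10", 500)      # what the NAT'd client thinks it is
CLIENT_AS_SEEN = ("198.51.100.7", 1024)   # what the firewall actually sees

# Aggressive-mode header (exchange type 4) with a 100-byte body: well formed.
GOOD_HDR = build_isakmp_header(CKY_I, CKY_R, 1, ISAKMP_VERSION_1_0, 4, 0x00, 0, 100) + b"\x00" * 100
# Header carrying the field values from the post's dissection, padded to the
# 136 bytes left after the UDP header and non-ESP marker: malformed.
BAD_HDR = ISAKMP_HDR.pack(CKY_I, CKY_R, 2, 0x87, 246, 0x33, 0xC4DBD891, 1549818119) + b"\x00" * 108


def demo() -> dict:
    claimed = nat_d_hash(CKY_I, CKY_R, *CLIENT_PRIVATE)   # NAT-D the client sends
    return {
        "nat_detected": peer_behind_nat(CKY_I, CKY_R, claimed, *CLIENT_AS_SEEN),
        "no_nat": peer_behind_nat(CKY_I, CKY_R, claimed, *CLIENT_PRIVATE),
        "keepalive": classify_udp4500(b"\xff"),
        "ike": classify_udp4500(NON_ESP_MARKER + GOOD_HDR),
        "esp": classify_udp4500(bytes.fromhex("c0a80001") + b"\x00\x00\x00\x01" + b"\x00" * 16),
        "good": check_isakmp_header(GOOD_HDR),
        "bad": check_isakmp_header(BAD_HDR),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>12}: {result}")
```

The `no_nat` case models the poster's observation that the tunnel works once the client has a public address: the NAT-D hash the client sends then matches what the firewall recomputes, no float to 4500 happens, and ESP travels natively. With a NAT in the path the hashes differ and everything after phase 1 must arrive on UDP/4500 with the marker or SPI in front; a datagram that does not fit any of the three RFC 3948 shapes, or whose IKE header fails the checks above, is exactly what the Wireshark output in the post shows.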
  • 2.  RE: NetScreen-5GT NAT-T problem.

    Posted 09-08-2009 15:15

    Check that NAT-T is enabled on the firewall:

    http://kb.juniper.net/KB4022

    For troubleshooting, please follow this KB:

    http://kb.juniper.net/KB9221

    Please paste the "get event", "get conf" and "debug ike detail" with the help of the above KB9221.

    Thanks

    Atif



  • 3.  RE: NetScreen-5GT NAT-T problem.
    Best Answer

    Posted 09-09-2009 03:01

    Hi Arizvi,

    Thanks for pointing me at those articles. I did some more testing yesterday and this morning. It looks like the problem I'm having is some sort of incompatibility between the version of the Linux client I'm using and the firmware version of the firewall.

    When I try a newer firewall with the same client and configuration everything works fine. If I try a newer version of the client with the old firewall and the same configuration, it also works fine. I think it might be a bug in the NAT-T implementation on the client side.

    As I can get things working by upgrading either the firewall or the client, I guess I'll just put this down as something to look out for in the future.

    Thanks for your help!

    Gordon.