Screen OS

NetScreen Remote Problem


  • 1.  NetScreen Remote Problem

    Posted 04-28-2008 05:18

    Dear all,

     

    I am using the NetScreen Remote Client in order to connect to a NetScreen 5GT. After making a new Connection with all relevant policies, I am unable to see the Connection Name in the Connect option (snap attached for reference).

     

    Anyone's help in this regard would be much appreciated.

     

    Regards,

     

    Akhtar



  • 2.  RE: NetScreen Remote Problem

    Posted 04-28-2008 07:12

    Hi Akhtar,

     

    I got exactly the same problem on a host where several other IPSec clients were installed (Cisco & Nortel). After uninstalling these products I was able to see something in "Connect to". Hope it could help.

     

     



  • 3.  RE: NetScreen Remote Problem

    Posted 04-29-2008 05:40

    Hi Sylvain,

     

    Thanks for the information!! I need some more help from you. I am unable to connect to the remote location. I do have the Remote IP & Pre-Shared Key, and it's not clear why there are two ID_Type fields in the Remote Party Identity & Addressing section.

     

     

    Your help in this regard would be appreciated.

     

     

    Regards,

     

    Akhtar



  • 4.  RE: NetScreen Remote Problem

    Posted 04-29-2008 08:02

    The two ID_Type fields in the Remote Party Identity & Addressing section are for the internal one and the external one.

    The first one (upper one) you specify for the internal one, e.g. if you choose IP Address, that should be the remote PC's internal IP address; if you choose IP Subnet, that would be the remote internal network address; if you choose IP Range, you can specify a certain range of remote internal IPs, for instance from 10.10.10.1 to 10.10.10.10 (10 nodes).

    For the second one (bottom one), you should specify the remote FW's untrust IP (the 5GT's Untrust IP).

    I don't know the version of NS Remote, what kind of OS you are using, which version of NetScreen OS the 5GT has, or how you set up both ends (NS Remote and 5GT), so I'm not sure this would help.

     



  • 5.  RE: NetScreen Remote Problem

    Posted 04-30-2008 07:11

    Thanks for the helpful information!! I am stuck in Phase-2 negotiation and have verified all parameters for the Phase-2 Proposal, but Phase-2 is not succeeding anyway. Can you please help with that? (Log attached)

     

    Regards,

     

    Akhtar

    Attachment: IKE1.txt (1 KB)


  • 6.  RE: NetScreen Remote Problem

    Posted 05-01-2008 05:45

    Hi Akhtar,

     

    Can you tell me the logs on the firewall? We can diagnose the problem.

     

    Thanks



  • 7.  RE: NetScreen Remote Problem
    Best Answer

    Posted 05-01-2008 05:49

    I guess the proxy-id is mismatching. Tell me:

     

    1) What subnet/subnets/IP/range of IPs do you want to access behind the firewall?

    2) What Remote Party Identity and Addressing did you enter on the Juniper NetScreen Remote client?

    3) What destination IP did you enter in the firewall policy for the dialup VPN client?

     

    Thanks
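
    The mismatch Kashif is asking about in the three questions above, and the ID types described in reply 4, can be made concrete with a small model of the Phase 2 proxy-ID comparison. This is an added example for this thread, not NetScreen Remote or ScreenOS code. It assumes that each of the client's ID types (IP Address, IP Subnet, IP Range) describes a contiguous span of addresses, that the firewall derives its local proxy ID from the tunnel policy's destination address, and that a Dial-Up VPN policy accepts whatever host address the client presents as its own identity; the real ScreenOS check also covers ports, which is left out. The addresses are constructed.

```python
"""Model of the IKE Phase 2 proxy-ID comparison behind a "proxy-id mismatch".

Added example for this thread; it is not NetScreen Remote or ScreenOS code.
Assumptions: the three ID types the client offers (IP Address, IP Subnet,
IP Range) each describe a contiguous span of addresses, and the firewall
accepts Phase 2 only when the client's Remote Party Identity describes
exactly the address span named by the tunnel policy's destination (with
the same protocol).  ScreenOS's real check also covers ports; left out here.
"""
import ipaddress
from dataclasses import dataclass

ANY_PROTO = 0  # IKE encodes "any protocol" as 0; the client GUI calls it "All"


@dataclass(frozen=True)
class ProxyId:
    """An IPsec traffic selector reduced to the address span it covers."""
    first: int            # first address covered, as an integer
    last: int             # last address covered, as an integer
    proto: int = ANY_PROTO

    @classmethod
    def address(cls, ip, proto=ANY_PROTO):
        n = int(ipaddress.ip_address(ip))
        return cls(n, n, proto)

    @classmethod
    def subnet(cls, cidr, proto=ANY_PROTO):
        net = ipaddress.ip_network(cidr, strict=False)
        return cls(int(net.network_address), int(net.broadcast_address), proto)

    @classmethod
    def ip_range(cls, start, end, proto=ANY_PROTO):
        a, b = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        if a > b:
            raise ValueError("range start is above range end")
        return cls(a, b, proto)

    def describe(self):
        span = f"{ipaddress.ip_address(self.first)}-{ipaddress.ip_address(self.last)}"
        return f"{span} proto={self.proto or 'any'}"


def phase2_matches(client_local, client_remote, fw_local, fw_remote=None):
    """Compare the two ends' proxy IDs and return (ok, reason).

    client_local / client_remote: what NetScreen Remote sends as "My Identity"
    and "Remote Party Identity".  fw_local: the tunnel policy's destination
    address.  fw_remote=None models a Dial-Up VPN policy that takes whatever
    host address the client presents (an assumption about ScreenOS behaviour).
    """
    if client_remote != fw_local:
        return False, (f"client remote party {client_remote.describe()} != "
                       f"policy destination {fw_local.describe()}")
    if fw_remote is not None and client_local != fw_remote:
        return False, (f"client identity {client_local.describe()} != "
                       f"policy source {fw_remote.describe()}")
    return True, "proxy IDs mirror each other; Phase 2 can complete"


def check_candidates(policy_dest, client_local, candidates):
    """Run each (label, ProxyId) candidate for Remote Party Identity against
    the policy and return {label: (ok, reason)}."""
    return {label: phase2_matches(client_local, rp, policy_dest)
            for label, rp in candidates}


if __name__ == "__main__":
    # Constructed sample: the policy protects 192.168.0.0/24; the client sits
    # at 203.0.113.10 and has tried several ways of naming the remote network.
    policy = ProxyId.subnet("192.168.0.0/24")
    me = ProxyId.address("203.0.113.10")
    tries = [
        ("subnet /24", ProxyId.subnet("192.168.0.0/24")),
        ("subnet /16", ProxyId.subnet("192.168.0.0/16")),
        ("range .1-.254", ProxyId.ip_range("192.168.0.1", "192.168.0.254")),
        ("single host", ProxyId.address("192.168.0.10")),
        ("tcp only", ProxyId.subnet("192.168.0.0/24", proto=6)),
    ]
    for label, (ok, why) in check_candidates(policy, me, tries).items():
        print(f"{label:14} {'OK ' if ok else 'FAIL'} {why}")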



  • 8.  RE: NetScreen Remote Problem

    Posted 05-05-2008 03:21

    You are right Kashif, this was a proxy-id mismatch problem. I have fixed the issue. I need to confirm one thing: when the VPN connects I see that I am not part of that IP pool (say 192.168.0.0/24) which is behind the firewall, but I can access them. Is there any way that I am assigned these IPs (192.168.0.0/24) so that I am part of the same network??

     

    Your help is really appreciated

     

     

    Thanks & Regards,

     

    Akhtar

     

     

    Attachment: NetScreen_LOGS.txt (432 B)


  • 9.  RE: NetScreen Remote Problem

    Posted 05-05-2008 12:19

    Hi Akhtar,

     

    Actually you can get an IP and DNS etc. through XAuthentication, but one thing should be clear: the user pool (from which the dialup VPN client gets its IP) should not be used anywhere on the firewall. Suppose the trust zone subnet is 192.168.1.0/24 and, using XAuthentication, the dialup VPN user gets an IP from 192.168.1.0/24; then when the dialup VPN user accesses any IP from 192.168.1.0/24, the reverse traffic towards the dialup VPN client from that IP will be forwarded out of the trust interface (through route lookup), because the firewall will assume that subnet is on the trust zone interface. This problem is known as asymmetric routing.

     

    I hope you understood.

     

    Thanks
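
    The route-lookup behaviour Kashif describes can be shown with a plain longest-prefix-match over a small route table. This is an added example for this thread, not ScreenOS code: the table, the interface names and the pools are constructed, and the lookup is a generic LPM rather than the firewall's own implementation. It shows why a pool carved out of the trust LAN sends replies to the LAN interface instead of back toward the tunnel, and gives a check to run against a candidate pool before configuring it.

```python
"""Longest-prefix-match model of the return path in the asymmetric-routing case.

Added example for this thread, not ScreenOS code: a generic route lookup over
a constructed table, used to show why an XAuth pool that overlaps a subnet
the firewall already knows sends the reply out of the wrong interface.
"""
import ipaddress

# Constructed route table: (destination prefix, egress interface).
ROUTES = [
    ("192.168.1.0/24", "ethernet1 (trust)"),     # connected: the trust LAN
    ("172.16.71.8/29", "ethernet3 (untrust)"),   # connected: the untrust link
    ("0.0.0.0/0", "ethernet3 (untrust)"),        # default route
]


def lookup(dst, routes=ROUTES):
    """Return (prefix, interface) of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def reply_path(client_ip, tunnel_iface, routes=ROUTES):
    """Where does traffic back to a dial-up client go?  Returns (iface, ok);
    ok is False when the lookup steers the reply away from the interface the
    dial-up gateway terminates on, i.e. the asymmetric case."""
    _prefix, iface = lookup(client_ip, routes)
    return iface, iface == tunnel_iface


def audit_xauth_pool(pool_cidr, routes=ROUTES):
    """List the non-default routes a candidate XAuth pool collides with.
    An empty list means no connected or static prefix will capture replies
    destined for pool addresses."""
    pool = ipaddress.ip_network(pool_cidr)
    return [(cidr, iface) for cidr, iface in routes
            if ipaddress.ip_network(cidr).prefixlen > 0
            and ipaddress.ip_network(cidr).overlaps(pool)]


if __name__ == "__main__":
    untrust = "ethernet3 (untrust)"
    # Pool carved out of the trust LAN: the reply goes to the LAN, not the tunnel.
    print(reply_path("192.168.1.200", untrust))   # ('ethernet1 (trust)', False)
    # Pool on its own prefix: the reply falls to the default route, toward the peer.
    print(reply_path("10.10.20.200", untrust))    # ('ethernet3 (untrust)', True)
    print(audit_xauth_pool("192.168.1.0/24"))     # collides with the trust LAN
    print(audit_xauth_pool("10.10.20.0/24"))      # []
```

    In practice the check is the last function: pick a pool prefix that `audit_xauth_pool` reports as clean, which is exactly the "not used anywhere on the firewall" condition from the reply.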

     

     



  • 10.  RE: NetScreen Remote Problem

    Posted 05-06-2008 06:42

    Yes Kashif, I got your point. Can you please share your view on this: when a Remote VPN Client is behind a NAT/PAT router, the VPN is able to establish successfully, but I can't access the devices behind the NetScreen firewall. I am able to access the said subnet when I am not behind a NAT/PAT box.

     

    Your help in this regard would be appreciated.

     

     

    Regards,

     

    Akhtar



  • 11.  RE: NetScreen Remote Problem

    Posted 05-06-2008 10:46

    Akhtar,

     

    Actually, if the NetScreen Remote client is behind the NAT/PAT device then there can be a problem in establishing the VPN between the NetScreen Remote client and the firewall. The solution is to enable NAT traversal on the firewall (VPN -> AutoKey Advanced -> Gateway -> Edit -> Advanced -> here check Enable NAT-Traversal).

     

    You said there is no problem in establishing the VPN. So I guess check the route (for the subnet behind the firewall) on the NAT/PAT device. I guess that can be the problem, so add a route on the NAT/PAT device for the subnet behind the firewall with the firewall as next hop.

     

    Let me know the outcome. Thanks



  • 12.  RE: NetScreen Remote Problem

    Posted 05-07-2008 00:22

    Thanks Kashif for all your time and support. The NAT-T check worked!! Again, thanks for the help. One more thing I would like to confirm is: what if a NetScreen box is behind a NAT/PAT box? Do we still need to enable that NAT-T check??

     

     

    Thanks & Regards,

     

    Akhtar



  • 13.  RE: NetScreen Remote Problem

    Posted 05-07-2008 03:25

    Akhtar

     

    If the firewall is behind the NAT/PAT device then there are two possibilities:

     

    1) If the other end is a NetScreen Remote client you don't need to do anything; NetScreen Remote auto-detects that the firewall is behind the NAT/PAT device.

    2) If the other end is also another firewall then you need to enable NAT-Traversal on this firewall.

     

    Thanks
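
    The "auto-detect" in the reply above, and the NAT-Traversal setting from reply 11, both rest on the IKEv1 NAT-D exchange of RFC 3947: each peer hashes the address and port it believes it is using, and the receiver recomputes the hash over what it actually saw on the wire. The code below is an added example for this thread, not NetScreen Remote or ScreenOS code. It implements both halves of that exchange and runs the two cases discussed in the thread (client behind NAT, firewall behind NAT) plus the no-NAT case. The Phase 1 cookies, the public addresses and the choice of SHA-1 as the negotiated hash are constructed; the firewall's private address 172.16.71.11 is borrowed from later in the thread purely as an illustration.

```python
"""IKEv1 NAT-Traversal detection (RFC 3947 NAT-D payloads), both sides.

Added example for this thread; not NetScreen Remote or ScreenOS code.  Each
peer hashes the addresses and ports it believes are in use and the receiver
recomputes the hashes over what it actually saw on the wire.  Cookies and
addresses below are constructed; the hash is the one negotiated in Phase 1
(SHA-1 assumed here).
"""
import hashlib
import ipaddress
import struct

# Constructed Phase 1 cookies (8 bytes each in IKEv1).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d(hash_name, cky_i, cky_r, ip, port):
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(hash_name, cky_i, cky_r, my_addr, peer_addr):
    """Sender side: the first NAT-D covers the remote address the sender is
    talking to, then one NAT-D for each local address it may send from."""
    return [nat_d(hash_name, cky_i, cky_r, *peer_addr),
            nat_d(hash_name, cky_i, cky_r, *my_addr)]


def check_nat_d(hash_name, cky_i, cky_r, payloads, observed_src, my_addr):
    """Receiver side.  observed_src is the source IP/port of the packet that
    carried the payloads; my_addr is the address it arrived on.  A NAT on the
    peer's side rewrote the source, so none of the peer's local hashes match;
    a NAT in front of the receiver means the peer hashed a public address this
    box has never seen, so the remote hash does not match either."""
    remote_d, local_ds = payloads[0], payloads[1:]
    self_behind_nat = remote_d != nat_d(hash_name, cky_i, cky_r, *my_addr)
    peer_behind_nat = nat_d(hash_name, cky_i, cky_r, *observed_src) not in local_ds
    return {
        "peer_behind_nat": peer_behind_nat,
        "self_behind_nat": self_behind_nat,
        # RFC 3947: once either side detects a NAT, IKE and ESP move to UDP 4500.
        "float_to_udp_4500": peer_behind_nat or self_behind_nat,
    }


def firewall_view(client_sends_from, client_sends_to, firewall_sees_src, firewall_addr):
    """Run one exchange from the firewall's point of view: the client builds
    its NAT-D payloads, the firewall checks them against the packet it got."""
    payloads = build_nat_d_payloads("sha1", CKY_I, CKY_R, client_sends_from, client_sends_to)
    return check_nat_d("sha1", CKY_I, CKY_R, payloads, firewall_sees_src, firewall_addr)


if __name__ == "__main__":
    # Client behind a NAT/PAT router: it hashes 192.168.10.5:500, the firewall
    # sees the translated 198.51.100.7:1024, so the client's local hash fails.
    print(firewall_view(("192.168.10.5", 500), ("203.0.113.1", 500),
                        ("198.51.100.7", 1024), ("203.0.113.1", 500)))
    # Firewall behind a NAT that exposes 203.0.113.1 for its interface
    # 172.16.71.11; the client is not NATed, so only the remote hash fails.
    print(firewall_view(("198.51.100.7", 500), ("203.0.113.1", 500),
                        ("198.51.100.7", 500), ("172.16.71.11", 500)))
    # No NAT anywhere: both hashes line up and IKE stays on UDP 500.
    print(firewall_view(("198.51.100.7", 500), ("203.0.113.1", 500),
                        ("198.51.100.7", 500), ("203.0.113.1", 500)))
```

    The client runs `check_nat_d` symmetrically on the firewall's payloads, which is how it can notice a NAT in front of the firewall without any setting on its side; the firewall still has to have NAT-Traversal enabled to send its own NAT-D payloads and to accept the move to UDP 4500.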



  • 14.  RE: NetScreen Remote Problem

    Posted 05-13-2008 07:44

    Dear Kashif,

     

    I would need your help again. I am stuck now in a different thing. Now the Remote VPN Client is trying to connect to an ISG-2000. So I have created a separate VSYS for this purpose on the ISG-2000 and done all the required configs as I did for the NetScreen 5-GT. Now the ISG-2000 is showing something different in the logs (attached). Similar configs worked for the NetScreen setup, but here it is making problems.

     

    Your help in this regard would be highly appreciated.

     

     

    Regards,

     

    Akhtar

    Attachment: LOG-ISG-2000.txt (843 B)


  • 15.  RE: NetScreen Remote Problem

    Posted 05-13-2008 08:19

    Hi Akhtar,

     

    This particular error means "your outgoing interface which you configured under VPN -> AutoKey Advanced -> Gateway -> Advanced", so correct your outgoing interface (the interface on which the NetScreen Remote client will hit the ISG).

     

    let me know the outcome

     

    Thanks

     

    Kashif 



  • 16.  RE: NetScreen Remote Problem

    Posted 05-13-2008 22:40

    Kashif, I am using the right interface, but that interface is behind a NAT device, so the real IP gets translated into a private one (assigned on the ISG-2000 interface). Hope this helps you further.

     

     

    Regards,

     

    Akhtar

     

     



  • 17.  RE: NetScreen Remote Problem

    Posted 05-14-2008 04:05

    Akhtar,

     

    Can you post the configuration of the ISG?

     

    Thanks

     

    Kashif



  • 18.  RE: NetScreen Remote Problem

    Posted 05-14-2008 06:28
    Please find the configuration attached!! The 1.1.1.1/30 route is for that remote access client.
    Message Edited by Akhtar on 05-14-2008 06:29 AM

    Attachment: Config_ISG-2000.txt (2 KB)


  • 19.  RE: NetScreen Remote Problem

    Posted 05-14-2008 07:33

    Akhtar,

     

    I guess you should check the NATing. You are using interface aggregate1.5:1 in the VPN configuration as the outgoing interface, whose IP is 172.16.71.11/29. So your NAT should be public IP <-> 172.16.71.11/29 (not 172.16.71.12/29, which is the IP of interface aggregate1.5:2).

     

    Please check this and let me know the outcome.

     

    Thanks

     

    Kashif 



  • 20.  RE: NetScreen Remote Problem

    Posted 05-14-2008 22:30

    I have rechecked the NATing; it is configured fine. Packets are also landing on aggregate1.5:1, but the ISG-2000 is rejecting IKE packets. I think we have to modify some configs on the remote access client in REMOTE PARTY IDENTITY & ADDRESSING. In this field I think we have to somehow specify the private IP assigned on aggregate1.5:1.

     

    One more thing which I want to let you know is that I can even ping the public IP from the remote access client PC.

     

    In case you come to know about something, do let me know.

     

    If you can, also let me know your email address.

     

    Regards,

     

    Akhtar



  • 21.  RE: NetScreen Remote Problem

    Posted 05-07-2008 08:34

    What kind of PC/laptop?