Screen OS


Questions About Remote VPN

  • 1.  Questions About Remote VPN

    Posted 11-12-2007 05:06
    Can you please help me with these issues:

    1. Whatever identity I configure on the firewall.. the remote user can log in with any name !! Why is that?

    2. How can I use the Cisco VPN client and Juniper on the same PC?

    3. Can the remote user change the password remotely?
    #cisco
    #remote
    #vpn


  • 2.  RE: Questions About Remote VPN

    Posted 11-13-2007 13:19
    More information is needed to help answer your questions. See below...
     
    "1. Whatever identity I configure on the firewall.. the remote user can log in with any name !! Why is that?"
     
    Not sure what you mean here. Could you please elaborate? What exactly is configured on the firewall and what is configured on the client?

    2. How can I use the Cisco VPN client and Juniper on the same PC?
     
    You may run into an issue if the Cisco VPN client also uses IPSec, which I believe it does. The reason is that you will likely have a conflict, as both pieces of software will attempt to control the Windows IKE feature.

    3. Can the remote user change the password remotely?
     
    Which password? How are users authenticating now? Are you referring to xauth authentication? If so, what auth method is being used on your firewall side (i.e., RADIUS, local user, SecurID, etc.)?


  • 3.  RE: Questions About Remote VPN

    Posted 11-14-2007 01:36
    Thank you rkim for taking care of this,

    well..

    1. For example, I use tariq@tariq.com as the simple identity on the remote NetScreen.. if I enter sako@sako.com I can still log in as the user tariq.. !!!

    2. Yes, both are using the IPsec service. Is there any way to let them both work on the same PC !!?

    3. It's xauth and local. Can the user change it?

    Thanks a lot for your time.


  • 4.  RE: Questions About Remote VPN
    Best Answer

    Posted 11-17-2007 00:17
    See my responses below:
     
    "1. For example, I use tariq@tariq.com as the simple identity on the remote NetScreen.. if I enter sako@sako.com I can still log in as the user tariq.. !!!"
     
    How is the IKE gateway configured on the Firewall? Is it configured with an IP address or as a dynamic user? If by IP address, then it would not matter what email you send as the IKE user ID. If the public IP address of the client matches the IP address configured on the Firewall, then it uses the IP to identify the IKE user and not the u-FQDN.
     
    "2. Yes, both are using the IPsec service. Is there any way to let them both work on the same PC !!?"
     
    It is not likely that both pieces of software can co-exist on the same machine. The two can conflict with each other on the PC, causing performance issues and unpredictable behavior in the best case and blue screens in the worst case. The NS-Remote Installation Guide specifically states to uninstall any other vendor's VPN client apps.
     
    "3. It's xauth and local. Can the user change it?"
     
    Local xauth users and passwords cannot be changed by the user. They can only be changed by a Firewall administrator logged into the Firewall via the CLI or Web UI. This may be possible if xauth were via RADIUS with Active Directory on the back end, but with local users it is not possible.


  • 5.  RE: Questions About Remote VPN

    Posted 11-17-2007 00:33
    The VPN is through user, not IP.. I tested the problem on another firewall and it didn't appear !! It seems that the OS of the firewall should be upgraded.. because it's 5.0.. what do you think !!


  • 6.  RE: Questions About Remote VPN

    Posted 11-17-2007 09:29
    Exactly what hardware platform and ScreenOS version are you currently running?


  • 7.  RE: Questions About Remote VPN

    Posted 11-17-2007 23:06
    well.. it is an ISG1000.. and ScreenOS is 5.0, I can't remember the rest. So you think it's an OS bug !!


  • 8.  RE: Questions About Remote VPN

    Posted 11-18-2007 13:25
    5.0 is old code and no longer under engineering support. But nevertheless the functionality of which you speak is pretty basic and should still work. Could you post your relevant VPN configs?


  • 9.  RE: Questions About Remote VPN

    Posted 11-18-2007 23:16
    Dear rkim, I attached the VPN configuration for you. Thank you so much for the great support.
    #Identity
    #xauth
    #remote
    #vpn



  • 10.  RE: Questions About Remote VPN

    Posted 11-19-2007 22:17
    I don't see a problem with your configs per se. Do you have any other VPNs configured? If so are any of the gateway IP addresses overlapping with your VPN client host public IP? Perhaps you could run "debug ike detail" and capture an instance of your VPN client connection. I suspect that you have other IKE gateways configured and that you are reaching that IKE gateway and not the dynamic host one you posted.
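    The gateway-selection behaviour described in the best answer above (a gateway defined by peer IP is matched on the source address alone, so the client's IKE ID is never consulted) and the suspicion in this reply (the client is landing on a different IKE gateway than the dynamic one) are modelled below. This is an added illustration, not code from the thread or from Juniper, and the gateway names, addresses and identities are constructed; it is a simplified model of the responder's lookup, not ScreenOS itself.

    ```python
    # Added example: simplified model of how an IKE responder picks a gateway
    # definition for an incoming Phase 1 from a dial-up client. Static-address
    # gateways are keyed on source IP, so the presented IKE ID (u-FQDN) is
    # irrelevant for them; only dynamic-peer gateways are keyed on the ID.
    from dataclasses import dataclass
    from typing import Optional

    @dataclass(frozen=True)
    class IkeGateway:
        name: str
        peer_ip: Optional[str]   # static peer address, or None for a dynamic peer
        peer_id: Optional[str]   # u-FQDN expected from a dynamic peer

    def select_gateway(gateways, src_ip, ike_id):
        """Return (gateway, reason) for an incoming Phase 1, or (None, reason)."""
        # Static-address gateways take precedence: the responder matches on the
        # packet's source IP, so whatever ID the client presents is ignored.
        for gw in gateways:
            if gw.peer_ip is not None and gw.peer_ip == src_ip:
                return gw, "matched by peer IP; IKE ID %r ignored" % ike_id
        # Dynamic gateways are matched on the IKE ID the client sends.
        for gw in gateways:
            if gw.peer_ip is None and gw.peer_id == ike_id:
                return gw, "matched dynamic peer by IKE ID"
        return None, "no gateway for src %s / id %r" % (src_ip, ike_id)

    # Constructed sample config: a route-based site-to-site VPN with a static
    # peer (as the poster has) plus a dial-up gateway keyed on the user's u-FQDN.
    GATEWAYS = [
        IkeGateway("site_to_site", peer_ip="203.0.113.10", peer_id=None),
        IkeGateway("dialup_tariq", peer_ip=None, peer_id="tariq@tariq.com"),
    ]

    def demo():
        # A client whose public IP equals the static peer's address is accepted
        # even with a bogus identity: the address matched the static gateway.
        g1, why1 = select_gateway(GATEWAYS, "203.0.113.10", "sako@sako.com")
        # The same bogus identity from an unrelated address matches nothing.
        g2, why2 = select_gateway(GATEWAYS, "198.51.100.7", "sako@sako.com")
        # The correct identity from an unrelated address hits the dynamic gateway.
        g3, why3 = select_gateway(GATEWAYS, "198.51.100.7", "tariq@tariq.com")
        return [(g.name if g else None, w)
                for g, w in ((g1, why1), (g2, why2), (g3, why3))]

    if __name__ == "__main__":
        for name, why in demo():
            print(name, "-", why)
    ```

    If the first case reproduces the symptom, the fix is in the overlapping static gateway definition, not in the dial-up user's identity.
    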


  • 11.  RE: Questions About Remote VPN

    Posted 11-21-2007 04:03
    Hello rkim, well.. first of all.. I asked the customer to issue the debug, then start the remote connection, and there is no output at all. Clear.. And about the VPNs.. there is another route-based VPN configured with a static gateway, and the dial-up one. Is there anything else I can do to be useful to you to finalize this issue!!


  • 12.  RE: Questions About Remote VPN

    Posted 11-21-2007 16:28
    "Hello rkim, well.. first of all.. I asked the customer to issue the debug, then start the remote connection, and there is no output at all."
     
    Did you run the command "get db stream"? This is required for outputting any debug commands. Debugs do not automatically write to a CLI window. Assuming you ran "debug ike detail" and let the VPN connect, then once it completes, run "get db stream" to view the output.
     
    BTW, have you tried going through the Juniper Networks VPN troubleshooting flow? This can be very useful for any VPN troubleshooting. To get to the VPN troubleshooting flow, start here: http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm 


  • 13.  RE: Questions About Remote VPN

    Posted 12-02-2007 23:35
    Hello rkim, sorry for being late on you, but I'm still waiting on the customer; he is traveling somewhere, so I was unable to get info from him. I will be back to you soon.


  • 14.  RE: Questions About Remote VPN

    Posted 12-05-2007 02:21
    2. How can I use the Cisco VPN client and Juniper on the same PC?

    You can install both the Cisco VPN client and the NS Remote client on the same PC. If you are using the Cisco VPN client regularly, just change the startup option of the services called SafeNet IKE Service and SafeNet Monitor Service to MANUAL instead of Automatic.

    Just note that if you are going to use NS Remote, disable the Cisco Systems VPN service and start the 2 SafeNet services.

    Cheers
    CT