Screen OS

Hi All,

I'm looking for some help and guidance regarding an issue with Route based IPSEC VPN Config between SSG-550M and Cisco ASA.

From the get sa output, its A/D, however traffic is passing through it. The Remote end verified and they are able to reach my Trust NW.

Posting the config below for reference:
(Software Version: 6.3.0r17b.0, Type: Firewall+VPN)

X.X.X.X & Y.Y.Y.Y are Public IPs.
Proxy-id - Unchecked

tunnel.5 is ip unnumbered interface (loopback.10)

set vpn "VPN_NAME" gateway "VPN_NAME_GW" no-replay tunnel idletime 0 sec-level standard
set vpn "VPN_NAME" monitor
set vpn "VPN_NAME" id 0x22 bind interface tunnel.5
set vpn "VPN_NAME" proxy-id local-ip 10.0.7.0/24 remote-ip 10.0.4.0/24 "ANY"

set ike gateway "VPN_NAME_GW" address Y.Y.Y.Y1 Main outgoing-interface "loopback.10" preshare "PRESHARE-KEY" sec-level compatible

set route 10.0.4.0/24 interface tunnel.5

set address "Untrust" "Y.Y.Y.Y/29" Y.Y.Y.Y 255.255.255.248
set address "Untrust" "10.0.4.0/24" 10.0.4.0 255.255.255.0

set policy id 98 from "Untrust" to "Untrust" "Y.Y.Y.Y/29" "X.X.X.X1/32" "ANY" permit log
set policy id 98a from "Untrust" to "Untrust" "10.0.4.0/24" "X.X.X.X1/32" "ANY" permit log

set policy id 01 from "Untrust" to "Trust" "Y.Y.Y.Y/29" "10.0.7.0/24" "ANY" permit log
set policy id 01a from "Untrust" to "Trust" "10.0.4.0/24" "10.0.7.0/24" "ANY" permit log

set policy id 03 from "Trust" to "Untrust" "10.0.7.0/24" "Y.Y.Y.Y/29" "ANY" permit log
set policy id 03a from "Trust" to "Untrust" "10.0.7.0/24" "10.0.4.0/24" "ANY" permit log

Also how do I enable PFS in Screen OS and is it a global option or can I enable it specific to this VPN without affecting other VPNs that are in production.

Thanks in advance for Your help.

Best Regards,

Hi,

If your query is about A/D then please cehck below from KB :https://kb.juniper.net/InfoCenter/index?page=content&id=KB6134&actp=METADATA 

A/D: VPN tunnel is Active, but the link (detected thru VPN Monitor) is DOWN. VPN Monitor is not getting a response to its pings.  This could be happening because the device that is being pinged is down or has ping disabled.  This could also be happening if the other side of the VPN is not a NetScreen/Juniper Firewall.

If you are using not ScreenOS device then please configure VPN monitor with IPs which can ping each other, or need not to use it.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB8530&cat=IPSEC&actp=LIST

To enable PFS you need to configure  DH group instead of no-pfs in your phase-2 proposal.

Thanks,

Vikas

Hi Vikas,

Thanks for Your reply. 

I had allowed the ping inbound before vpn config. And I was able to ping the remote end GW IP as well. 

Yes, the remote end device is not Netscreen/Juniper, its Cisco FWSM. So since the traffic is passing through even though the state is A/D, should I consider it be a normal working scenario ?

I tried removing the Proxy IDs configured on my end, because in one of the event messages it said Proxy ID mismatch. However when I removed, the SA assocation went I/I. Hence added it back to make it A/D. But didn't see the error again.  This resulted in new pair of SA assocations showing in the get sa. The previous ones were listed as expired. 

I'm configuring with IKEv1 and I didn't found the option for PFS. (Software Version: 6.3.0r17b.0).

Please let me know. 

Thanks & Regards.

ishaik

Hi Ishaik,

You should be able to use DH group under below stanza and call this proposal in your VPN config.

>set ike p2-proposal test ?
ah AH protocol
esp ESP protocol
group1 DH Group 1
group14 DH Group 14
group19 ECDH prime curve 256 bits
group2 DH Group 2
group20 ECDH prime curve 384 bits
group5 DH Group 5
no-pfs NO PFS in Phase 2

set vpn "VPN_NAME" gateway "VPN_NAME_GW" no-replay tunnel idletime 0 proposal <p2 proposal>

As I mentioned earlier, to make VPN monitor working please configure the complete flow ( source interface and  destination IP etc) , you  may also need to have security policy in place to allow this traffic. 

Do you see if the VPN monitor is failing in the "get event" output ? and if VPN monitor is not needed then you can simply delete the monitoring config.

For proxy-id , either please make sure both have the same proxy-id or you can try disabling it. e.g. "unset vpn test proxy-id check "

Thanks,

Vikas

Hi Vikas,

Thanks for Your reply again. 

I will disable the VPN monitor as the other end is able to see Phase 2 Up and able to ping in both directions end-to-end. The remote end is Cisco FWSM and they aren't configuring proxy IDs.

I've configured the below Policies. 

set address "Untrust" "Y.Y.Y.Y/29" Y.Y.Y.Y 255.255.255.248
set address "Untrust" "10.0.4.0/24" 10.0.4.0 255.255.255.0

set policy id 98 from "Untrust" to "Untrust" "Y.Y.Y.Y/29" "X.X.X.X1/32" "ANY" permit log
set policy id 98a from "Untrust" to "Untrust" "10.0.4.0/24" "X.X.X.X1/32" "ANY" permit log

set policy id 01 from "Untrust" to "Trust" "Y.Y.Y.Y/29" "10.0.7.0/24" "ANY" permit log
set policy id 01a from "Untrust" to "Trust" "10.0.4.0/24" "10.0.7.0/24" "ANY" permit log

set policy id 03 from "Trust" to "Untrust" "10.0.7.0/24" "Y.Y.Y.Y/29" "ANY" permit log
set policy id 03a from "Trust" to "Untrust" "10.0.7.0/24" "10.0.4.0/24" "ANY" permit log

I have attached a sample screenshot of the GUI,  and it doesn't have an option for PFS ? (enable/disable).

I did not check the Proxy-ID check box.

Also, how about allowing more NWs from trust zone from either side through same VPN ? 

From SSG end: 

Defining destination routes and allowing them in the policies ? 

or Do I also need to include them in another proxy id pair ?  

Thanks & Regards,

Ishaik

Hello Ishaik,

About PFS - please check Vikas's post again. PFS is not a checkbox in ScreenOS. It is a part of your proposal set. In your screenshot, I see both proposals use Group-2, which means PFS is enabled. If you click the drop down, you will see some proposals (shown already by Vikas) which have 'no-pfs'. As long as you are using proposals that do not contain the no-pfs keyword, PFS is enabled.

Since the other end is a non-ScrenOS box, I'd advice that you add individual proxy-IDs for every subnet you like to talk via the VPN. If there are too many subnets, see if you can configure a 0.0.0.0/0 proxy-id on both sides.

Hi Gokul,

Thanks for the clairification. I've checked the drop down and found there are few with "nopfs." Since I'm already using G2 in the proposal, which means PFS is included/enabled. 

Regarding the Proxy IDs - Yes there are too many subnets on both ends that need to be allowed . I tried confugring the 0.0.0.0/0 for the remote IP, but it made the sa assocation inactive. I checked with the other end and they aren't configuring any proxy IDs.

Also adding individual proxy IDs will add another association in SA ? Because i tried to add and later removed and a new pair of sa association got added and it shows up as expired. 

Thanks Vikas and Gokul for all the clarification and help. 

Best Regards,

Ishaik

Hi Ishaik,

AFAIK, there is no 'no proxy-id' - definitiely not on the Cisco boxes. If they had configured an accept-all proxy-id, then your VPN would have some up whith 0.0.0.0/0 as proxy ID.

If you want to test, just try injecting traffic for a new remote subnet (say 10.0.10.0/24) into the VPN by setting a route for this subnet pointing to tunnel and adding the permit policies as required.

If it comes to configuring new proxy-IDs, yes - you are right. Every proxy-ID pair will bring up its own SA.