Screen OS

  • 1.  Two subnets in policy based VPN

    Posted 09-10-2010 00:58

    Hi all,


    I have a policy-based VPN from an SSG-5 to a Cisco, and it is all working fine.

    But now the customer, who has the Cisco, has created dialup VPN access to their office (Cisco clients with a different subnet) and wants to access servers behind the SSG-5 from the new dialup subnet.

    I tried to create a second policy for this VPN, but got:

    IKE x.x.x.x Phase 2: Negotiations have failed. Policy-checking has been disabled but multiple VPN policies to the peer exist.

    What is the correct way on the SSG-5 to allow the remote "Cisco dialup IP subnet" to access servers through the VPN?

    Thanks!



  • 2.  RE: Two subnets in policy based VPN

    Posted 09-10-2010 03:30

    The way I would do it is create another phase 1 gateway and phase 2 VPN and then allow the separate network over that tunnel.



  • 3.  RE: Two subnets in policy based VPN

    Posted 09-10-2010 03:46

    Hi,

    The SSG-5 does not allow creating a second gateway with the same IP address; it fails with the error "Duplicate peer IP address". I have already tested it.

    Thanks.



  • 4.  RE: Two subnets in policy based VPN

    Posted 09-10-2010 04:29

    You can bind multiple policy tunnels to the same gateway/autokey pair.  I have this running in a number of sites connecting to non-Juniper policy-based VPNs.  Naturally the remote site has to add these to their local connection policy too.

    • You need to leave the proxy ID blank in the autokey object
    • You create policy objects (addresses and policy) with the tunnel option and bind them to the same autokey VPN
    • ScreenOS will then create the multiple proxy IDs from your policies and connect


    Examples:
    set vpn "RemoteSite" gateway "RemoteGateway" no-replay tunnel idletime 0 sec-level compatible

    set policy id 40 name "VPNtoRemote1" from "Trust" to "Untrust"  "LocalLAN" "RemoteLAN1" "ANY" tunnel vpn "RemoteSite" id 0x57 pair-policy 41 log
    set policy id 40
    exit
    set policy id 42 name "VPNtoRemote2" from "Trust" to "Untrust"  "LocalLAN" "RemoteLAN2" "ANY" tunnel vpn "RemoteSite" id 0x58 pair-policy 43 log
    set policy id 42
    exit
    set policy id 41 name "VPNtoRemote1" from "Untrust" to "Trust"  "RemoteLAN1" "LocalLAN" "ANY" tunnel vpn "RemoteSite" id 0x57 pair-policy 40 log
    set policy id 41
    exit
    set policy id 43 name "VPNtoRemote2" from "Untrust" to "Trust"  "RemoteLAN2" "LocalLAN" "ANY" tunnel vpn "RemoteSite" id 0x58 pair-policy 42 log
    set policy id 43
    exit



  • 5.  RE: Two subnets in policy based VPN

    Posted 09-10-2010 05:23

    Hi,

    My configuration is:


    set address "Untrust" "customer-ee" 192.168.9.0 255.255.255.0
    set address "Untrust" "customer-ee-vpn" 192.168.11.0 255.255.255.0
    set vpn "customer-EE-VPN" gateway "customer-EE-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha" 
    set policy id 37 from "Trust" to "Untrust"  "DC-NET" "customer-ee-vpn" "ANY" tunnel vpn "customer-EE-VPN" id 0x12 pair-policy 36 log 
    set policy id 36 from "Untrust" to "Trust"  "customer-ee-vpn" "DC-NET" "ANY" tunnel vpn "customer-EE-VPN" id 0x12 pair-policy 37 log 
    set policy id 35 from "Trust" to "Untrust"  "DC-NET" "customer-ee" "ANY" tunnel vpn "customer-EE-VPN" id 0x10 pair-policy 34 log 
    set policy id 34 from "Untrust" to "Trust"  "customer-ee" "DC-NET" "ANY" tunnel vpn "customer-EE-VPN" id 0x10 pair-policy 35 log 

    But when I add the policy for the second subnet, the VPN is down and the error is:

    IKE x.x.x.x Phase 2 msg ID f3993bff: Negotiations have failed.
    IKE x.x.x.x Phase 2: Negotiations have failed. Policy-checking has been disabled but multiple VPN policies to the peer exist.
    IKE x.x.x.x Phase 2: Received a message but did not check a policy because id-mode was set to IP or policy-checking was disabled.
    IKE x.x.x.x Phase 2 msg ID f3993bff: Received responder lifetime notification. (0 sec/4608000 KB)
    IKE x.x.x.x Received a notification message for DOI 1 24576 RESPONDER-LIFETIME.
    IKE x.x.x.x Phase 2: Initiated negotiations.

    What should I change?

    Thanks!



  • 6.  RE: Two subnets in policy based VPN
    Best Answer

    Posted 09-11-2010 05:47

    Interesting, I've never seen that before so I checked the Message Log Reference Guide.


    Message IKE 〈none〉 Phase 2: Negotiations have failed. Policy-checking has
    been disabled but multiple VPN policies to the peer exist.


    Meaning An admin has disabled policy-checking although multiple access
    policies for VPN traffic to the specified peer exist. Consequently,
    the IKE module cannot find the correct security association (SA) for
    traffic covered by each policy. Note: Policy-checking must be enabled
    if multiple policies for VPN traffic to the same gateway exist.


    Action Enable policy-checking or limit one policy per remote gateway.
    set ike policy-checking


    --------
    I don't see this command in any of my config files so it must be a default set that has become unset on your box by some option.
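As an added illustration (not from the thread and not Juniper's code), here is a small Python audit that reads a saved ScreenOS config and flags the exact condition the guide describes: more than one tunnel policy (distinct proxy IDs, as in post 5) to the same peer gateway while IKE policy-checking is disabled. It assumes the disabled state shows up in the saved config as `unset ike policy-checking`; the sample config is constructed from the lines posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the config posted in this thread. The
# "unset ike policy-checking" line is an assumption about how a disabled
# setting appears in a saved ScreenOS config; it is not from the page.
SAMPLE_CONFIG = """\
unset ike policy-checking
set vpn "customer-EE-VPN" gateway "customer-EE-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set policy id 37 from "Trust" to "Untrust"  "DC-NET" "customer-ee-vpn" "ANY" tunnel vpn "customer-EE-VPN" id 0x12 pair-policy 36 log
set policy id 36 from "Untrust" to "Trust"  "customer-ee-vpn" "DC-NET" "ANY" tunnel vpn "customer-EE-VPN" id 0x12 pair-policy 37 log
set policy id 35 from "Trust" to "Untrust"  "DC-NET" "customer-ee" "ANY" tunnel vpn "customer-EE-VPN" id 0x10 pair-policy 34 log
set policy id 34 from "Untrust" to "Trust"  "customer-ee" "DC-NET" "ANY" tunnel vpn "customer-EE-VPN" id 0x10 pair-policy 35 log
"""

VPN_RE = re.compile(r'^set vpn "(?P<vpn>[^"]+)" gateway "(?P<gw>[^"]+)"')
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+) .*?tunnel vpn "(?P<vpn>[^"]+)"'
    r'(?: id (?P<proxy>0x[0-9A-Fa-f]+))?'
)

def audit(config_text):
    """Return [(gateway, distinct_proxy_id_count)] for every peer gateway
    that has more than one tunnel policy while policy-checking is disabled.
    An empty list means the config cannot trigger the log message above."""
    policy_checking = True            # ScreenOS default, per the log reference
    vpn_to_gw = {}                    # vpn object name -> gateway name
    proxies = defaultdict(set)        # gateway -> proxy ids it must negotiate
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "unset ike policy-checking":
            policy_checking = False
        elif line == "set ike policy-checking":
            policy_checking = True
        elif (m := VPN_RE.match(line)):
            vpn_to_gw[m.group("vpn")] = m.group("gw")
        elif (m := POLICY_RE.match(line)):
            gw = vpn_to_gw.get(m.group("vpn"), m.group("vpn"))
            # A pair-policy shares its proxy id with its partner, so count
            # distinct proxy ids rather than policy lines.
            proxies[gw].add(m.group("proxy") or m.group("id"))
    if policy_checking:
        return []
    return sorted((gw, len(ids)) for gw, ids in proxies.items() if len(ids) > 1)
```

A non-empty result means the fix from the guide applies: enable policy-checking with `set ike policy-checking`, or reduce that gateway to a single policy.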



  • 7.  RE: Two subnets in policy based VPN

    Posted 09-12-2010 23:06

    Hi,

    Thanks Spuluka!

    Now all is fine.