Screen OS


  • 1.  Unable to create Policy for Dial Up VPN User

    Posted 07-24-2008 20:17

    Hi - I have a NetScreen-5GT running ScreenOS 5.3. I am having trouble creating a dial-up VPN user that authenticates with IKE and a pre-shared key.

     

    After going through simple steps ----> http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&article_id=KB4769

     

    When I get to step 5 I cannot create the policy: the dial-up VPN ("dialupvpn1") is not offered as a choice in the Tunnel dropdown on the policy form.

    I have deleted and recreated it several times with no change.

     

    The setup is a DSL line in bridge mode (PPPoE terminates on the firewall's untrust interface). I have the identical firewall model at another location with a static IP, and the site-to-site VPN between the two works fine; what I want now is to add a dial-up client that connects to one of them.

     




  • 2.  RE: Unable to create Policy for Dial Up VPN User

    Posted 07-24-2008 20:23

    Hi,

     

    Can you post your config? Remember to mask IP addresses, passwords and pre-shared keys before posting. The `preshare` strings that `get config` prints are in an encoded form rather than plaintext, but treat them as secrets all the same.

     

    Regards

     

    Andy



  • 3.  RE: Unable to create Policy for Dial Up VPN User

    Posted 07-24-2008 20:33

    set clock ntp
    set clock timezone -5
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "FTP-DATA" protocol tcp src-port 1-65535 dst-port 20-20
    set service "z_RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "name"

    set admin manager-ip 63.*****131 255.255.255.255
    set admin manager-ip 192.168.1.0 255.255.255.0
    set admin manager-ip 192.168.254.0 255.255.255.0
    set admin manager-ip 76.*******255.255.255.255
    set admin manager-ip 12.*******255.255.255.255
    set admin port 8080
    set admin auth timeout 20
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    set interface "tunnel.1" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 192.168.2.254/24
    set interface trust nat
    set interface untrust ip 75.********
    set interface untrust route
    set interface tunnel.1 ip unnumbered interface untrust
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface untrust manage ping
    set interface untrust manage telnet
    set interface untrust manage web
    set interface untrust vip untrust 21 "FTP" 192.168.2.2
    set interface untrust vip untrust 20 "FTP-DATA" 192.168.2.2
    set flow tcp-mss
    set flow all-tcp-mss 1304
    unset flow tcp-syn-check
    set hostname *****

    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set address "Trust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
    set address "Trust" "63.***" *****255.255.255.255
    set address "Trust" "75.******** *******255.255.255.255
    set address "Trust" "75.*******" *******255.255.255.255
    set address "Trust" "75.********" ********255.255.255.255
    set address "Trust" "75.****** 75.*****255.255.255.255
    set address "Trust" "Concord_Net" 192.168.2.0 255.255.255.0
    set address "Trust" "Internal Net" 192.168.2.0 255.255.255.0 "Local LCO Lan"
    set address "Untrust" "Concord_Net" 192.168.1.0 255.255.255.0
    set address "Untrust" "Delavan_Ext" 12.***********255.255.255.255
    set address "Untrust" "Factor_External" 75*********.255.255.255
    set address "Untrust" "Factor_Net" 63.*******255.255.255.224
    set address "Untrust" "Geneva_Net" 192.168.254.0 255.255.255.0
    set user "joe" uid 2
    set user "joe" ike-id u-fqdn "joe@someplace.com" share-limit 1
    set user "joe" type  ike
    set user "joe" "enable"
    set ike gateway "Geneva GW" address 67.*********Main outgoing-interface "untrust" preshare "prl+ZNa4NaTlbuslDXCSdKau5CnRJjG2Hw==" proposal "pre-g2-3des-sha"
    set ike gateway "Concord GW" address 63.*********Main outgoing-interface "untrust" preshare "2PxFIATZN124SLsOGhC1DCxLz5ntWQxpRg==" proposal "pre-g2-3des-sha"
    set ike gateway "vpngateway1" dialup "pete" Main outgoing-zone "V1-Trust" preshare "i8JcBRB2NA2pwps5lQCS/ba1JOnOdBFNhQ==" proposal "pre-g1-des-md5"
    unset ike gateway "vpngateway1" nat-traversal
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "Geneva GW" gateway "Geneva GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
    set vpn "Geneva GW" monitor
    set vpn "CONCORD GW" gateway "Concord GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
    set vpn "CONCORD GW" monitor
    set vpn "dialupvpn1" gateway "vpngateway1" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
    set url protocol sc-cpa
    exit
    set policy id 12 name "Truck access" from "Untrust" to "Trust"  "Any" "75.******" "HTTP" nat dst ip 192.168.2.17 permit log
    set policy id 12
    set service "ICMP-ANY"
    set service "z_RDP"
    set log session-init
    exit
    set policy id 6 name "Factor Access" from "Untrust" to "Trust"  "Delavan_Ext" "75.**********" "FTP" nat dst ip 192.168.2.10 permit log
    set policy id 6
    set src-address "Factor_Net"
    set service "FTP-DATA"
    set service "ICMP-ANY"
    set service "TELNET"
    exit
    set policy id 8 name "Geneva VPN" from "Untrust" to "Trust"  "Geneva_Net" "192.168.2.0/24" "ANY" tunnel vpn "Geneva GW" id 2 pair-policy 7 log
    set policy id 8
    set log session-init
    exit
    set policy id 7 name "Geneva VPN" from "Trust" to "Untrust"  "192.168.2.0/24" "Geneva_Net" "ANY" tunnel vpn "Geneva GW" id 2 pair-policy 8 log
    set policy id 7
    set log session-init
    exit
    set policy id 10 name "LCO to CONCORD VPN" from "Trust" to "Untrust"  "192.168.2.0/24" "Concord_Net" "ANY" tunnel vpn "CONCORD GW" id 5 pair-policy 11 log
    set policy id 10
    set log session-init
    exit
    set policy id 9 from "Trust" to "Untrust"  "192.168.2.0/24" "Any" "ANY" permit log
    set policy id 9
    set log session-init
    exit
    set policy id 11 name "LCO to CONCORD VPN" from "Untrust" to "Trust"  "Concord_Net" "192.168.2.0/24" "ANY" tunnel vpn "CONCORD GW" id 5 pair-policy 10 log
    set policy id 11
    set log session-init
    exit
    set pppoe name "untrust"
    set pppoe name "untrust" username "***************

    " password "**********
    set pppoe name "untrust" interface untrust
    set global-pro policy-manager primary outgoing-interface untrust
    set global-pro policy-manager secondary outgoing-interface untrust
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset ssl enable
    set ntp server "pool.ntp.org"
    set ntp server src-interface "untrust"
    set ntp server backup1 " 0.0.0.0"
    set ntp server backup2 "0.0.0.0"
    set ntp interval 120
    set ntp max-adjustment 300
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 192.168.254.0/24 interface tunnel.1 preference 20
    set route 192.168.1.0/24 interface tunnel.1 preference 20
    set route 75.******interface trust preference 20
    set route 75.*******interface trust preference 20
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 4.  RE: Unable to create Policy for Dial Up VPN User
    Best Answer

    Posted 07-24-2008 20:37

    Hi,

     

    Your dial-up IKE gateway "vpngateway1" is bound to outgoing-zone "V1-Trust", which is a transparent-mode (V1) zone. This box is running in route/NAT mode with its public address on the untrust interface, so the dial-up gateway needs `outgoing-interface "untrust"`, the same way your two site-to-site gateways ("Geneva GW" and "Concord GW") are defined. That mismatch is presumably why "dialupvpn1" is not offered in the policy's Tunnel dropdown for the Untrust-to-Trust policy.

     

    set ike gateway "vpngateway1" dialup "pete" Main outgoing-zone "V1-Trust" preshare "i8JcBRB2NA2pwps5lQCS/ba1JOnOdBFNhQ==" proposal "pre-g1-des-md5"

    Change that first and see if you still have problems. Two other things worth checking once the tunnel shows up: the config has `unset ike gateway "vpngateway1" nat-traversal`, so a dial-up client sitting behind a NAT router is likely to fail to connect until NAT-T is enabled on that gateway; and the dial-up proposals (`pre-g1-des-md5` / `nopfs-esp-des-md5`) are considerably weaker than the `pre-g2-3des-sha` / `g2-esp-3des-sha` pair your site-to-site tunnels already use, so consider matching them (and enabling PFS) rather than leaving the remote-access path on DES/MD5/group 1.

     

    Regards

     

    Andy



  • 5.  RE: Unable to create Policy for Dial Up VPN User

    Posted 07-24-2008 20:58
    Thanks Andy...