Channel: All ScreenOS Firewalls (NOT SRX) posts

L2TP over IPsec to Microsoft RRAS

I have a Routing and Remote Access Server behind my SSG and I would like to use it for L2TP VPN. When I try to forward UDP 500 using a VIP on my interface, I get a message saying it's not supported; 500 is for management of the box.

I'm also currently using a site-to-site VPN which I imagine is using port 500 on the same interface. Is this what is stopping me?

Would there be any way around this? My goal is to allow clients such as Windows PCs and iOS devices to connect to my network without using a certificate and instead a preshared key -- which RRAS supports.


Remove a VPN Tunnel

Hi,

I 'simply' need to remove a VPN tunnel from my SSG 140 firewall.

When I go to VPN > AutoKey and hit remove on the tunnel I need to delete, I get the following message...

This VPN has tunnel interface binding. Please remove the binding first.

I've tried going and unbinding the interface but it's already set to none.

I'm really stuck; I don't want to remove anything that will break existing tunnels.

Any help will be greatly appreciated.

PS. Don't ask me to go into the CLI, I'm not that confident with the CLI and worry I'll break something else.

Many Thanks,

 

Re: Azure Dynamic Gateway VPN - IKEV2_E_AUTH_PAYLOAD_FAILURE - SSG-500

See - Azure-vpn-config-samples/tree/master/Juniper/Current/SSG

or the attachment.

It's working for SSG-140 ScreenOS 6.3R21.

Don't worry about these messages; it works either way:

Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE a.b.c.d Phase 2: No policy exists for the proxy ID received: local ID (172.18.0.0/255.255.0.0, 0, 0) remote ID (192.168.16.0/255.255.255.0, 0, 0). (2016-04-11 13:31:19)

Nov 4 12:31:15 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE V2 a.b.c.d: Received a notification message for 16388 NOTIFY_MSG_NAT_DETECTION_SOURCE_IP. (2016-04-11 13:31:25)
Nov 4 12:31:15 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE V2 a.b.c.d: Received a notification message for 16389 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP. (2016-04-11 13:31:25)


#################################################################


Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-notification-00017: VPN "MicrosoftAzure" has been bound to tunnel interface NULL. (2016-04-11 13:31:19)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-notification-00017: VPN MicrosoftAzure with gateway MicrosoftAzure and P2 proposal compatible has been deleted by admin root via NSRP Peer . (2016-04-11 13:31:19)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-notification-00017: Gateway MicrosoftAzure at a.b.c.d in IKE V2 with ID [default peer id] has been deleted by admin root via NSRP Peer . (2016-04-11 13:31:19)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-notification-00017: Gateway MicrosoftAzure at a.b.c.d in IKE V2 with ID [default peer id] has been added by admin root via NSRP Peer . (2016-04-11 13:31:19)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-notification-00017: VPN MicrosoftAzure with gateway MicrosoftAzure and P2 proposal compatible has been added by admin root via NSRP Peer . (2016-04-11 13:31:19)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-notification-00017: VPN "MicrosoftAzure" has been bound to tunnel interface tunnel.2. (2016-04-11 13:31:19)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE a.b.c.d Phase 2: No policy exists for the proxy ID received: local ID (172.18.0.0/255.255.0.0, 0, 0) remote ID (192.168.16.0/255.255.255.0, 0, 0). (2016-04-11 13:31:19)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-notification-00017: The DF-BIT for VPN MicrosoftAzure has been set to copy. (2016-04-11 13:31:19)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKEe.f.g.h a.b.c.d IKESA: Initiated negotiations. (2016-04-11 13:31:19)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE V2 a.b.c.d: Received a notification message for 16388 NOTIFY_MSG_NAT_DETECTION_SOURCE_IP. (2016-04-11 13:31:20)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE V2 a.b.c.d: Received a notification message for 16389 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP. (2016-04-11 13:31:20)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE a.b.c.d CHILD SA with IKE SA INIT: Initiated negotiations. (2016-04-11 13:31:20)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE V2 a.b.c.d: Received a notification message for 12345 Private Use - Errors. (2016-04-11 13:31:20)
Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE V2 a.b.c.d:negotiating IKE SA AUTH packet in status IKEV2_STATE_AUTH_I has failed with IKEV2_E_NOTIFY_UNKNOWN_ERR_CODE. (2016-04-11 13:31:20)
Nov 4 12:31:15 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE a.b.c.d IKESA: Responder starts negotiations. (2016-04-11 13:31:25)
Nov 4 12:31:15 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE V2 a.b.c.d: Received a notification message for 16388 NOTIFY_MSG_NAT_DETECTION_SOURCE_IP. (2016-04-11 13:31:25)
Nov 4 12:31:15 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE V2 a.b.c.d: Received a notification message for 16389 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP. (2016-04-11 13:31:25)
Nov 4 12:31:15 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE a.b.c.d CHILD SA with IKE SA INIT: Initiated negotiations. (2016-04-11 13:31:25)
Nov 4 12:31:15 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE a.b.c.d IKESA : Completed IKESA negotiations with IKE SA AUTH. (2016-04-11 13:31:25)
Nov 4 12:31:15 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE a.b.c.d child sa with IKE SA AUTH: Completed negotiations with SPI 05d30760, tunnel ID 159, and lifetime 3600 seconds/0 KB. (2016-04-11 13:31:25)
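
The log above mixes three things a defender wants to keep apart: configuration-change notifications (the 00017 lines, which record who changed the VPN and via what path), IKE noise that the poster says is harmless, and the one line that actually proves the child SA came up. The following is an added example, not code from the thread or from Juniper: a small Python triage pass over lines in the syslog layout shown above. It assumes that layout exactly, assumes IPv4 peer addresses (anything else is bucketed under "unknown"), and uses six lines copied from the thread as its sample input.

```python
# Added example (not from the thread): triage of ScreenOS IKE/VPN syslog lines.
# Assumes the line layout pasted above:
#   <ts> <host>: NetScreen device_id=<id> [<vsys>]<category>-<code>: <msg> (<device time>)
# and IPv4 peer addresses; other peers are bucketed under "unknown".
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+): "
    r"NetScreen device_id=(?P<device>\S+) \[(?P<vsys>[^\]]+)\]"
    r"(?P<category>[a-z-]+?)-(?P<code>\d{5}): (?P<msg>.*?)"
    r"(?: \((?P<devtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\))?\s*$"
)
# Peer follows "IKE " or "IKE V2 " and is ended by a space or a colon.
PEER_RE = re.compile(r"\bIKE(?: V2)? (?P<peer>[0-9A-Za-z.]+)[: ]")
COMPLETE_RE = re.compile(
    r"Completed negotiations with SPI (?P<spi>[0-9a-fA-F]+), "
    r"tunnel ID (?P<tid>\d+), and lifetime (?P<life>\d+) seconds"
)
FAIL_RE = re.compile(r"has failed with (?P<err>[A-Z0-9_]+)")
CHANGE_RE = re.compile(r"by admin (?P<admin>\S+) via (?P<via>.+?)\s*\.$")
# Messages the poster reports as harmless when the tunnel still comes up.
EXPECTED_NOISE = ("No policy exists for the proxy ID", "NAT_DETECTION_")

# Six lines copied from the thread above (host/device placeholders are the poster's).
SAMPLE_LINES = [
    "Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE a.b.c.d Phase 2: No policy exists for the proxy ID received: local ID (172.18.0.0/255.255.0.0, 0, 0) remote ID (192.168.16.0/255.255.255.0, 0, 0). (2016-04-11 13:31:19)",
    "Nov 4 12:31:15 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE V2 a.b.c.d: Received a notification message for 16388 NOTIFY_MSG_NAT_DETECTION_SOURCE_IP. (2016-04-11 13:31:25)",
    "Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-notification-00017: VPN \"MicrosoftAzure\" has been bound to tunnel interface NULL. (2016-04-11 13:31:19)",
    "Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-notification-00017: VPN MicrosoftAzure with gateway MicrosoftAzure and P2 proposal compatible has been deleted by admin root via NSRP Peer . (2016-04-11 13:31:19)",
    "Nov 4 12:31:09 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE V2 a.b.c.d:negotiating IKE SA AUTH packet in status IKEV2_STATE_AUTH_I has failed with IKEV2_E_NOTIFY_UNKNOWN_ERR_CODE. (2016-04-11 13:31:20)",
    "Nov 4 12:31:15 aaaaaaaa: NetScreen device_id=aaaaaaaa [Root]system-information-00536: IKE a.b.c.d child sa with IKE SA AUTH: Completed negotiations with SPI 05d30760, tunnel ID 159, and lifetime 3600 seconds/0 KB. (2016-04-11 13:31:25)",
]


def parse_line(line):
    """Split one syslog line into its fields, or return None if the layout differs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PEER_RE.search(rec["msg"])
    rec["peer"] = p.group("peer") if p else None
    return rec


def triage(lines):
    """Per-peer IKE outcome plus an audit list of configuration changes."""
    peers = defaultdict(lambda: {"status": "negotiating", "completed": [],
                                 "failures": [], "noise": 0})
    changes, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        msg = rec["msg"]
        if rec["code"] == "00017":          # configuration change: who, and via what path
            c = CHANGE_RE.search(msg)
            changes.append({"ts": rec["ts"], "msg": msg,
                            "admin": c.group("admin") if c else None,
                            "via": c.group("via") if c else None})
            continue
        peer = peers[rec["peer"] or "unknown"]
        if any(n in msg for n in EXPECTED_NOISE):
            peer["noise"] += 1
        f = FAIL_RE.search(msg)
        if f:
            peer["failures"].append(f.group("err"))
        c = COMPLETE_RE.search(msg)
        if c:
            peer["completed"].append({"spi": c.group("spi"),
                                      "tunnel_id": int(c.group("tid")),
                                      "lifetime_s": int(c.group("life"))})
    for p in peers.values():               # a completed child SA outranks earlier failures
        if p["completed"]:
            p["status"] = "up"
        elif p["failures"]:
            p["status"] = "failed"
    return {"peers": dict(peers), "config_changes": changes, "unparsed": unparsed}


if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LINES)["peers"].items():
        print(peer, info["status"], info["failures"], info["completed"])
```

Run over the sample, the peer ends up "up" with one recorded failure, which is the pattern the poster describes: the IKEV2_E_NOTIFY_UNKNOWN_ERR_CODE attempt is transient because a later "Completed negotiations" line for the same peer follows. The 00017 entries are worth keeping separately: "deleted ... by admin root via NSRP Peer" records a VPN object being removed and re-added through the cluster peer, which is the kind of change you want correlated with a known maintenance window rather than buried in IKE chatter.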

MIP on one of the trust network IP device for DMZ access

Hello,

It's an SSG140 FW. I have a device in the trust network which I want to be seen by a DMZ device using a 1-to-1 MIP. I don't want to use any routing between the DMZ and the trust network. Any way to do it? Example IPs below.

0/0 Trust network = 192.168.1.254

0/1 DMZ network = 10.1.1.254

Actual trust network IP device = 192.168.1.10. I want to map this IP to 10.1.1.250, so my device in the DMZ can ping 10.1.1.250, which refers to the 192.168.1.10 host.

Appreciate any advice.

Re: L2TP over IPsec to Microsoft RRAS

The issue is that only one device can use a specific IP address & port combination at a time. Since the SSG is using this port you cannot forward it to another device.

Since this is a protocol standard port for the L2TP connection you also can't just change and use a different port.

So in this situation you have to have a second IP address for the second device. If you have a second address in your IP allocation from your ISP you can use destination NAT to forward that address and port to your MS server.

If you only have one address, contact your ISP and ask about switching your account parameters to allocate a larger subnet.

Re: Remove a VPN Tunnel

You would remove the AutoKey IKE object first; I suspect this is still there.

Then remove the tunnel binding from AutoKey Advanced > Gateway.

Then remove the AutoKey Advanced > Gateway object itself.

You may also have routes pointing towards the tunnel interface:

Network > Routing > Destination

Then when these are gone you should be able to remove the no-longer-used tunnel interface itself:

Network > Interfaces > List

You will probably also have security rules in Policy > Policies that allowed the traffic and will then no longer be needed.

Re: MIP on one of the trust network IP device for DMZ access

I don't see why this would not work. A little unusual application, but the feature seems to apply.

Create the MIP on the DMZ interface.

Create the policy from the "any" address, or the specific ones you want in the DMZ, to the MIP object destination in the Trust zone.

Re: MIP on one of the trust network IP device for DMZ access

Thanks for your feedback.

Yes, it's a special request for this to work in such a way.

I did what you mentioned and created the MIP on the DMZ interface as below:

MAPPED IP is 10.1.1.250

Host IP is 192.168.1.10

MASK = 255.255.255.255

On the policy level, just for testing purposes, I allow "ANY ANY" from DMZ to TRUST & TRUST to DMZ "ANY ANY".

I am still NOT able to ping the 10.1.1.250 NATTED IP from my DMZ network.

In contrast, and weirdly:

I created the MIP on the Trust interface

MAPPED IP is 10.1.1.250

Host IP is 192.168.1.10

MASK = 255.255.255.255

Policy level the same, for testing purposes: "ANY ANY" from DMZ to TRUST & TRUST to DMZ "ANY ANY".

I CAN ping the 10.1.1.250 NATTED IP from the TRUST network.

BTW my DMZ interface is in route mode & my TRUST interface is in NAT mode; not sure if it makes any difference.


Re: MIP on one of the trust network IP device for DMZ access

You have to use the MIP object on the Trust side of the policy to be sure to invoke the translation, not the "any" object.

SSG Firewall log compression transfer.

Hi,

On the SSG 550 firewall,

FTP or otherwise:

Can I send the log to another server as a compressed file?

Please answer me.

Thank you.

Re: MIP on one of the trust network IP device for DMZ access

Hello, thanks for the feedback.

Tried it, still no luck. Policy as below.

Trust (source-any) DMZ (destination-MIP 10.1.1.250) permit.

DMZ (destination-MIP 10.1.1.250) Trust (source-any) permit.

Re: MIP on one of the trust network IP device for DMZ access

Sorry for the confusion, but you have the policy backwards.

Your policy should be from any device in the DMZ zone, and your MIP is the server in your Trust zone.

Re: MIP on one of the trust network IP device for DMZ access

Sweet child of mine!!!!!!!!!!!!!!!!!! Works!


SSG5 Performance Issues

Hello, new to the forum. I have an issue when trying to transfer larger files, like 2 to 3 Mbps, through different zones in the SSG5. I did a get inter eth0/3 and, see below, it shows a half-duplex connection. What is really weird is I don't see any collisions on the interfaces, just bad performance. I am connecting to an HP V1910-48G switch. I am pretty sure that the performance I am getting when copying between zones is from the half duplex. My transfer rates are like 300Kbps, but if I don't go through the firewall and both devices are in the same zone it is lightning fast. Can anyone help? Should there be collisions that show up?

Interface ethernet0/3(VSI):
description ethernet0/3
number 7, if_info 2856, if_index 0, mode route
link inactive, phy-link up/half-duplex
status change:1, last change:09/12/2016 04:04:14
vsys Root, zone Logicor, vr trust-vr, vsd 0
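
The interface dump above is the thing to check first whenever one side of a link "shows no errors". The following is an added example, not code from the thread or from Juniper: a Python parser for the `get interface` block layout shown above that pulls out mode, link state, duplex and zone, and flags any port that is physically up but negotiated half-duplex. It assumes that exact field layout; the second interface block in the sample input is constructed for contrast and is not from the thread.

```python
# Added example (not from the thread): parse ScreenOS "get interface" output in the
# layout pasted above and flag half-duplex ports. The ethernet0/2 block in the sample
# is constructed for contrast; the ethernet0/3 block is the poster's.
import re

HEADER_RE = re.compile(r"^Interface (?P<name>[^\s(:]+)(?:\((?P<kind>[^)]*)\))?:\s*$")
LINK_RE = re.compile(r"\blink (?P<link>\w+), phy-link (?P<phy>\w+)/(?P<duplex>half|full)-duplex")
MODE_RE = re.compile(r"\bmode (?P<mode>\w+)")
ZONE_RE = re.compile(r"\bzone (?P<zone>[^,\s]+), vr (?P<vr>[^,\s]+)")

SAMPLE_OUTPUT = """\
Interface ethernet0/3(VSI):
description ethernet0/3
number 7, if_info 2856, if_index 0, mode route
link inactive, phy-link up/half-duplex
status change:1, last change:09/12/2016 04:04:14
vsys Root, zone Logicor, vr trust-vr, vsd 0

Interface ethernet0/2(VSI):
description ethernet0/2
number 6, if_info 2448, if_index 0, mode nat
link up, phy-link up/full-duplex
status change:1, last change:09/12/2016 04:04:14
vsys Root, zone Trust, vr trust-vr, vsd 0
"""


def parse_get_interface(text):
    """Return one dict per 'Interface <name>:' block found in the output."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            cur = {"name": h.group("name"), "kind": h.group("kind"), "mode": None,
                   "link": None, "phy_link": None, "duplex": None, "zone": None, "vr": None}
            blocks.append(cur)
            continue
        if cur is None:          # text before the first header is ignored
            continue
        m = LINK_RE.search(line)
        if m:
            cur.update(link=m.group("link"), phy_link=m.group("phy"), duplex=m.group("duplex"))
        m = MODE_RE.search(line)
        if m:
            cur["mode"] = m.group("mode")
        m = ZONE_RE.search(line)
        if m:
            cur.update(zone=m.group("zone"), vr=m.group("vr"))
    return blocks


def duplex_findings(blocks):
    """Ports that are physically up but half-duplex: the symptom described in the
    thread, where this side shows no collisions yet throughput collapses."""
    return [
        f"{b['name']} zone={b['zone']} link={b['link']}: half-duplex; check the switch "
        f"port (usually the side that shows the errors) and pin both ends to full duplex"
        for b in blocks
        if b["phy_link"] == "up" and b["duplex"] == "half"
    ]


if __name__ == "__main__":
    for finding in duplex_findings(parse_get_interface(SAMPLE_OUTPUT)):
        print(finding)
```

Feeding the poster's block through it reports ethernet0/3 and nothing for the constructed full-duplex port. Because the SSG side of a mismatched link is typically the quiet one, the finding points at the switch port rather than at this device's own counters.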


Re: SSG5 Performance Issues

Hi,

You can experience the latency due to incorrect duplex settings. I would suggest you configure the interface e0/3 to full duplex and also change the duplex of the HP V1910-48G switch to full duplex. I would like to inform you that you can observe an interface flap, which can drop the traffic, when you change the duplex settings of the interface.

Please refer to the below-mentioned command to change the duplex settings:

# set interface <interface name> phy <full/half> <Speed>

#  set int e0/3 phy full 100mb

Please refer to the below-mentioned KB article for the detailed information:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB5453&smlogin=true&actp=search

Let me know if this resolves the performance issue or not.

Regards,

Rishi


Re: SSG5 Performance Issues

I frequently see this happen when one side of a link is half duplex.  You will not see the errors on the one side but the other side will show lots of errors.  I suspect the switch port would show the errors in your case.

[ASK] apply pbr on sub interface Juniper ssg550

Hi,

I am about to configure PBR on my customer's SSG550 production device,

so it seems I need to apply the PBR on a subinterface.

Has anyone ever tried to configure PBR and apply it on a subinterface?

Will this work? Because I don't have an SSG device to test and make sure it

Thank you

Re: SSG Firewall log compression transfer.

Hi Tae,

You will not be able to send the log file as a compressed file from the firewall. The log file can be saved to a TFTP server in .txt format. For example, you can save the output of the get commands with the commands below:

Eg. get session > tftp <IP-Address> <Filename>

Eg. get db str > tftp <IP-Address> <Filename>

Regards,

Rishi Surana

Re: [ASK] apply pbr on sub interface Juniper ssg550

Hi Rajas,

You can apply PBR configuration on a subinterface. It should work without any issues. You can take the below-mentioned configuration, which I tried in the lab, as a reference:

Sample Configuration:

1. <Access List configuration>

set access-list extended 1 src-ip 1.1.1.1/32 dst-ip 2.2.2.2/32 protocol any entry 1

2. <Match Group>
set match-group name Test
set match-group Test ext-acl 1 match-entry 1

3. <Action Group>
set action-group name Test-Action-Group
set action-group Test-Action-Group next-interface ethernet0/1 next-hop 3.3.3.3 action-entry 1

4. <Policy configuration>
set pbr policy name Test_Policy
set pbr policy Test_Policy match-group Test action-group Test-Action-Group 1

5. <Binding the policy on the interface>
set interface ethernet0/0.1 pbr Test_Policy

Please let me know if you are facing any issues.

Regards,

Rishi Surana

Re: SSG140 Different Interface Routing and VLANs

Thank you Gokul, this worked well. Apologies for taking so long in accepting the solution.
