Screen OS

 View Only
last person joined: 9 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 02:17

    Hi All,

     

    Hoping you guys can help..

     

    I have a Juniper SSG-140 firewall. I have about 2 dozen clients connecting using the NetScreen-Remote client version 10.7.7

     

    The remote gateway type for all is “Dialup user” using shared keys. Each user has their own policy.

     

    I have a problem with 2 users who are dialling in from another company, (through an unknown firewall) When there was one users there was no problem connecting. Now that a second user is at that site he cannot get a connection he is getting the following error on his client:

     

    7-25: 16:15:27.859 My Connections\Company - Initiating IKE Phase 1 (IP ADDR=80.169.139.110)

     7-25: 16:15:28.078 My Connections\Company - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)

     7-25: 16:15:43.343 My Connections\Company - message not received! Retransmitting!

     7-25: 16:15:43.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)

     7-25: 16:15:58.343 My Connections\Company - message not received! Retransmitting!

     7-25: 16:15:58.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)

     7-25: 16:16:13.343 My Connections\Company - message not received! Retransmitting!

     7-25: 16:16:13.343 My Connections\Company - SENDING>>>> ISAKMP OAK AG (Retransmission)

     7-25: 16:16:28.343 My Connections\Company - Exceeded 3 IKE SA negotiation attempts

     

    Could it be that both clients are originating from the same IP (the company’s external ip address) ? If so how do I get around this problem?

     

    Cheers,

     

    Stephen


    #single
    #connection
    #dial
    #address
    #up
    #vpn
    #ip
    #firewall
    #source
    #problem


  • 2.  RE: 2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 02:41

    Hi Stephen,

     

    like most IPSec clients, you'll need to have the clients approach the termination point with a unique ip.

    Reason is source and destination port of UDP 500.

     

    I've seen this in the past with cisco clients also , where (on a ns firewall) a mip was needed per user traversing the firewall using a IPSec client.

     

    Hope this helps

     

    Kind regards

     

    Colin



  • 3.  RE: 2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 03:22

    Hi CB, thanks for your prompt reply.

     

    You will have to forgive my limited knowledge on firewalls and clients I’m a jack of all trades master of none!

     

    Are you saying that’s its not possible in any client configuration to have 2 clients coming from the same IP address?

     

    Cheers,

     

    Stephen



  • 4.  RE: 2 Dial up clients originating from 1 ip address
    Best Answer

    Posted 07-28-2008 04:53

    Try to enable NAT-T in PHASE 1. I had to do that with a Cisco 3000 and I'll assume this will work with Juniper. However I'm like you "jack of all trade master at none" and I'm new to Juniper as well.

     

    Rick 



  • 5.  RE: 2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 04:57

    hi,

     

    u have to enable NAT traversing on SSG. Go to VPN->Autokey Advanced->Edit here check NAT traversal

     

    Hope this helps

     

     



  • 6.  RE: 2 Dial up clients originating from 1 ip address

    Posted 07-28-2008 09:51

    Hi Guys,

     

    Thanks for that it looks like enabling Nat in VPN > Autokey Advanced >  Gateway > edit

     

    Did the trick.

     

    Cheers

     

    Stephen



  • 7.  RE: 2 Dial up clients originating from 1 ip address

     
    Posted 07-28-2008 06:34
    I believe you should create a VPN tunnel between the two networks and apply a policy that allows only those two users access to the tunnel, and your network resources.


  • 8.  RE: 2 Dial up clients originating from 1 ip address

    Posted 09-01-2011 03:06

    I have a question for you, how are you defining a different policy for each user?