Chapter 9
Monitor
The VPN connections monitor is not that great. It can only show the two states, established IPsec tunnel and not up. You only have a choice between dial and drop. It does not show whether Phase 1 is up, or what any error might be. So if you are stuck in Phase 1, you just see not up and you think you can still hit dial. Sometimes the monitor state is also just plain wrong. The IPsec tunnel is up, but the monitor does not know about it. We think this happens mostly (if not only) on the responding end. A ping is more reliable than the monitor. This also happens with Vigor-Vigor connections.
Logs
You cannot find IPsec logs on the device. The only way to get more logs is to enable syslog, which when enabled will send you a lot of syslog information. We do not recommend using the syslog feature over the Internet, since it generates a lot of syslog messages.
Spurious 1DES Requests
Sometimes we have seen 1DES/modp-768 requests even when 1DES was disabled, but these could be due to the web interface's inconsistency with advanced tabs as discussed earlier. Openswan will refuse these requests and both ends will decide on another acceptable proposal.
CIDR Writing Bug
Do not use CIDR notations that specify an IP address instead of the network address in the Remote Network ID setting, as this will not work with the Vigor. So you can use 10.0.2.0/24 but should not use 10.0.2.1/24.
UDP Fragmenting Option
The vigor has an option to allow UDP defragmentation, which can be found at Advanced Setup | IP Filter / Firewall Setup | General Setup. The option is called Accept Incoming Fragmented UDP Packets (for some games, ex. CS).
This option is disabled by default, and could influence IKE behavior when UDP fragmentation happens. This is not particularly likely, however, because the Vigors do not support X.509 Certificates with big RSA keys, which seems to be the main reason for IKE fragmentation. If at some point Vigor supports X.509 Certificates, this option might need to be enabled.
Enabling the IPsec VPN Service
The Vigor has an option to completely enable or disable the entire VPN system at Advanced Setup | VPN and Remote Access Setup | Remote Access Control Setup | IPsec VPN service.
You must enable this option, though you can disable the L2TP and PPTP VPN services in this menu if you do not use those.
NetScreen
(Thanks to Ghislaine Labouret of Hervé Schauer Consultants)
The NetScreen is a very popular router/firewall in North America. It has been acquired by Juniper Networks. There are various models available, usually small form factor, with two or more Ethernet ports on the device. It runs ScreenOS.
225
Interoperating with Other Vendors
The VPN connection configuration menu is where you set whether to use Pre-Shared Key or Certificates, which IKE mode (Main or Aggressive) to use, and the IP address of the remote gateway.
You can set the encapsulation mode (Tunnel or Transport), and the subnet you wish to connect in the Policy Configuration screen.
226
Chapter 9
Known Issues
There have been numerous incompatibilities between ScreenOS and Openswan (and FreeS/WAN) over the years. Ensure you are running the latest version of ScreenOS on your NetScreen device. Also, check the NetScreen release notes, as they contain the latest information about known interoperability bugs. In general, people seem to have had more luck using Aggressive Mode than Main Mode, but we do recommend trying Main Mode first as it is much safer.
If you log in to the NetScreen device using SSH or Telnet, you can use the snoop command and
set debug ike info or debug ike all.
Below is a configuration example for connecting Openswan to NetScreen. First we will show the Openswan side's ipsec.conf:
conn openswan-to-netscreen authby=secret aggrmode=yes ike=3des-sha1-modp1024 left=%defaultroute leftid=@your.host.name right=YourPublicIP
rightsubnet=172.16.20.0/24
auto=start
And the corresponding ipsec.secrets entry:
YourPublicIP @your.host.name : PSK "netscreen"
The NetScreen side is using:
unset hardware wdt-reset set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export set auth-server "Local" id 0
set auth-server "Local" server-name "Local" set auth default auth server "Local"
set admin name "yyyyy"
set admin password "xxxxxx"
set admin manager-ip 192.168.0.0 255.255.0.0
set admin auth timeout 10set zone "Trust" tcp-rst set zone "Untrust" block
unset zone "Untrust" tcp-rst set zone "MGT" block
set zone "VLAN" block set zone "VLAN" tcp-rst
set zone "Untrust" screen icmp-flood set zone "Untrust" screen tear-drop set zone "Untrust" screen syn-flood set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop set zone "V1-Untrust" screen syn-flood set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust" unset interface vlan1 ip
set interface trust ip 172.31.0.2/26
227
Interoperating with Other Vendors
set interface trust natset interface untrust ip YourPublicIP/26 set interface untrust nat
unset interface vlan1 bypass-others-ipsec unset interface vlan1 bypass-non-ip
set interface trust ip manageable set interface untrust ip manageable set interface untrust manage ping set interface untrust manage ssh
set interface trust dhcp server service set interface trust dhcp server auto
set interface trust dhcp server option gateway 192.168.1.1 set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server ip 192.168.1.100 to 192.168.1.199 set flow tcp-mss
set hostname ns5gt
set address "Trust" "inside net" 172.31.0.0 255.255.255.192 set user "user1" uid 1
set user "user1" ike-id fqdn "your.host.name" share-limit 10 set user "user1" type ike
set user "user1" "enable"
set user-group "outsiders" id 1set ike gateway "outside_gw" dialup "outsiders"
Main outgoing-interface "untrust" seed-preshare "YourPreSharedSecret"
set ike gateway "outside_gw" cert peer-cert-type x509-sig unset ike gateway "outside_gw" nat-traversal
set ike respond-bad-spi 1
set vpn "outside_vpn" gateway "outside_gw" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set pki authority default scep mode "auto" set pki x509 default cert-path partial
set av scan-mgr pattern-update-url http://5gt-t.activeupdate.trendmicro.com:80/activeupdate/server.ini interval 0
set policy id 1 from "Trust" to "Untrust" "inside net" "Any" "ANY" nat src
permit
set policy id 2 from "Untrust" to "Trust" "Dial-Up VPN" "inside net" "ANY"
tunnel vpn "outside_vpn" id 1
set global-pro policy-manager primary outgoing-interface untrust set global-pro policy-manager secondary outgoing-interface untrust set ssh version v2
set ssh enable
set config lock timeout 5 set modem speed 115200 set modem retry 3
set modem interval 10 set modem idle-time 10
set snmp community "public" Read-Write Trap-on traffic version any set snmp port listen 161
set snmp port trap 162
set user-group "outsiders" user "user1" set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr" set zone "Untrust" vrouter "trust-vr" set zone "VLAN" vrouter "trust-vr" set vrouter "untrust-vr"
exit
set vrouter "trust-vr" unset add-default-route
set route 0.0.0.0/0 interface untrust gateway YourPublicIP set route 192.168.255.0/24 interface trust gateway 172.31.0.2
228