Hi Sajal, Hi Andreas, Hi Laurence, Hi All,
Thank you for your useful document and kind help!
Now we have established the IPsec tunnel between the seGW (Juniper SSG550M) and
the client. Thanks a lot!
I think there are still a lot of problems that need all your help. Thanks in advance!
Best wishes,
David Morris
2010/9/30 Sajal Malhotra sajalmalho...@gmail.com
Hi David,
From what I know, this issue of Link Status as down and SA status Active
in Juniper comes when VPN monitoring is not configured or working in
Juniper. Please refer to Juniper documentation on configuration/issues in
VPN monitoring.
http://kb.juniper.net/KB9522
http://kb.juniper.net/KB9503
Not sure if this applies to your Juniper equipment, but it might give some
hint.
BR
Sajal
On Sat, Sep 18, 2010 at 11:34 AM, David Deng
david.live@gmail.com wrote:
Hi Martin, Hi All,
I configured strongSwan with the following items and tried to interoperate
with a Juniper SSG 550M, but I found that no inner IP could be allocated from
the Juniper SSG 550M, and the link was always indicated as down while the SA status
was Active.
THE CONFIGURATION of STRONGSWAN is:
1) IPSEC.CONF
config setup
        strictcrlpolicy=no
        plutostart=no

conn %default
        ike=3des-sha1-modp1024!
        esp=3des-sha1!
        ikelifetime=1440m
        keylife=24m
        rekeymargin=3m
        keyingtries=%forever
        reauth=no
        keyexchange=ikev2
        pfs=yes
        authby=secret

conn FAP0
        left=172.19.2.169
        leftid=...@juniper.com
        leftfirewall=yes
        right=172.19.2.199
        rightsubnet=0.0.0.0/0
        auto=add
2) ipsec.secrets
# /etc/ipsec.secrets - strongswan IPsec secrets file
p...@juniper.com : PSK PBRVPN0
IN JUNIPER SSG 550
1) I create one dialup user and configure the gateway and IKE with
authentication as PSK and IKEv2 used, and then I configure one policy for it.
2) The configuration of the Juniper SSG 550 is listed as follows:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter untrust-vr
exit
set vrouter trust-vr
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server Local id 0
set auth-server Local server-name Local
set auth default auth server Local
set auth radius accounting port 1646
set admin name netscreen
set admin password nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
set admin auth web timeout 10
set admin auth server Local
set admin format dos
set zone Trust vrouter trust-vr
set zone Untrust vrouter trust-vr
set zone DMZ vrouter trust-vr
set zone VLAN vrouter trust-vr
set zone Untrust-Tun vrouter trust-vr
set zone Trust tcp-rst
set zone Untrust block
unset zone Untrust tcp-rst
set zone MGT block
set zone DMZ tcp-rst
set zone VLAN block
unset zone VLAN tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface ethernet0/0 zone Trust
set interface ethernet0/1 zone Trust
set interface ethernet0/2 zone Untrust
set interface ethernet0/3 zone Trust
set interface tunnel.1 zone Trust
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.52.253/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 172.19.2.199/24
set interface ethernet0/2 route
set interface ethernet0/3 ip 192.168.54.253/24
set interface ethernet0/3 nat
set interface tunnel.1 ip unnumbered interface ethernet0/2
set interface ethernet0/2 bandwidth egress mbw 5000 ingress mbw 5000
set interface tunnel.1 mtu 1500
set interface ethernet0/1 pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/3 ip manageable
set interface ethernet0/1 manage ident-reset
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
unset interface ethernet0/3 manage ssh
unset interface ethernet0/3 manage telnet
unset interface ethernet0/3 manage snmp
unset interface ethernet0/3 manage ssl
unset interface ethernet0/3 manage web
set interface ethernet0/0 dhcp server service
set interface ethernet0/0 dhcp server enable
set interface ethernet0/0 dhcp server option lease 144
set interface ethernet0/0 dhcp server ip 192.168.1.200 to 192.168.1.250
set interface ethernet0/0 dhcp server config next-server-ip
unset interface ethernet0/0 dhcp server config updatable
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain zte.com.cn
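As an added example (not David's posted config and not from Juniper's documentation), here is the strongSwan side of that setup rewritten so the client actually asks the gateway for an inner address: the posted conn has no leftsourceip, so charon sends no IKEv2 configuration payload and the SSG has nothing to allocate. The leftid value below is a placeholder for the identity elided in the thread, and the gateway must still have an IP pool bound to that dialup user, which the ScreenOS commands above do not show.

```ini
# /etc/ipsec.conf - strongSwan client side (added example, not the thread's own file)
config setup
        strictcrlpolicy=no
        plutostart=no           # IKEv2 only, so pluto is not started

conn %default
        ike=3des-sha1-modp1024!
        esp=3des-sha1!
        ikelifetime=1440m
        keylife=24m
        rekeymargin=3m
        keyingtries=%forever
        reauth=no
        keyexchange=ikev2
        pfs=yes
        authby=secret

conn FAP0
        left=172.19.2.169
        leftid=client@example.invalid   # placeholder: use the identity the SSG dialup user expects
        # Request INTERNAL_IP4_ADDRESS from the gateway in the IKE_AUTH CP payload.
        # Without this line no virtual IP is ever requested, so none is allocated.
        leftsourceip=%config
        leftfirewall=yes        # updown script inserts rules for the assigned virtual IP
        right=172.19.2.199
        rightsubnet=0.0.0.0/0   # full tunnel: all client traffic goes to the SSG
        auto=add
```

After `ipsec up FAP0`, `ipsec statusall` should list the allocated virtual IP under the FAP0 connection; if it still shows none, the gateway side did not return an INTERNAL_IP4_ADDRESS attribute and the SSG pool binding for the dialup user is the next thing to check.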