Ipsec tunnel / openswan <-> juniper ssg5
Posted: February 24th, 2011 | Author: micha | Filed under: debian, it, juniper, linux, networking | Tags: debian, juniper, linux, network, security | No Comments »finally got it working: building a bidirectional ipsec tunnel between a juniper ssg5 and openswan@debian, both sites got static ip adresses
openswan config:
conn juniper_ssg5_01
type=tunnel
authby=secret
auth=esp
pfs=yes
rekey=yes
auto=start
keylife=8h
keyingtries=0
keyexchange=ike
ike=aes256-sha1-modp2048
esp=aes256-sha1
# Linux openswan
leftid=1.1.1.1
left=1.1.1.1 # expernal ip
leftsubnet=10.1.10.0/24
leftsourceip=10.1.10.1
# SSG 5
rightid=2.2.2.2
right=2.2.2.2 # untrust interface
rightsubnet=192.168.10.0/24
juniper screenos config / route based config
set interface "tunnel.2" zone "Untrust"
set ike p1-proposal "g14-esp-aes256-sha" preshare group14 esp aes256 sha-1 second 28800
set ike p2-proposal "g14-esp-aes256-sha" group14 esp aes256 sha-1 second 3600
set ike gateway "Gateway for 10.1.10.0/24" address 1.1.1.1 Main local-id "2.2.2.2" outgoing-interface "ethernet0/0" preshare "mysecretpsk" proposal "g14-esp-aes256-sha"
set ike gateway "Gateway for 10.1.10.0/24" nat-traversal
set ike gateway "Gateway for 10.1.10.0/24" nat-traversal udp-checksum
set ike gateway "Gateway for 10.1.10.0/24" nat-traversal keepalive-frequency 0
set ike accept-all-proposal
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN for 10.1.10.0/24" gateway "Gateway for 10.1.10.0/24" replay tunnel idletime 0 proposal "g14-esp-aes256-sha"
set vpn "VPN for 10.1.10.0/24" id 0x3 bind interface tunnel.2
set vpn "VPN for 10.1.10.0/24" proxy-id local-ip 192.168.10.0/24 remote-ip 10.1.10.0/24 "ANY"
set policy id 34 from "Trust" to "Untrust" "Any" "10.1.10.0/24" "ANY" permit log count
Leave a Reply