juniper <-> openswan ipsec with multiple subnets again


Did the upgrade to ScreenOS 6.3r8 – it adds the option to configure multiple proxy IDs for the different subnets on one VPN. Everything is working fine, and the IPsec dial-up setup with multiple subnets via route-based VPN works as well.

Juniper Side (ScreenOS 6.3r8 config excerpt). A few things to be aware of before reusing it: the `preshare` and `password` strings appear to be ScreenOS's encrypted representation of the secrets, but they are still configuration material and should be redacted completely, not partially. The phase-1 proposal `psk_dh_14_aes_256_sha-1` actually specifies `md5` despite its name; it only interoperates with the openswan `ike=aes256-sha1-modp2048` below because `set ike accept-all-proposal` makes the firewall accept whatever proposal the peer offers – change the proposal to `sha-1` and drop `accept-all-proposal` so that only the intended algorithms can be negotiated. `no-replay` on all three VPNs disables ESP anti-replay protection and `unset ike dos-protection` disables the IKE DoS protection; both are worth re-enabling unless there is a known reason not to. The dial-up gateway uses Aggressive mode with a group pre-shared key plus XAuth – the usual compromise for IKEv1 road warriors with dynamic addresses, but it exposes the PSK-derived hash to offline guessing, so that PSK must be long and random. Note also that the dial-up gateway and VPN are bound to `sec-level standard`, so the `dialin_p1_…`/`dialin_p2_…` proposals defined here (the p2 one with `no-pfs`) are not referenced anywhere in this listing. Finally, the names were redacted inconsistently (`xxxx_it_vpn_user` vs `xxx_it_vpn_user`, `xxx_vpn_group` vs `xxx_it_vpn_group`); in a real config the user, user-group and gateway references must match exactly.

set ippool "VPN_POOL" 10.9.9.1 10.9.9.199
set user "xxxx_it_vpn_user" uid 1
set user "xxxx_it_vpn_user" ike-id fqdn "xxxxx-xxx.com" share-limit 10
set user "xxxx_it_vpn_user" type ike xauth
set user "xxxx_it_vpn_user" remote ippool "VPN_POOL"
set user "xxxx_it_vpn_user" password "2K5A017dN/xxxxxxxxxxxxxatJnvePr3CA=="
unset user "xxx_it_vpn_user" type auth
set user "xxx_it_vpn_user" "enable"
set user-group "xxx_vpn_group" id 2
set user-group "xxx_vpn_group" user "xxx_it_vpn_user"
set crypto-policy
exit
set ike p1-proposal "psk_dh_14_aes_256_sha-1" preshare group14 esp aes256 md5 second 28800
set ike p1-proposal "dialin_p1_IKE_Richtlinie" preshare group14 esp aes256 sha-1 second 28800
set ike p2-proposal "p2_aes256_dh14" group14 esp aes256 sha-1 second 3600
set ike p2-proposal "dialin_p2_IPsec_richtlinie" no-pfs esp aes256 sha2-256 second 3600
set ike gateway "Gateway for xxx" address 1xx.xx8.xx.xxx Main local-id "xxx.xx.xxx.xxx" outgoing-interface "ethernet0/0" preshare "N+JyD3AjNRssmXsxxxxxxxxxxxxxxxxxxxxxgpzyo9FxgP2W2iMnRHxthgO1" proposal "psk_dh_14_aes_256_sha-1"
set ike gateway "Gateway for xxx" nat-traversal
unset ike gateway "Gateway for xxx" nat-traversal udp-checksum
set ike gateway "Gateway for xxx" nat-traversal keepalive-frequency 0
set ike gateway "dialin_gateway" dialup "xxx_it_vpn_group" Aggr outgoing-interface "ethernet0/0" preshare "R9wTTVPRNANwRDsPrsCx0qS75QnUYiRp6IXbX0p4UGcoqK65xhEdBjI=" sec-level standard
unset ike gateway "dialin_gateway" nat-traversal udp-checksum
set ike gateway "dialin_gateway" nat-traversal keepalive-frequency 5
set ike gateway "dialin_gateway" xauth server "Local" user-group "xxx_it_vpn_group"
unset ike gateway "dialin_gateway" xauth do-edipi-auth
set ike gateway "Gateway for xxx" address xx.xx.xxx.1xx Main local-id "xxx.xx.xxx.xxx" outgoing-interface "ethernet0/0" preshare "jkuEx66ZNhhWqlsAOmCzY9Xok2nyB3fcsmPs4TCbqAm0zY6raIGjF3joMXoNK8Qot+lxhlDd/Xva" proposal "psk_dh_14_aes_256_sha-1"
set ike gateway "Gateway for xxx" nat-traversal
unset ike gateway "Gateway for xxx" nat-traversal udp-checksum
set ike gateway "Gateway for xxx" nat-traversal keepalive-frequency 0
set ike accept-all-proposal
set ike respond-bad-spi 1
set ike soft-lifetime-buffer 40
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default dns1 192.168.5.10
set xauth default dns2 193.xxx.xxx.x
set vpn "VPN_1_xxx_172.30.35.0/24" gateway "Gateway for xxx" no-replay tunnel idletime 0 proposal "p2_aes256_dh14"
set vpn "VPN_1_xxx_172.30.35.0/24" id 0x3 bind interface tunnel.1
set vpn "dialin_vpn_01" gateway "dialin_gateway" no-replay tunnel idletime 0 sec-level standard
set vpn "dialin_vpn_01" monitor
set vpn "dialin_vpn_01" id 0x6 bind interface tunnel.2
set vpn "dialin_vpn_01" dscp-mark 0
set vpn "VPN_2_xxx_10.77.242.0/25" gateway "Gateway for xxx" no-replay tunnel idletime 0 proposal "p2_aes256_dh14"
set vpn "VPN_2_xxx_10.77.242.0/25" id 0x9 bind interface tunnel.3
set vpn "VPN_2_xxx_10.77.242.0/25" dscp-mark 0
unset interface tunnel.1 acvpn-dynamic-routing
unset interface tunnel.2 acvpn-dynamic-routing
unset interface tunnel.3 acvpn-dynamic-routing
set url protocol websense
exit
set vpn "VPN_1_xxx_172.30.35.0/24" proxy-id check
set vpn "VPN_1_xxx_172.30.35.0/24" proxy-id local-ip 192.168.5.0/24 remote-ip 172.30.35.0/24 "ANY"
set vpn "VPN_1_xxx_172.30.35.0/24" proxy-id local-ip 10.77.241.0/24 remote-ip 172.30.35.0/24 "ANY"
set vpn "VPN_1_xxx_172.30.35.0/24" proxy-id local-ip 192.168.115.0/24 remote-ip 172.30.35.0/24 "ANY"
set vpn "dialin_vpn_01" proxy-id check
set vpn "dialin_vpn_01" proxy-id local-ip 192.168.5.0/24 remote-ip 255.255.255.255/32 "ANY"
set vpn "dialin_vpn_01" proxy-id local-ip 10.77.241.0/24 remote-ip 255.255.255.255/32 "ANY"
set vpn "dialin_vpn_01" proxy-id local-ip 192.168.115.0/24 remote-ip 255.255.255.255/32 "ANY"
set vpn "VPN_2_xxx_10.77.242.0/25" proxy-id check
set vpn "VPN_2_xxx_10.77.242.0/25" proxy-id local-ip 192.168.5.0/24 remote-ip 10.77.242.0/25 "ANY"
set vpn "VPN_2_xxx_10.77.242.0/25" proxy-id local-ip 192.168.115.0/24 remote-ip 10.77.242.0/25 "ANY"
set vpn "VPN_2_xxx_10.77.242.0/25" proxy-id local-ip 10.77.241.0/24 remote-ip 10.77.242.0/25 "ANY"
set route 172.30.35.0/24 interface tunnel.1
set route 10.9.9.0/24 interface tunnel.2
set route 10.77.242.0/25 interface tunnel.3

Openswan side: one `conn` per subnet pair. The example below is the 10.77.242.0/25 ↔ 10.77.241.0/24 pair; each additional proxy ID configured on the Juniper side (192.168.5.0/24, 192.168.115.0/24) needs its own conn with the matching `leftsubnet`/`rightsubnet`.

conn juniper_ssg5_xxxx_10.77
    # Site-to-site tunnel: this Debian/openswan gateway <-> Juniper SSG 5.
    # Parameter lines are indented on purpose: ipsec.conf treats an
    # unindented line as the start of a new section.
    auto=start
    type=tunnel
    keyexchange=ike
    authby=secret
    # Phase 1: AES-256 / SHA-1 / DH group 14 (modp2048). The Juniper p1
    # proposal on the other side is defined with md5 despite its name; the
    # tunnel still comes up only because the firewall has
    # "set ike accept-all-proposal". Better to align the firewall proposal
    # to sha-1 and drop accept-all-proposal.
    ike=aes256-sha1-modp2048
    # Phase 2: ESP AES-256 / SHA-1 with PFS, matching the Juniper p2
    # proposal "p2_aes256_dh14" (group14, aes256, sha-1, 3600s).
    # NOTE(review): no pfsgroup is given, so openswan presumably reuses the
    # IKE DH group for PFS - confirm against the ipsec.conf(5) in use.
    auth=esp
    esp=aes256-sha1
    pfs=yes
    # Lifetimes / retry: the 1h phase-2 lifetime matches "second 3600" on
    # the Juniper. ikelifetime is left at the openswan default although the
    # Juniper p1 proposal uses 28800s - NOTE(review): consider setting
    # ikelifetime explicitly to match. keyingtries=0 retries without limit.
    keylife=1h
    rekey=yes
    keyingtries=0
    # Local side (Debian gateway)
    left=2xx.xx.xxx.xxx
    leftid=2x.xx.xxx.xxx
    leftsubnet=10.77.242.0/25
    # Lets this gateway itself reach (ping) the remote gateway/hosts
    # through the tunnel.
    leftsourceip=10.77.242.1
    # Remote side (SSG 5 @ xxxxx)
    right=yyy.yyy.yyy.yyy
    rightid=yyy.yyy.yyy.yyy
    rightsubnet=10.77.241.0/24


