Hi all,

We got a working setup. We can connect the sunrays to a Juniper.

There is still an issue. We have to add the following firewall rules:

set policy id 4 name "VPNsunray" from "Untrust" to "Trust" "Dial-Up VPN IPv4" "Any-IPv4" "ANY" tunnel vpn "sunray-vpn" id 0x4 pair-policy 5 log
set policy id 5 name "VPNsunray" from "Trust" to "Untrust" "Any-IPv4" "Dial-Up VPN IPv4" "ANY" tunnel vpn "sunray-vpn" id 0x4 pair-policy 4 log

This means that once the sunray has a working VPN, they have access to all subnets. If we modify the firewall rules and limit it to a subnet, we get the following error:

IKE<x.x.x.x> Phase 2: No policy exists for the proxy ID received: local ID (<0.0.0.0>/<0.0.0.0>, <0>, <0>) remote ID (<172.16.1.1>/<255.255.255.255>, <0>, <0>).

172.16.1.0 is the range used by the ip-pool. This will be used in a shared environment, so we don't want the sunrays to have access to all subnets.

Any help,

Wouter

On 14/01/09 01:29, "Kent Peacock" <[email protected]> wrote:

> For what it's worth, here's my test gateway config.
>
> Kent
>
> set clock ntp
> set clock timezone -8
> set vrouter trust-vr sharable
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> unset auto-route-export
> exit
> set alg appleichat enable
> unset alg appleichat re-assembly enable
> set alg sctp enable
> set auth-server "Local" id 0
> set auth-server "Local" server-name "Local"
> set auth-server "nomad-70" id 1
> set auth-server "nomad-70" server-name "10.6.129.70"
> set auth-server "nomad-70" account-type xauth
> set auth-server "nomad-70" type securid
> set auth-server "nomad-70-rad" id 2
> set auth-server "nomad-70-rad" server-name "10.6.129.70"
> set auth-server "nomad-70-rad" account-type xauth
> set auth-server "nomad-70-rad" radius port 1812
> set auth-server "nomad-70-rad" radius secret "YoDMzfXSNDkGhCslq1CbkTf+zon9t/Gbgg=="
> set auth-server "nomad-70-rad" radius timeout 10
> set auth default auth server "Local"
> set auth radius accounting port 1646
> set admin name "netscreen"
> set admin password "nMW4ObrKEUrGcpcGYsuEc4PtvFHy1n"
> set admin user "rshipper" password "nN5oBuruBg0Lca2DjslGQNHtIEJ7Pn" privilege "all"
> set admin http redirect
> set admin auth web timeout 1000
> set admin auth dial-in timeout 3
> set admin auth server "Local"
> set admin privilege read-write
> set admin format dos
> set zone "Trust" vrouter "trust-vr"
> set zone "Untrust" vrouter "trust-vr"
> set zone "DMZ" vrouter "trust-vr"
> set zone "VLAN" vrouter "trust-vr"
> set zone "Untrust-Tun" vrouter "trust-vr"
> set zone "Trust" tcp-rst
> set zone "Untrust" block
> unset zone "Untrust" tcp-rst
> set zone "MGT" block
> set zone "DMZ" tcp-rst
> set zone "VLAN" block
> unset zone "VLAN" tcp-rst
> set zone "Untrust" screen tear-drop
> set zone "Untrust" screen syn-flood
> set zone "Untrust" screen ping-death
> set zone "Untrust" screen ip-filter-src
> set zone "Untrust" screen land
> set zone "V1-Untrust" screen tear-drop
> set zone "V1-Untrust" screen syn-flood
> set zone "V1-Untrust" screen ping-death
> set zone "V1-Untrust" screen ip-filter-src
> set zone "V1-Untrust" screen land
> set interface "ethernet0/0" zone "Untrust"
> set interface "ethernet0/1" zone "Null"
> set interface "ethernet0/4" zone "Trust"
> set interface "wireless0/0" zone "Trust"
> set interface "bgroup0" zone "Trust"
> set interface "tunnel.1" zone "Trust"
> unset interface vlan1 ip
> set interface ethernet0/0 ip 192.168.129.5/24
> set interface ethernet0/0 route
> set interface ethernet0/4 ip 10.6.129.51/24
> set interface ethernet0/4 nat
> set interface wireless0/0 ip 192.168.2.51/24
> set interface wireless0/0 nat
> set interface tunnel.1 ip unnumbered interface ethernet0/4
> unset interface vlan1 bypass-others-ipsec
> unset interface vlan1 bypass-non-ip
> unset interface ethernet0/0 ip manageable
> set interface ethernet0/4 ip manageable
> set interface wireless0/0 ip manageable
> set interface ethernet0/0 manage ping
> unset interface ethernet0/4 manage ssh
> unset interface ethernet0/4 manage snmp
> unset interface bgroup0 manage snmp
> set interface bgroup0 manage mtrace
> set auth-server "nomad-70-rad" src-interface "ethernet0/4"
> set interface wireless0/0 dhcp server service
> set interface wireless0/0 dhcp server auto
> set interface wireless0/0 dhcp server option dns1 129.145.155.220
> set interface wireless0/0 dhcp server option dns2 129.145.154.118
> unset interface wireless0/0 dhcp server config next-server-ip
> set interface "serial0/0" modem settings "USR" init "AT&F"
> set interface "serial0/0" modem settings "USR" active
> set interface "serial0/0" modem speed 115200
> set interface "serial0/0" modem retry 3
> set interface "serial0/0" modem interval 10
> set interface "serial0/0" modem idle-time 10
> set interface wireless0 wlan 0
> set flow tcp-mss
> unset flow tcp-syn-check
> unset flow tcp-syn-bit-check
> set flow reverse-route clear-text prefer
> set flow reverse-route tunnel always
> set console page 0
> set domain sfbay.sun.com
> set hostname net130-juniper
> set dbuf size 4096
> set pki authority default scep mode "auto"
> set pki x509 default cert-path partial
> set dns host schedule 06:28
> set dns proxy
> set dns proxy enable
> set dns server-select domain sfbay.sun.com outgoing-interface bgroup0 primary-server 129.145.155.220 secondary-server 129.145.154.118 tertiary-server 129.147.9.5 failover
> set address "Trust" "nomad-net" 10.6.129.0 255.255.255.0
> set ippool "Remote-VPN-pool" 50.50.131.10 50.50.131.254
> set user "kent" uid 8
> set user "kent" type xauth
> set user "kent" remote dns1 "129.145.155.220"
> set user "kent" remote dns2 "129.145.155.226"
> set user "kent" password "VZvnuDPKNX2t3isDHSCYNN0tkJn3cca3yw=="
> unset user "kent" type auth
> set user "kent" "enable"
> set user "localsrs" uid 7
> set user "localsrs" ike-id u-fqdn "locala...@vpn" share-limit 1
> set user "localsrs" type ike
> set user "localsrs" "enable"
> set user-group "localgroup" id 4
> set user-group "localgroup" user "kent"
> set user-group "localgroup" user "localsrs"
> set ike gateway "Gateway for Any" address 172.16.16.2 Aggr local-id "vpn1" outgoing-interface "ethernet0/0" preshare "gmSV9W67NkeEoqszsMCSYIqGO5nLxMfyQw==" sec-level standard
> set ike gateway "Gateway for Any_0" address 0.0.0.0 id "sunray1" Aggr outgoing-interface "ethernet0/0" preshare "4MgWnzblN19K/vs1faC2s0PzeOn3cobNsA==" sec-level standard
> set ike gateway "Gateway for Any_0" nat-traversal udp-checksum
> set ike gateway "Gateway for Any_0" nat-traversal keepalive-frequency 5
> set ike gateway "sunrays" dialup "localgroup" Aggr outgoing-interface "ethernet0/0" preshare "Ntmd6HFfNtuWybsY0JCX+OuG/enTRRdXDA==" proposal "pre-g2-3des-sha" "pre-g2-aes128-sha"
> unset ike gateway "sunrays" nat-traversal udp-checksum
> set ike gateway "sunrays" nat-traversal keepalive-frequency 5
> set ike gateway "sunrays" xauth server "nomad-70"
> unset ike gateway "sunrays" xauth do-edipi-auth
> set ike respond-bad-spi 1
> set ike ikev2 ike-sa-soft-lifetime 60
> unset ike ikeid-enumeration
> unset ike dos-protection
> unset ipsec access-session enable
> set ipsec access-session maximum 5000
> set ipsec access-session upper-threshold 0
> set ipsec access-session lower-threshold 0
> set ipsec access-session dead-p2-sa-timeout 0
> unset ipsec access-session log-error
> unset ipsec access-session info-exch-connected
> unset ipsec access-session use-error-log
> set xauth default ippool "Remote-VPN-pool"
> set xauth default dns1 129.145.155.220
> set xauth default auth server "nomad-70"
> set vpn "VPN for Any" gateway "Gateway for Any" replay tunnel idletime 0 sec-level standard
> set vpn "VPN for Any" id 0x1 bind interface tunnel.1
> set vpn "VPN for Any_0" gateway "Gateway for Any_0" replay tunnel idletime 0 sec-level standard
> set vpn "VPN for Any_0" id 0x3 bind interface tunnel.1
> set vpn "sunray-vpn" gateway "sunrays" replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha" "nopfs-esp-3des-md5"
> set vpn "sunray-vpn" monitor
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> exit
> set vpn-group id 1
> set l2tp "L2TP-tunnel" id 2 outgoing-interface ethernet0/0 keepalive 60
> set url protocol websense
> exit
> set policy id 4 name "VPNsunray" from "Untrust" to "Trust" "Dial-Up VPN IPv4" "Any-IPv4" "ANY" tunnel vpn "sunray-vpn" id 0x4 pair-policy 5 log
> set policy id 4
> exit
> set policy id 3 from "Untrust" to "Trust" "Any-IPv4" "Any-IPv4" "ANY" permit log
> set policy id 3
> exit
> set policy id 5 name "VPNsunray" from "Trust" to "Untrust" "Any-IPv4" "Dial-Up VPN IPv4" "ANY" tunnel vpn "sunray-vpn" id 0x4 pair-policy 4 log
> set policy id 5
> exit
> set policy id 2 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" permit log
> set policy id 2
> exit
> set nsmgmt bulkcli reboot-timeout 60
> set ssh version v2
> set ssh enable
> set config lock timeout 5
> unset license-key auto-update
> set wlan 0 channel auto
> set wlan 1 channel auto
> set ssid name juniper
> set ssid juniper authentication wpa-psk passphrase og6NfdGTN6u18LsUROCJVPxL4+nWxNt1uQ== encryption auto
> set ssid juniper interface wireless0
> set snmp port listen 161
> set snmp port trap 162
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> unset add-default-route
> set route 50.50.130.0/24 interface ethernet0/0 preference 20
> exit
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> exit

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
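Added example, not code from the post or from Juniper: a small Python model of why narrowing the destination of the tunnel policy produces the Phase 2 error above. ScreenOS derives a tunnel policy's proxy ID from its source and destination address objects and refuses a Phase 2 proposal whose proxy ID no policy yields; the model checks the proxy ID from the quoted log line (local 0.0.0.0/0, remote 172.16.1.1/32) against the two quoted policies and a hypothetical narrowed one. Policy id 6, the address "shared-net", the address-book values and the matching rule (exact local ID, remote ID contained in the policy's remote object) are assumptions.

```python
import ipaddress
import re
# Constructed inputs: the two tunnel policies quoted above plus a hypothetical narrowed
# policy (id 6, destination "shared-net"). "Dial-Up VPN IPv4" stands for any client address.
POLICIES = [
    'set policy id 4 name "VPNsunray" from "Untrust" to "Trust" "Dial-Up VPN IPv4" '
    '"Any-IPv4" "ANY" tunnel vpn "sunray-vpn" id 0x4 pair-policy 5 log',
    'set policy id 5 name "VPNsunray" from "Trust" to "Untrust" "Any-IPv4" '
    '"Dial-Up VPN IPv4" "ANY" tunnel vpn "sunray-vpn" id 0x4 pair-policy 4 log',
    'set policy id 6 name "VPNsunray-narrow" from "Untrust" to "Trust" '
    '"Dial-Up VPN IPv4" "shared-net" "ANY" tunnel vpn "sunray-vpn" id 0x4 log',
]
ADDRESS_BOOK = {"Any-IPv4": "0.0.0.0/0", "Dial-Up VPN IPv4": "0.0.0.0/0",
                "shared-net": "10.1.0.0/24"}  # constructed address book
POLICY_RE = re.compile(
    r'set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (tunnel vpn "[^"]+"|permit|deny)')

def parse_policy(line):
    """Split a ScreenOS 'set policy' line into id, zones, addresses, service, action."""
    m = POLICY_RE.match(line)
    if not m:
        raise ValueError("unrecognised policy line: " + line)
    pid, src_zone, dst_zone, src, dst, svc, action = m.groups()
    return {"id": int(pid), "from": src_zone, "to": dst_zone, "src": src,
            "dst": dst, "service": svc, "action": action}

def proxy_id_of(policy):
    """Simplified model of proxy-ID derivation: local ID = the address object on the
    Trust side of the policy, remote ID = the object on the Untrust (client) side."""
    if policy["from"] == "Untrust":
        local_name, remote_name = policy["dst"], policy["src"]
    else:
        local_name, remote_name = policy["src"], policy["dst"]
    return (ipaddress.ip_network(ADDRESS_BOOK[local_name]),
            ipaddress.ip_network(ADDRESS_BOOK[remote_name]))

def matching_policies(lines, local_id, remote_id):
    """Ids of tunnel policies whose derived proxy ID accepts the received one. Assumed
    rule: local ID must match exactly; the remote ID (a pool address not known in advance)
    only has to fall inside the policy's remote object. Empty list = the error in the post."""
    local, remote = ipaddress.ip_network(local_id), ipaddress.ip_network(remote_id)
    hits = []
    for pol in (parse_policy(line) for line in lines):
        if pol["action"].startswith("tunnel"):
            pol_local, pol_remote = proxy_id_of(pol)
            if pol_local == local and remote.subnet_of(pol_remote):
                hits.append(pol["id"])
    return hits
```

With all three policies the received proxy ID is accepted by policies 4 and 5; with only the narrowed policy 6 in place nothing matches, which is the situation the log line reports.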
