On 01/19/09 06:15, Wouter Coppens wrote:
Hi all,
We have a working setup: the Sun Rays can connect to a Juniper.
There is still one issue. We had to add the following firewall policies:
set policy id 4 name "VPNsunray" from "Untrust" to "Trust" "Dial-Up VPN
IPv4" "Any-IPv4" "ANY" tunnel vpn "sunray-vpn" id 0x4 pair-policy 5 log
set policy id 5 name "VPNsunray" from "Trust" to "Untrust" "Any-IPv4"
"Dial-Up VPN IPv4" "ANY" tunnel vpn "sunray-vpn" id 0x4 pair-policy 4 log
Because both policies use "Any-IPv4" on the Trust side, this means that once a
Sun Ray has a working VPN, it has access to all subnets.
I'm guessing you can probably figure out how to filter the Sun Ray
traffic, but that is a Juniper issue beyond my expertise.
Kent
If we modify the firewall policies to limit them to a single subnet, we get the
following error:
IKE<x.x.x.x> Phase 2: No policy exists for the proxy ID received: local ID
(<0.0.0.0>/<0.0.0.0>, <0>, <0>) remote ID (<172.16.1.1>/<255.255.255.255>,
<0>, <0>).
172.16.1.0 is the range used by the IP pool.
This will be deployed in a shared environment, so we do not want the Sun Rays to
have access to all subnets.
Any help is appreciated,
Wouter
On 14/01/09 01:29, "Kent Peacock" <[email protected]> wrote:
For what it's worth, here's my test gateway config.
Kent
set clock ntp
set clock timezone -8
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "nomad-70" id 1
set auth-server "nomad-70" server-name "10.6.129.70"
set auth-server "nomad-70" account-type xauth
set auth-server "nomad-70" type securid
set auth-server "nomad-70-rad" id 2
set auth-server "nomad-70-rad" server-name "10.6.129.70"
set auth-server "nomad-70-rad" account-type xauth
set auth-server "nomad-70-rad" radius port 1812
set auth-server "nomad-70-rad" radius secret
"YoDMzfXSNDkGhCslq1CbkTf+zon9t/Gbgg=="
set auth-server "nomad-70-rad" radius timeout 10
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nMW4ObrKEUrGcpcGYsuEc4PtvFHy1n"
set admin user "rshipper" password "nN5oBuruBg0Lca2DjslGQNHtIEJ7Pn" privilege
"all"
set admin http redirect
set admin auth web timeout 1000
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/4" zone "Trust"
set interface "wireless0/0" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/0 ip 192.168.129.5/24
set interface ethernet0/0 route
set interface ethernet0/4 ip 10.6.129.51/24
set interface ethernet0/4 nat
set interface wireless0/0 ip 192.168.2.51/24
set interface wireless0/0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
unset interface ethernet0/0 ip manageable
set interface ethernet0/4 ip manageable
set interface wireless0/0 ip manageable
set interface ethernet0/0 manage ping
unset interface ethernet0/4 manage ssh
unset interface ethernet0/4 manage snmp
unset interface bgroup0 manage snmp
set interface bgroup0 manage mtrace
set auth-server "nomad-70-rad" src-interface "ethernet0/4"
set interface wireless0/0 dhcp server service
set interface wireless0/0 dhcp server auto
set interface wireless0/0 dhcp server option dns1 129.145.155.220
set interface wireless0/0 dhcp server option dns2 129.145.154.118
unset interface wireless0/0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set interface wireless0 wlan 0
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 0
set domain sfbay.sun.com
set hostname net130-juniper
set dbuf size 4096
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host schedule 06:28
set dns proxy
set dns proxy enable
set dns server-select domain sfbay.sun.com outgoing-interface bgroup0
primary-server 129.145.155.220 secondary-server 129.145.154.118
tertiary-server 129.147.9.5 failover
set address "Trust" "nomad-net" 10.6.129.0 255.255.255.0
set ippool "Remote-VPN-pool" 50.50.131.10 50.50.131.254
set user "kent" uid 8
set user "kent" type xauth
set user "kent" remote dns1 "129.145.155.220"
set user "kent" remote dns2 "129.145.155.226"
set user "kent" password "VZvnuDPKNX2t3isDHSCYNN0tkJn3cca3yw=="
unset user "kent" type auth
set user "kent" "enable"
set user "localsrs" uid 7
set user "localsrs" ike-id u-fqdn "locala...@vpn" share-limit 1
set user "localsrs" type ike
set user "localsrs" "enable"
set user-group "localgroup" id 4
set user-group "localgroup" user "kent"
set user-group "localgroup" user "localsrs"
set ike gateway "Gateway for Any" address 172.16.16.2 Aggr local-id "vpn1"
outgoing-interface "ethernet0/0" preshare
"gmSV9W67NkeEoqszsMCSYIqGO5nLxMfyQw==" sec-level standard
set ike gateway "Gateway for Any_0" address 0.0.0.0 id "sunray1" Aggr
outgoing-interface "ethernet0/0" preshare
"4MgWnzblN19K/vs1faC2s0PzeOn3cobNsA==" sec-level standard
set ike gateway "Gateway for Any_0" nat-traversal udp-checksum
set ike gateway "Gateway for Any_0" nat-traversal keepalive-frequency 5
set ike gateway "sunrays" dialup "localgroup" Aggr outgoing-interface
"ethernet0/0" preshare "Ntmd6HFfNtuWybsY0JCX+OuG/enTRRdXDA==" proposal
"pre-g2-3des-sha" "pre-g2-aes128-sha"
unset ike gateway "sunrays" nat-traversal udp-checksum
set ike gateway "sunrays" nat-traversal keepalive-frequency 5
set ike gateway "sunrays" xauth server "nomad-70"
unset ike gateway "sunrays" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "Remote-VPN-pool"
set xauth default dns1 129.145.155.220
set xauth default auth server "nomad-70"
set vpn "VPN for Any" gateway "Gateway for Any" replay tunnel idletime 0
sec-level standard
set vpn "VPN for Any" id 0x1 bind interface tunnel.1
set vpn "VPN for Any_0" gateway "Gateway for Any_0" replay tunnel idletime 0
sec-level standard
set vpn "VPN for Any_0" id 0x3 bind interface tunnel.1
set vpn "sunray-vpn" gateway "sunrays" replay tunnel idletime 0 proposal
"nopfs-esp-aes128-sha" "nopfs-esp-3des-md5"
set vpn "sunray-vpn" monitor
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set vpn-group id 1
set l2tp "L2TP-tunnel" id 2 outgoing-interface ethernet0/0 keepalive 60
set url protocol websense
exit
set policy id 4 name "VPNsunray" from "Untrust" to "Trust" "Dial-Up VPN IPv4"
"Any-IPv4" "ANY" tunnel vpn "sunray-vpn" id 0x4 pair-policy 5 log
set policy id 4
exit
set policy id 3 from "Untrust" to "Trust" "Any-IPv4" "Any-IPv4" "ANY" permit
log
set policy id 3
exit
set policy id 5 name "VPNsunray" from "Trust" to "Untrust" "Any-IPv4"
"Dial-Up VPN IPv4" "ANY" tunnel vpn "sunray-vpn" id 0x4 pair-policy 4 log
set policy id 5
exit
set policy id 2 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" permit
log
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set wlan 0 channel auto
set wlan 1 channel auto
set ssid name juniper
set ssid juniper authentication wpa-psk passphrase
og6NfdGTN6u18LsUROCJVPxL4+nWxNt1uQ== encryption auto
set ssid juniper interface wireless0
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 50.50.130.0/24 interface ethernet0/0 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit