Hi David,

If you want the Juniper SSG 550M to allocate an inner IP address, then you must specify
leftsourceip=%config in the conn FAP0 definition. As always, a strongSwan log would help in
identifying any connection setup problems.

Best regards

Andreas

On 09/18/2010 08:04 AM, David Deng wrote:
> Hi Martin, Hi All,
>
> I configured strongSwan with the following items and tried to interoperate
> with a Juniper SSG 550M, but I found that no inner IP could be allocated from
> the Juniper SSG 550M and the link was always indicated as "down" while the SA
> status was "Active".
>
> THE CONFIGURATION of STRONGSWAN is:
>
> 1) IPSEC.CONF
>
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>
> conn %default
>         ike=3des-sha1-modp1024!
>         esp=3des-sha1!
>         ikelifetime=1440m
>         keylife=24m
>         rekeymargin=3m
>         keyingtries=%forever
>         reauth=no
>         keyexchange=ikev2
>         pfs=yes
>         authby=secret
>
> conn FAP0
>         left=172.19.2.169
>         leftid=[email protected]
>         leftfirewall=yes
>         right=172.19.2.199
>         rightsubnet=0.0.0.0/0
>         auto=add
>
> 2) ipsec.secrets
>
> # /etc/ipsec.secrets - strongswan IPsec secrets file
> [email protected] : PSK PBRVPN0
>
> IN JUNIPER SSG 550
>
> 1) I created one dialup user and configured the gateway and IKE with
> authentication by PSK and IKEv2 in use, and then I configured one policy for it.
>
> 2) The configuration of the Juniper SSG 550 is listed as follows:
>
> set clock timezone 0
> set vrouter trust-vr sharable
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> unset auto-route-export
> exit
> set alg appleichat enable
> unset alg appleichat re-assembly enable
> set alg sctp enable
> set auth-server "Local" id 0
> set auth-server "Local" server-name "Local"
> set auth default auth server "Local"
> set auth radius accounting port 1646
> set admin name "netscreen"
> set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
> set admin auth web timeout 10
> set admin auth server "Local"
> set admin format dos
> set zone "Trust" vrouter "trust-vr"
> set zone "Untrust" vrouter "trust-vr"
> set zone "DMZ" vrouter "trust-vr"
> set zone "VLAN" vrouter "trust-vr"
> set zone "Untrust-Tun" vrouter "trust-vr"
> set zone "Trust" tcp-rst
> set zone "Untrust" block
> unset zone "Untrust" tcp-rst
> set zone "MGT" block
> set zone "DMZ" tcp-rst
> set zone "VLAN" block
> unset zone "VLAN" tcp-rst
> set zone "Untrust" screen tear-drop
> set zone "Untrust" screen syn-flood
> set zone "Untrust" screen ping-death
> set zone "Untrust" screen ip-filter-src
> set zone "Untrust" screen land
> set zone "V1-Untrust" screen tear-drop
> set zone "V1-Untrust" screen syn-flood
> set zone "V1-Untrust" screen ping-death
> set zone "V1-Untrust" screen ip-filter-src
> set zone "V1-Untrust" screen land
> set interface "ethernet0/0" zone "Trust"
> set interface "ethernet0/1" zone "Trust"
> set interface "ethernet0/2" zone "Untrust"
> set interface "ethernet0/3" zone "Trust"
> set interface "tunnel.1" zone "Trust"
> set interface ethernet0/0 ip 192.168.1.1/24
> set interface ethernet0/0 route
> unset interface vlan1 ip
> set interface ethernet0/1 ip 192.168.52.253/24
> set interface ethernet0/1 nat
> set interface ethernet0/2 ip 172.19.2.199/24
> set interface ethernet0/2 route
> set interface ethernet0/3 ip 192.168.54.253/24
> set interface ethernet0/3 nat
> set interface tunnel.1 ip unnumbered interface ethernet0/2
> set interface ethernet0/2 bandwidth egress mbw 5000 ingress mbw 5000
> set interface tunnel.1 mtu 1500
> set interface "ethernet0/1" pmtu ipv4
> unset interface vlan1 bypass-others-ipsec
> unset interface vlan1 bypass-non-ip
> set interface ethernet0/0 ip manageable
> set interface ethernet0/1 ip manageable
> set interface ethernet0/2 ip manageable
> set interface ethernet0/3 ip manageable
> set interface ethernet0/1 manage ident-reset
> set interface ethernet0/2 manage ping
> set interface ethernet0/2 manage snmp
> set interface ethernet0/2 manage ssl
> set interface ethernet0/2 manage web
> unset interface ethernet0/3 manage ssh
> unset interface ethernet0/3 manage telnet
> unset interface ethernet0/3 manage snmp
> unset interface ethernet0/3 manage ssl
> unset interface ethernet0/3 manage web
> set interface ethernet0/0 dhcp server service
> set interface ethernet0/0 dhcp server enable
> set interface ethernet0/0 dhcp server option lease 1440000
> set interface ethernet0/0 dhcp server ip 192.168.1.200 to 192.168.1.250
> set interface ethernet0/0 dhcp server config next-server-ip
> unset interface ethernet0/0 dhcp server config updatable
> unset flow no-tcp-seq-check
> set flow tcp-syn-check
> unset flow tcp-syn-bit-check
> set flow reverse-route clear-text prefer
> set flow reverse-route tunnel always
> set domain zte.com.cn
> set pki authority default cert-status revocation-check none
> set pki authority default scep mode "auto"
> set pki x509 default cert-path partial
> set pki x509 dn country-name "CN"
> set pki x509 dn local-name "SZ"
> set pki x509 dn org-name "JUNIPER lmt"
> set pki x509 dn org-unit-name "OMS"
> set pki x509 dn name "ssg550m"
> set pki x509 dn email [email protected]
> set pki x509 dn ip 172.19.2.199
> set pki x509 default send-to "[email protected]"
> set pki x509 default crl-refresh "daily"
> set pki x509 cert-fqdn ssg550m.juniper.com.cn
> set dns host dns1 172.19.2.189 src-interface ethernet0/2
> set dns host dns2 0.0.0.0
> set dns host dns3 0.0.0.0
> set address "Trust" "10.1.0.0/16" 10.1.0.0 255.255.0.0
> set address "Trust" "10.10.1.0/24" 10.10.1.0 255.255.255.0
> set address "Trust" "192.168.52.0/24" 192.168.52.0 255.255.255.0
> set address "Trust" "PBR-NB-intranet" 192.168.1.0 255.255.255.0
> set address "Untrust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
> set address "Untrust" "192.168.52.250/24" 192.168.52.250 255.255.255.0
> set user "PBR-USR00" uid 4
> set user "PBR-USR00" ike-id u-fqdn [email protected] share-limit 1
> set user "PBR-USR00" type ike
> set user "PBR-USR00" "enable"
> set ike gateway ikev2 "PBR-seGW00" dialup "PBR-USR00" outgoing-interface "ethernet0/2" preshare "D2hjHzq+NQYEm8sqF4CL8G1aOznYgJ+iHQ==" proposal "pre-g2-3des-sha"
> unset ike gateway ikev2 "PBR-seGW00" nat-traversal
> set ike respond-bad-spi 1
> set ike gateway ikev2 "PBR-seGW00" auth-method self preshare peer preshare
> set ike ikev2 ike-sa-soft-lifetime 60
> unset ike ikeid-enumeration
> unset ike dos-protection
> unset ipsec access-session enable
> set ipsec access-session maximum 5000
> set ipsec access-session upper-threshold 0
> set ipsec access-session lower-threshold 0
> set ipsec access-session dead-p2-sa-timeout 0
> unset ipsec access-session log-error
> unset ipsec access-session info-exch-connected
> unset ipsec access-session use-error-log
> set vpn "PBR-IKE00" gateway "PBR-seGW00" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
> set vpn "PBR-IKE00" monitor
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> exit
> set url protocol websense
> exit
> set vpn "PBR-IKE00" proxy-id local-ip 192.168.1.0/24 remote-ip 255.255.255.255/32 "ANY"
> set policy id 1 from "Untrust" to "Trust" "Dial-Up VPN" "PBR-NB-intranet" "ANY" nat src tunnel vpn "PBR-IKE00" id 0x1 log
> set policy id 1
> exit
> set policy id 2 from "Trust" to "Untrust" "PBR-NB-intranet" "Any" "ANY" permit
> set policy id 2
> exit
> set nsmgmt bulkcli reboot-timeout 60
> set ssh version v2
> set config lock timeout 5
> unset license-key auto-update
> set snmp port listen 161
> set snmp port trap 162
> set vrouter "untrust-vr"
> set router-id 192.168.1.9
> exit
> set vrouter "trust-vr"
> set router-id 192.168.1.1
> unset add-default-route
> set route 172.19.2.0/24 interface tunnel.1
> set action-group name VR2
> exit
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> exit
>
> Please help me check the root cause of this issue. Thanks.
>
> Best Regards,
> David.morris

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
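For reference, this is the posted ipsec.conf with the change Andreas suggests applied, written out as an added example for this archive page; it is not part of either message in the thread. Only the leftsourceip line is new; the other settings are copied from David's configuration. The leftid value is a placeholder (assumption): it has to match the u-fqdn ike-id configured for user PBR-USR00 on the SSG, which is redacted above. The proposals are kept as posted so they continue to match the Juniper proposals "pre-g2-3des-sha" and "nopfs-esp-3des-sha"; 3DES, SHA-1 and MODP-1024 are weak by current standards and should be replaced (for example by aes256-sha256-modp2048) as soon as both ends support it.

```ini
# /etc/ipsec.conf - strongSwan IPsec configuration file
# Added example based on the configuration posted in this thread.

config setup
        strictcrlpolicy=no
        plutostart=no

conn %default
        keyexchange=ikev2
        # Kept as posted to match the SSG proposals; weak, see lead-in.
        ike=3des-sha1-modp1024!
        esp=3des-sha1!
        ikelifetime=1440m
        keylife=24m
        rekeymargin=3m
        keyingtries=%forever
        reauth=no
        pfs=yes
        authby=secret

conn FAP0
        left=172.19.2.169
        # Placeholder (assumption): must equal the u-fqdn ike-id of
        # user PBR-USR00 on the SSG 550M.
        leftid=user@example.com
        # Request an inner (virtual) IP from the gateway. charon then sends a
        # configuration request for an INTERNAL_IP4_ADDRESS in IKE_AUTH and
        # installs the address the SSG returns as the source address for
        # traffic sent into the tunnel, instead of using 172.19.2.169.
        leftsourceip=%config
        leftfirewall=yes
        right=172.19.2.199
        rightsubnet=0.0.0.0/0
        auto=add
```

After `ipsec up FAP0`, the charon log should contain an "installing new virtual IP" line with the address assigned by the SSG, and `ipsec statusall` should show that address as the local traffic selector of the FAP0 CHILD_SA instead of 172.19.2.169/32. If the SA comes up but no virtual IP is installed, the gateway answered without a configuration payload, and the dialup user or access-session settings on the SSG side are the next thing to check.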
