Hi Andreas,

Thank you for your prompt response! When I added the following item:

leftsourceip=%config

I can see that one payload [CP] is added to the message, but it seems that the Juniper SSG 550M cannot handle this CP payload and the procedure cannot be completed. Therefore I am not sure whether this issue is caused by this unset configuration item. Please help to check further, thanks again!

Best wishes,
david morris

2010/9/18 Andreas Steffen <[email protected]>

> Hi David,
>
> If you want the Juniper SSG 550M to allocate an inner IP address,
> then you must specify
>
> leftsourceip=%config
>
> in the conn FAP0 definition. As always a strongSwan log would
> help in identifying any connection setup problems.
>
> Best regards
>
> Andreas
>
>
> On 09/18/2010 08:04 AM, David Deng wrote:
>
>> Hi Martin, Hi All,
>>
>> I configured strongSwan with the following items and tried to interoperate
>> with Juniper SSG 550M, but I found no inner IP can be allocated from
>> Juniper SSG 550M and the link always indicated as "down" while the SA
>> status was "Active".
>>
>> THE CONFIGURATION of STRONGSWAN is:
>>
>> 1) IPSEC.CONF
>>
>> config setup
>>     strictcrlpolicy=no
>>     plutostart=no
>>
>> conn %default
>>     ike=3des-sha1-modp1024!
>>     esp=3des-sha1!
>>     ikelifetime=1440m
>>     keylife=24m
>>     rekeymargin=3m
>>     keyingtries=%forever
>>     reauth=no
>>     keyexchange=ikev2
>>     pfs=yes
>>     authby=secret
>>
>> conn FAP0
>>     left=172.19.2.169
>>     [email protected]
>>     leftfirewall=yes
>>     right=172.19.2.199
>>     rightsubnet=0.0.0.0/0
>>     auto=add
>>
>> 2) ipsec.secrets
>>
>> # /etc/ipsec.secrets - strongswan IPsec secrets file
>> [email protected] : PSK PBRVPN0
>>
>> IN JUNIPER SSG 550
>>
>> 1) I create one dialup user and configure the gateway and IKE with
>> authentication as PSK and IKEv2 used, and then I configure one policy for
>> it.
>> 2) configuration of Juniper SSG 550 listed as follows:
>>
>> set clock timezone 0
>> set vrouter trust-vr sharable
>> set vrouter "untrust-vr"
>> exit
>> set vrouter "trust-vr"
>> unset auto-route-export
>> exit
>> set alg appleichat enable
>> unset alg appleichat re-assembly enable
>> set alg sctp enable
>> set auth-server "Local" id 0
>> set auth-server "Local" server-name "Local"
>> set auth default auth server "Local"
>> set auth radius accounting port 1646
>> set admin name "netscreen"
>> set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
>> set admin auth web timeout 10
>> set admin auth server "Local"
>> set admin format dos
>> set zone "Trust" vrouter "trust-vr"
>> set zone "Untrust" vrouter "trust-vr"
>> set zone "DMZ" vrouter "trust-vr"
>> set zone "VLAN" vrouter "trust-vr"
>> set zone "Untrust-Tun" vrouter "trust-vr"
>> set zone "Trust" tcp-rst
>> set zone "Untrust" block
>> unset zone "Untrust" tcp-rst
>> set zone "MGT" block
>> set zone "DMZ" tcp-rst
>> set zone "VLAN" block
>> unset zone "VLAN" tcp-rst
>> set zone "Untrust" screen tear-drop
>> set zone "Untrust" screen syn-flood
>> set zone "Untrust" screen ping-death
>> set zone "Untrust" screen ip-filter-src
>> set zone "Untrust" screen land
>> set zone "V1-Untrust" screen tear-drop
>> set zone "V1-Untrust" screen syn-flood
>> set zone "V1-Untrust" screen ping-death
>> set zone "V1-Untrust" screen ip-filter-src
>> set zone "V1-Untrust" screen land
>> set interface "ethernet0/0" zone "Trust"
>> set interface "ethernet0/1" zone "Trust"
>> set interface "ethernet0/2" zone "Untrust"
>> set interface "ethernet0/3" zone "Trust"
>> set interface "tunnel.1" zone "Trust"
>> set interface ethernet0/0 ip 192.168.1.1/24
>> set interface ethernet0/0 route
>> unset interface vlan1 ip
>> set interface ethernet0/1 ip 192.168.52.253/24
>> set interface ethernet0/1 nat
>> set interface ethernet0/2 ip 172.19.2.199/24
>> set interface ethernet0/2 route
>> set interface ethernet0/3 ip 192.168.54.253/24
>> set interface ethernet0/3 nat
>> set interface tunnel.1 ip unnumbered interface ethernet0/2
>> set interface ethernet0/2 bandwidth egress mbw 5000 ingress mbw 5000
>> set interface tunnel.1 mtu 1500
>> set interface "ethernet0/1" pmtu ipv4
>> unset interface vlan1 bypass-others-ipsec
>> unset interface vlan1 bypass-non-ip
>> set interface ethernet0/0 ip manageable
>> set interface ethernet0/1 ip manageable
>> set interface ethernet0/2 ip manageable
>> set interface ethernet0/3 ip manageable
>> set interface ethernet0/1 manage ident-reset
>> set interface ethernet0/2 manage ping
>> set interface ethernet0/2 manage snmp
>> set interface ethernet0/2 manage ssl
>> set interface ethernet0/2 manage web
>> unset interface ethernet0/3 manage ssh
>> unset interface ethernet0/3 manage telnet
>> unset interface ethernet0/3 manage snmp
>> unset interface ethernet0/3 manage ssl
>> unset interface ethernet0/3 manage web
>> set interface ethernet0/0 dhcp server service
>> set interface ethernet0/0 dhcp server enable
>> set interface ethernet0/0 dhcp server option lease 1440000
>> set interface ethernet0/0 dhcp server ip 192.168.1.200 to 192.168.1.250
>> set interface ethernet0/0 dhcp server config next-server-ip
>> unset interface ethernet0/0 dhcp server config updatable
>> unset flow no-tcp-seq-check
>> set flow tcp-syn-check
>> unset flow tcp-syn-bit-check
>> set flow reverse-route clear-text prefer
>> set flow reverse-route tunnel always
>> set domain zte.com.cn
>> set pki authority default cert-status revocation-check none
>> set pki authority default scep mode "auto"
>> set pki x509 default cert-path partial
>> set pki x509 dn country-name "CN"
>> set pki x509 dn local-name "SZ"
>> set pki x509 dn org-name "JUNIPER lmt"
>> set pki x509 dn org-unit-name "OMS"
>> set pki x509 dn name "ssg550m"
>> set pki x509 dn email [email protected]
>> set pki x509 dn ip 172.19.2.199
>> set pki x509 default send-to "[email protected]"
>> set pki x509 default crl-refresh "daily"
>> set pki x509 cert-fqdn ssg550m.juniper.com.cn
>> set dns host dns1 172.19.2.189 src-interface ethernet0/2
>> set dns host dns2 0.0.0.0
>> set dns host dns3 0.0.0.0
>> set address "Trust" "10.1.0.0/16" 10.1.0.0 255.255.0.0
>> set address "Trust" "10.10.1.0/24" 10.10.1.0 255.255.255.0
>> set address "Trust" "192.168.52.0/24" 192.168.52.0 255.255.255.0
>> set address "Trust" "PBR-NB-intranet" 192.168.1.0 255.255.255.0
>> set address "Untrust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
>> set address "Untrust" "192.168.52.250/24" 192.168.52.250 255.255.255.0
>> set user "PBR-USR00" uid 4
>> set user "PBR-USR00" ike-id u-fqdn [email protected] share-limit 1
>> set user "PBR-USR00" type ike
>> set user "PBR-USR00" "enable"
>> set ike gateway ikev2 "PBR-seGW00" dialup "PBR-USR00" outgoing-interface "ethernet0/2" preshare "D2hjHzq+NQYEm8sqF4CL8G1aOznYgJ+iHQ==" proposal "pre-g2-3des-sha"
>> unset ike gateway ikev2 "PBR-seGW00" nat-traversal
>> set ike respond-bad-spi 1
>> set ike gateway ikev2 "PBR-seGW00" auth-method self preshare peer preshare
>> set ike ikev2 ike-sa-soft-lifetime 60
>> unset ike ikeid-enumeration
>> unset ike dos-protection
>> unset ipsec access-session enable
>> set ipsec access-session maximum 5000
>> set ipsec access-session upper-threshold 0
>> set ipsec access-session lower-threshold 0
>> set ipsec access-session dead-p2-sa-timeout 0
>> unset ipsec access-session log-error
>> unset ipsec access-session info-exch-connected
>> unset ipsec access-session use-error-log
>> set vpn "PBR-IKE00" gateway "PBR-seGW00" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
>> set vpn "PBR-IKE00" monitor
>> set vrouter "untrust-vr"
>> exit
>> set vrouter "trust-vr"
>> exit
>> set url protocol websense
>> exit
>> set vpn "PBR-IKE00" proxy-id local-ip 192.168.1.0/24 remote-ip 255.255.255.255/32 "ANY"
>> set policy id 1 from "Untrust" to "Trust" "Dial-Up VPN" "PBR-NB-intranet" "ANY" nat src tunnel vpn "PBR-IKE00" id 0x1 log
>> set policy id 1
>> exit
>> set policy id 2 from "Trust" to "Untrust" "PBR-NB-intranet" "Any" "ANY" permit
>> set policy id 2
>> exit
>> set nsmgmt bulkcli reboot-timeout 60
>> set ssh version v2
>> set config lock timeout 5
>> unset license-key auto-update
>> set snmp port listen 161
>> set snmp port trap 162
>> set vrouter "untrust-vr"
>> set router-id 192.168.1.9
>> exit
>> set vrouter "trust-vr"
>> set router-id 192.168.1.1
>> unset add-default-route
>> set route 172.19.2.0/24 interface tunnel.1
>> set action-group name VR2
>> exit
>> set vrouter "untrust-vr"
>> exit
>> set vrouter "trust-vr"
>> exit
>>
>> Please help me check the root cause of this issue. Thanks.
>>
>> Best Regards,
>> David.morris
>>
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
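The [CP] payload that appears once leftsourceip=%config is set is an IKEv2 Configuration Payload (RFC 7296, section 3.15): strongSwan sends a CFG_REQUEST carrying an empty INTERNAL_IP4_ADDRESS attribute in IKE_AUTH, and a gateway that supports it answers with a CFG_REPLY carrying the assigned inner address. The encoder/decoder below is an added example for reading such payloads out of a capture when debugging this kind of interop failure; it is not strongSwan code and not from the thread, the attribute numbers are the RFC registry values, and the decoder goes a little beyond the thread by rejecting payloads whose length fields do not add up.

```python
import struct
from ipaddress import IPv4Address

# IKEv2 Configuration Payload, RFC 7296 section 3.15 (payload type 47).
# strongSwan sends a CFG_REQUEST in IKE_AUTH when leftsourceip=%config is set.
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS = 1, 3

def build_cp(cfg_type, attrs, next_payload=0):
    """Generic payload header, CFG type, 3 reserved bytes, then attributes."""
    body = b""
    for attr_type, value in attrs:
        # R bit (top bit) is zero; the attribute type is the low 15 bits
        body += struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value
    header = struct.pack("!BBH", next_payload, 0, 8 + len(body))
    return header + bytes([cfg_type, 0, 0, 0]) + body

def parse_cp(data):
    """Decode a CP payload, rejecting lengths that do not add up."""
    if len(data) < 8:
        raise ValueError("CP payload shorter than its fixed header")
    _next, _flags, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("CP payload length field does not match data")
    cfg_type, attrs, off = data[4], [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        attr_type, alen = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if off + alen > length:
            raise ValueError("attribute value runs past payload end")
        attrs.append((attr_type & 0x7FFF, data[off:off + alen]))
        off += alen
    return cfg_type, attrs

def request_ip4():
    """The CFG_REQUEST an initiator sends: empty INTERNAL_IP4_ADDRESS means 'assign me one'."""
    return build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b"")])

def assigned_ip4(reply):
    """Inner IPv4 address from a CFG_REPLY, or None if the gateway gave none."""
    cfg_type, attrs = parse_cp(reply)
    if cfg_type != CFG_REPLY:
        return None
    for attr_type, value in attrs:
        if attr_type == INTERNAL_IP4_ADDRESS and len(value) == 4:
            return str(IPv4Address(value))
    return None
```

request_ip4() yields the 12-byte request strongSwan's [CP] corresponds to; a constructed reply such as build_cp(CFG_REPLY, [(INTERNAL_IP4_ADDRESS, IPv4Address("10.1.0.5").packed)]) decodes with assigned_ip4() to "10.1.0.5".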
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
