Connecting to SSG5 (ipsec tunnel) using any FOSS solution

Boris shtrasman borissh1983 at gmail.com
Mon Mar 21 10:11:03 IST 2011


Hi,

I'm behind NAT (and a different exit point each time), and need to connect to
a lab with a Juniper SSG5 gateway.
The solution I'm asking for is a FOSS solution (one that can be downloaded
from the Debian/CentOS repos).

Followed
http://www.bluetrait.com/archive/2006/09/27/racoon-to-netscreen-vpn-dialup/ and
http://www.linuxpoweruser.com/?p=53 but without any success (stuck on phase
1).

racoon conf:

<start>

#
# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and also read setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";


# Remote host (phase 1 / IKE settings for the SSG5 peer)
remote SSG5_PUBLIC_IP
{
    exchange_mode aggressive;

    my_identifier user_fqdn "IKE_User"; # taken from IKE_USER field

    lifetime time 28800 sec;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous
{
    pfs_group modp1024;
    lifetime time 3600 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}


<end>

my ipsec-tools (setkey) file:
In the lab the IPs are 192.168.1.X; on my NAT they are 192.168.0.X.
MY_PUBLICIP is an IPv4 received from the ISP.
LABIP is a static IPv4.

<begin>

#!/usr/sbin/setkey -vvf

flush;
spdflush;

# outbound: traffic from me to the lab subnet goes through the ESP tunnel
spdadd MY_PUBLICIP 192.168.1.0/24 any
    -P out ipsec esp/tunnel/MY_PUBLICIP-LABIP/require;

# inbound: traffic from the lab subnet to me must arrive through the tunnel
spdadd 192.168.1.0/24 MY_PUBLICIP any
    -P in ipsec esp/tunnel/LABIP-MY_PUBLICIP/require;

<end>

I have an SPD file (just hton the address to get the IP values from a
dword) used by NetScreen-Remote.
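As an added illustration (not part of the original post or of the racoon/ipsec-tools projects), the following Python script cross-checks a racoon.conf `remote` block against the setkey SPD policies it is supposed to serve, the kind of sanity check worth running before reading phase-1 debug output. The embedded configuration text is a constructed copy of the two snippets above with the same placeholders (SSG5_PUBLIC_IP, LABIP, MY_PUBLICIP); `check_consistency` and the regular expressions are my own helpers, and the `behind_nat` flag is an assumption supplied by the caller. The checks it performs are: the tunnel endpoint named in each SPD policy must be the same peer racoon negotiates with (otherwise the SA racoon installs never matches the policy), the policy level should be `require`, `nat_traversal` should be enabled when the host sits behind NAT (racoon defaults it to off), and aggressive mode with a pre-shared key is flagged because the identity is sent in the clear and the PSK is exposed to offline guessing, so it needs to be long and random.

```python
"""Cross-check a racoon.conf 'remote' block against setkey SPD tunnel policies.

Added example, not from the original post. The configuration strings below are
constructed copies of the post's snippets with the same placeholders.
"""
import re

# Constructed sample: racoon.conf remote block as posted.
RACOON_CONF = """
path pre_shared_key "/etc/racoon/psk.txt";
remote SSG5_PUBLIC_IP
{
    exchange_mode aggressive;
    my_identifier user_fqdn "IKE_User";
    lifetime time 28800 sec;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
"""

# Constructed sample: setkey policies as posted.
SETKEY_CONF = """
flush;
spdflush;
spdadd MY_PUBLICIP 192.168.1.0/24 any
    -P out ipsec esp/tunnel/MY_PUBLICIP-LABIP/require;
spdadd 192.168.1.0/24 MY_PUBLICIP any
    -P in ipsec esp/tunnel/LABIP-MY_PUBLICIP/require;
"""

# 'remote <peer> { ... }' where the closing brace of the block starts a line.
REMOTE_RE = re.compile(r"remote\s+(\S+)\s*\{(.*?)\n\}", re.S)
# 'spdadd src dst proto -P dir ipsec esp/tunnel/A-B/level;' (may span lines).
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-/]+)-([^/]+)/(\w+)\s*;", re.S)


def parse_racoon(text):
    """Return (peer, options) for the first remote block; nested proposal
    settings are flattened into the same dict."""
    m = REMOTE_RE.search(text)
    if not m:
        raise ValueError("no remote block found")
    peer, body = m.group(1), m.group(2)
    opts = {}
    for key, val in re.findall(r"^\s*(\w+)\s+([^;{]+);", body, re.M):
        opts[key] = val.strip()
    return peer, opts


def parse_spd(text):
    """Return one dict per spdadd tunnel policy."""
    return [dict(src=s, dst=d, proto=p, direction=dirn,
                 tunnel_src=ts, tunnel_dst=td, level=lvl)
            for s, d, p, dirn, ts, td, lvl in SPD_RE.findall(text)]


def check_consistency(racoon_text, setkey_text, behind_nat=True):
    """Return a list of findings; an empty list means nothing was flagged."""
    peer, opts = parse_racoon(racoon_text)
    findings = []
    for pol in parse_spd(setkey_text):
        # The far end of the tunnel is the dst for 'out' and the src for 'in'.
        far_end = pol["tunnel_dst"] if pol["direction"] == "out" else pol["tunnel_src"]
        if far_end != peer:
            findings.append(f"{pol['direction']} policy tunnels to {far_end} but racoon "
                            f"negotiates with {peer}; the SA will not match the policy")
        if pol["level"] != "require":
            findings.append(f"{pol['direction']} policy level is {pol['level']}, not require")
    # racoon.conf(5): nat_traversal defaults to off; behind NAT it must be on/force.
    if behind_nat and opts.get("nat_traversal", "off") not in ("on", "force"):
        findings.append("host is behind NAT but nat_traversal is not enabled")
    if opts.get("exchange_mode") == "aggressive" and \
            opts.get("authentication_method") == "pre_shared_key":
        findings.append("aggressive mode with PSK: identity sent in the clear and PSK "
                        "exposed to offline guessing; use a long random PSK")
    return findings


if __name__ == "__main__":
    for line in check_consistency(RACOON_CONF, SETKEY_CONF):
        print("-", line)
```

Run against the posted snippets it reports that both policies name LABIP as the tunnel endpoint while racoon negotiates with SSG5_PUBLIC_IP (harmless only if those two placeholders are the same address), that `nat_traversal` is missing, and the aggressive-mode caveat; substituting real addresses for the placeholders works unchanged.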