[j-nsp] L2TP-over-IPSec on Netscreen 5GT
Leonardo Souza
nomeiodabalada at yahoo.com.br
Fri Sep 14 14:21:34 EDT 2007
Hello there.
I am trying to configure an L2TP-over-IPSec tunnel on a NetScreen 5GT, but I am running into a problem.
I followed the configuration steps on the Juniper site, and both IPSec phase 1 and phase 2 complete successfully.
The NetScreen-Remote logs also look fine.
After I set up and start the L2TP connection on Windows 2000, the NetScreen logs show a PPP authentication failure and the connection is torn down right after that.
I have already set the ProhibitIpSec registry value to 1 on Windows 2000 (so that NetScreen-Remote, rather than the built-in Windows IPsec policy, protects the L2TP traffic).
Which username (and password) am I supposed to use for the L2TP/PPP connection — the local user name defined on the NetScreen, or something else?
Any insight will be appreciated.
Below is the sanitized configuration (addresses and secrets replaced). Note for readers: it is unrelated to the L2TP problem, but the untrust interface is still set to accept telnet and web (HTTP) management, and the VPN is defined with no-replay, aggressive-mode pre-shared key and 3DES/MD5 proposals — these are worth tightening once the tunnel works.
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "CustomPPTP" protocol 47 src-port 2048-2048 dst-port 2048-2048
set service "CustomPPTP" + tcp src-port 0-65535 dst-port 1723-1723
set service "SSH-CUSTOM" protocol tcp src-port 0-65535 dst-port 2222-2222
set service "SSH-CUSTOM" + udp src-port 0-65535 dst-port 2222-2222
set service "CUSTOM-RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "WEB-8080" protocol tcp src-port 0-65535 dst-port 8080-8080
set service "WEB-8080" + udp src-port 0-65535 dst-port 8080-8080
set auth default auth server "Local"
set auth radius accounting port 1646
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip a.a.a.a/24
set interface trust nat
set interface untrust ip b.b.b.b/26
set interface untrust route
set interface untrust bandwidth 400
set interface untrust mtu 1500
set interface untrust proxy dns
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage telnet
set interface untrust manage web
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set hostname ns5gt
set dbuf size 64
set dns proxy
set dns proxy enable
set address "Trust" "LAN" a.a.a.1 255.255.255.0
set ippool "ip_pool" 10.10.10.1 10.10.10.20
set user "users" uid 4
set user "users" ike-id u-fqdn " x at x.com" share-limit 1
set user "users" type auth ike l2tp
set user "users" remote ippool "ip_pool"
set user "users" password "pass"
set user "users" "enable"
set user "suporte_users" uid 3
set user "suporte_users" ike-id u-fqdn "z at z.com" share-limit 1
set user "suporte_users" type auth ike
set user "suporte_users" password "pass"
set user "suporte_users" "enable"
set user-group "group" id 1
set user-group "group" user "users"
set ike gateway "suporte_gw" dialup "group" Aggr outgoing-interface "untrust" preshare "share" proposal "pre-g2-3des-md5"
unset ike gateway "suporte_gw" nat-traversal
set ike respond-bad-spi 1
set xauth default ippool "ip_pool"
set xauth default dns1 4.4.4.2
set vpn "vpn_suporte" gateway "suporte_gw" no-replay transport idletime 0 proposal "nopfs-esp-3des-md5"
set l2tp default dns1 d.d.d.d
set l2tp default dns2 e.e.e.e
set l2tp default ippool "ip_pool"
set l2tp default ppp-auth chap
set l2tp "tunel" id 1 outgoing-interface untrust keepalive 60
set l2tp "tunel" remote-setting ippool "ip_pool"
set l2tp "tunel" auth server "Local"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set url protocol sc-cpa
exit
set policy id 19 name "dialup-vpn" from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel vpn "vpn_suporte" id 2 l2tp "tunel" log
set policy id 19
exit
set policy id 2 name "LAN-LAB" from "Trust" to "Untrust" "LAN" "Any" "ANY" permit log traffic gbw 0 priority 7 mbw 350
set policy id 2
set log session-init
exit
set policy id 14 name "PoolDHCP" from "Trust" to "Untrust" "Pool-DHCP" "Any" "ANY" permit log traffic gbw 300 priority 7 mbw 300
set policy id 14
set log session-init
exit
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set config lock timeout 5
set dl-buf size 7340032
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface untrust gateway f.f.f.f preference 20 permanent
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"