[j-nsp] L2TP-over-IPSec on Netscreen 5GT

Leonardo Souza nomeiodabalada at yahoo.com.br
Fri Sep 14 14:21:34 EDT 2007


Hello there.
   
  I am trying to configure an L2TP-over-IPSec tunnel on a Netscreen 5GT, but I am facing some problems.
  I did all the configuration according to the Juniper site, and both IPSec phase 1 and phase 2 complete successfully.
  The logs from Netscreen Remote look fine as well.
  After I set up and start an L2TP connection on Windows 2000, I see PPP authentication failures in the Netscreen logs, and the connection is torn down right after that.
  I have already set the ProhibitIpSec registry value to 1 on Windows 2000.
  Which username should I use for the L2TP connection?
   
  Any insight will be appreciated.
   
  Below is the sanitized configuration:
   
  set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "CustomPPTP" protocol 47 src-port 2048-2048 dst-port 2048-2048 
set service "CustomPPTP" + tcp src-port 0-65535 dst-port 1723-1723
set service "SSH-CUSTOM" protocol tcp src-port 0-65535 dst-port 2222-2222
set service "SSH-CUSTOM" + udp src-port 0-65535 dst-port 2222-2222 
set service "CUSTOM-RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "WEB-8080" protocol tcp src-port 0-65535 dst-port 8080-8080
set service "WEB-8080" + udp src-port 0-65535 dst-port 8080-8080 
set auth default auth server "Local" 
set auth radius accounting port 1646
set vip multi-port
set zone "Trust" vrouter "trust-vr" 
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst 
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death 
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death 
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust" 
unset interface vlan1 ip
set interface trust ip a.a.a.a/24
set interface trust nat
set interface untrust ip b.b.b.b/26
set interface untrust route 
set interface untrust bandwidth 400
set interface untrust mtu 1500
set interface untrust proxy dns
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable 
set interface untrust ip manageable
set interface untrust manage telnet
set interface untrust manage web
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set hostname ns5gt
set dbuf size 64
set dns proxy
set dns proxy enable
set address "Trust" "LAN" a.a.a.1 255.255.255.0
set ippool "ip_pool" 10.10.10.1 10.10.10.20
set user "users" uid 4
set user "users" ike-id u-fqdn " x at x.com" share-limit 1
set user "users" type  auth ike l2tp
set user "users" remote ippool "ip_pool"
set user "users" password "pass" 
set user "users" "enable"
set user "suporte_users" uid 3
set user "suporte_users" ike-id u-fqdn "z at z.com" share-limit 1 
set user "suporte_users" type  auth ike
set user "suporte_users" password "pass"
set user "suporte_users" "enable"
set user-group "group" id 1 
set user-group "group" user "users"
set ike gateway "suporte_gw" dialup "group" Aggr outgoing-interface "untrust" preshare "share" proposal "pre-g2-3des-md5" 
unset ike gateway "suporte_gw" nat-traversal
set ike respond-bad-spi 1
set xauth default ippool "ip_pool"
set xauth default dns1 4.4.4.2
set vpn "vpn_suporte" gateway "suporte_gw" no-replay transport idletime 0 proposal "nopfs-esp-3des-md5" 
set l2tp default dns1 d.d.d.d
set l2tp default dns2 e.e.e.e
set l2tp default ippool "ip_pool"
set l2tp default ppp-auth chap 
set l2tp "tunel" id 1 outgoing-interface untrust keepalive 60
set l2tp "tunel" remote-setting ippool "ip_pool"
set l2tp "tunel" auth server "Local"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set url protocol sc-cpa
exit
set policy id 19 name "dialup-vpn" from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "vpn_suporte" id 2 l2tp "tunel" log 
set policy id 19
exit
set policy id 2 name "LAN-LAB" from "Trust" to "Untrust"  "LAN" "Any" "ANY" permit log traffic gbw 0 priority 7 mbw 350
set policy id 2 
set log session-init
exit
set policy id 14 name "PoolDHCP" from "Trust" to "Untrust"  "Pool-DHCP" "Any" "ANY" permit log traffic gbw 300 priority 7 mbw 300 
set policy id 14
set log session-init
exit
set global-pro policy-manager primary outgoing-interface untrust 
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set config lock timeout 5
set dl-buf size 7340032
set modem speed 115200
set modem retry 3
set modem interval 10 
set modem idle-time 10
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route  0.0.0.0/0 interface untrust gateway f.f.f.f preference 20 permanent
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"



