Netgate Discussion Forum
    IPSEC with a Juniper appliance on the other end

    10 Posts 4 Posters 5.7k Views
querdenker

      Hi there!

In short: We need to establish an IPsec tunnel to another company. On their side is a Juniper Netscreen (don't ask which model exactly, I just do not know).

The setup is as follows:

our LAN            WAN                                  their GW     their LAN
192.168.210.0/24 <> a.b.c.213/29 : GW a.b.c.209  <->  e.f.g.194 <> o.p.q.r/24

When I try to open the tunnel, the second phase fails with a timeout every time.
After some tries, building the same configuration with two pfSense boxes (which works as expected) and parsing the logs, I called them:
They need their LAN IP as the incoming identifier from our side to establish the tunnel. They also told me that this is typical for the Juniper Netscreen.

Of course we could get a ready-configured Cisco from them, which will do the work. But that is an option we try to avoid, as this Cisco would become a remote-controlled device in our net.

So if anyone has any ideas how to get this done with a pfSense, I'll try them.

      thanks in advance, marcus

hoba

Play around with the identifier at the pfSense end. Set it to "IP address" with the LAN IP of the other end (like they told you). It usually is set to "My IP address".

querdenker

Thanks for the reply, hoba.

At the moment there is nothing I can do, as the guys at the Netscreen side are all gone on vacation. Ok, they left one on duty, but that one is engaged with other things.

So I cannot perform any more tests in the next two weeks.

By the way: Is there any kind of big picture showing how the different pfSense parts work together?

          thanks, marcus

hoba

            @querdenker:

By the way: Is there any kind of big picture showing how the different pfSense parts work together?

No, and as there will be quite some heavy backend changes under the hood for the next major version (interface rewrite, frontend/backend separation, … are planned), it doesn't make too much sense to crank one up now. However, feel free to parse the source and draw your own version  ;)

Rockyboa

Have you succeeded in your quest to connect pfSense with a Juniper Netscreen firewall?

              Martin

Phobia

                I'm also wondering if you got this working.

I am running pfSense 1.0-SNAPSHOT-09-21-06 at home and I have a Netscreen "NS50" here at the office which I'm trying to get to work with "Dynamic" IP addresses.

I had gotten it to work by configuring the Netscreen to "Static" with my home IP address as the identifier, but my home ISP has taken to changing my IP address several times a week lately, so I have to update the IP address on the firewall locally each time this changes. (I can't log in remotely as the VPN stops working.)

As I provide some remote support, this becomes a challenge every time my IP does change.

I've been playing with the "Dynamic" mode on the Netscreen. The help says:

"Dynamic IP Address: Select this option and enter the Peer ID of the Dynamic IP Address. This can be an e-mail address, a fully qualified domain name (FQDN), or an IP address."

I've tried all of the above as the Peer ID. I've of course matched the Peer ID on both sides, Netscreen and pfSense. Is this incorrect? Should each be unique?

                Anyways … I've fallen back to my static config for now as it at least works.  Dynamic ... not so much.

                I would greatly appreciate help with this one.

                -- Phob

Phobia

                  Hi again,

I can't believe it, but I seem to have the "dynamic" mode working as well between my pfSense and Netscreen.

I had to change from main mode to aggressive mode to get the dynamic configuration to work, but everything seems good now. The Peer ID that works on the pfSense is the "User FQDN", which is the same as an e-mail address (i.e. user@domain.com). This peer ID is the same on both ends of the tunnel, which is the same as my working static tunnel.

                  At any rate, I was ready to throw in the towel here… I hope it continues to work after the IP changes again! :)

                  -- Phob

hoba

Main mode doesn't work for non-static IPs. This has nothing to do with pfSense but rather with how IPsec works.

Phobia
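The reason behind hoba's statement, and behind the identifier trouble in the first post, is how an IKEv1 responder picks the pre-shared key (RFC 2409): in main mode the initiator's ID payload arrives encrypted, so the responder can only select the PSK by the packet's source address, which a dynamic peer does not have; in aggressive mode the ID is sent in the clear in the first message, so the key can be selected by identity (e.g. a User FQDN). The following simulation is an added example written for this thread, not pfSense, racoon or ScreenOS code; the peer table, addresses, identifiers and secrets are constructed, and the status strings are my own labels for where phase 1 stops.

```python
"""
Teaching model of IKEv1 phase 1 PSK selection (RFC 2409, section 5.4).
Shows why main mode needs a static peer address and why a mismatched
identifier makes a tunnel fail even when the source address is known.
Not pfSense/racoon/ScreenOS code; all peers and secrets are constructed.
"""
import hashlib
import hmac
import os

# Identifier types as the pfSense and Netscreen GUIs name them.
IPV4_ADDR = "IPV4_ADDR"   # "IP address"
FQDN = "FQDN"             # fully qualified domain name
USER_FQDN = "USER_FQDN"   # e-mail style ID, e.g. user@domain.com

# Responder's configured peers (constructed sample data).  A peer with a
# static address can be found by source IP; the dynamic peer only by its ID.
PEERS = [
    {"static_ip": "203.0.113.10", "id": (IPV4_ADDR, "203.0.113.10"),
     "psk": b"static-peer-secret"},
    {"static_ip": None, "id": (USER_FQDN, "user@domain.com"),
     "psk": b"dynamic-peer-secret"},
]


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def select_peer(exchange_mode: str, src_ip: str, clear_id=None):
    """
    Pick the responder-side peer entry before the PSK is needed.
    main mode: the ID is still encrypted, so only the source address is usable.
    aggressive mode: the ID came in message 1 in the clear, so match on it.
    """
    if exchange_mode == "main":
        return next((p for p in PEERS if p["static_ip"] == src_ip), None)
    if exchange_mode == "aggressive":
        return next((p for p in PEERS if p["id"] == clear_id), None)
    raise ValueError(f"unknown exchange mode {exchange_mode!r}")


def phase1_result(exchange_mode: str, src_ip: str, initiator_id, initiator_psk: bytes) -> str:
    """Return a label for where phase 1 stops for the given initiator."""
    ni, nr = os.urandom(16), os.urandom(16)          # the two nonces
    clear_id = initiator_id if exchange_mode == "aggressive" else None
    peer = select_peer(exchange_mode, src_ip, clear_id)
    if peer is None:
        # main mode from an unknown address, or aggressive mode with an
        # identifier the responder has no entry for
        return "no PSK for peer"
    same_key = hmac.compare_digest(skeyid_psk(initiator_psk, ni, nr),
                                   skeyid_psk(peer["psk"], ni, nr))
    if not same_key:
        return "authentication failed"   # HASH_I/HASH_R do not verify
    if initiator_id != peer["id"]:
        # main mode only: the decrypted ID must still match what the
        # responder expects for this peer (the first poster's symptom)
        return "identifier mismatch"
    return "established"


if __name__ == "__main__":
    dyn_id = (USER_FQDN, "user@domain.com")
    print("static peer, main mode:   ",
          phase1_result("main", "203.0.113.10", (IPV4_ADDR, "203.0.113.10"), b"static-peer-secret"))
    print("static peer, wrong ID:    ",
          phase1_result("main", "203.0.113.10", (FQDN, "home.example.net"), b"static-peer-secret"))
    print("dynamic peer, main mode:  ",
          phase1_result("main", "198.51.100.77", dyn_id, b"dynamic-peer-secret"))
    print("dynamic peer, aggressive: ",
          phase1_result("aggressive", "198.51.100.77", dyn_id, b"dynamic-peer-secret"))
```

The trade-off to keep in mind: because aggressive mode sends the identifier in the clear and lets the responder authenticate before the peer is known, the PSK hash is exposed to offline guessing by anyone who can observe the exchange, so a dynamic-IP tunnel in this mode should use a long, random pre-shared key.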

                      Hi,

Please don't take from my previous message that I was going to throw in the towel with pfSense! I was referring to the Netscreen if anything.  ;D

Thanks again for a truly wonderful firewall platform!

-- Phob

hoba

                        @Phobia:

                        Hi,

Please don't take from my previous message that I was going to throw in the towel with pfSense! I was referring to the Netscreen if anything.  ;D

Thanks again for a truly wonderful firewall platform!

-- Phob

No problem at all, just wanted to point out that you need that for tunnels from pfSense to anything (even another pfSense) if one end is dynamic.  ;D

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.