Configuration Instructions for Juniper Netscreen / Juniper SSG
Lobotomo Software
June 17, 2009
Legal Disclaimer
Lobotomo Software (subsequently called "Author") reserves the right not to be responsible for the topicality, correctness, completeness or quality of the information provided. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected. All offers are not-binding and without obligation. Parts of the document or the complete publication including all offers and information might be extended, changed or partly or completely deleted by the author without separate announcement.
Referrals
The author is not responsible for any contents referred to or any links to pages of the World Wide Web
in this document. If any damage occurs by the use of information presented there, only the author of
the respective documents or pages might be liable, not the one who has referred or linked to these
documents or pages.
Copyright
The author intended not to use any copyrighted material for the publication or, if not possible, to
indicate the copyright of the respective object. The copyright for any material created by the author is
reserved. Any duplication or use of such diagrams, sounds or texts in other electronic or printed
publications is not permitted without the author's agreement.
Legal force of this disclaimer
This disclaimer is to be regarded as part of this document. If sections or individual formulations of this
text are not legal or correct, the content or validity of the other parts remain uninfluenced by this fact.
Table of contents
Introduction ... 1
Juniper Netscreen Setup ... 1
Adapt the MTU ... 6
Diagnosis ... 9
Start IPSec ... 9
Reachability Test ... 9
Sample Netscreen ... 9
Sample IPSecuritas Log Output ... 10
Juniper Netscreen
Introduction
This document describes the steps necessary to establish a protected VPN connection between a Mac
client and a Juniper Netscreen firewall. All information in this document is based on the following
assumed network.
[Network diagram: Roadwarrior (Dial-Up or Broadband) <-> Internet <-> Juniper Netscreen <-> Remote LAN 192.168.215.0/24]
In the main menu, open the Wizards group and click on Route-based VPN. A new window should open.
IPSecuritas Setup
This section describes the steps necessary to set up IPSecuritas to connect to Juniper Netscreen firewalls.
Start Wizard
Unless it is already running, start IPSecuritas now. Open the Connections menu and select Edit Connections (or press -E). Start the Wizard by clicking on the following symbol:
Diagnosis
Start IPSec
Press the Start button in the IPSecuritas main window. A yellow dot appears, which should turn green after a few seconds, indicating a successful connection establishment. The remote LAN should now be accessible.
Reachability Test
To test reachability of the remote host, open a Terminal window (Utilities -> Terminal) and enter the command ping, followed by the Netscreen's local IP address. If the tunnel works correctly, output similar to the following is displayed:
[MacBook:~] root# ping 192.168.215.1
PING 192.168.215.1 (192.168.215.1): 56 data bytes
64 bytes from 192.168.215.1: icmp_seq=0 ttl=64 time=13.186 ms
64 bytes from 192.168.215.1: icmp_seq=1 ttl=64 time=19.290 ms
64 bytes from 192.168.215.1: icmp_seq=2 ttl=64 time=12.823 ms
Sample Netscreen
The following is a sample log file from the Netscreen after a successful connection establishment:
Sample IPSecuritas Log Output
(Message column only; the severity and source columns of the original log table are not reproduced.)
===
initiate new phase 1 negotiation: 10.0.1.2[500]<=>84.73.95.114[500]
2f2c523a0f56a65a
use ID type of FQDN
sockname 10.0.1.2[500]
send packet from 10.0.1.2[500]
===
416 bytes message received from 84.73.95.114[500] to 10.0.1.2[500]
begin.
seen nptype=1(sa)
seen nptype=13(vid)
seen nptype=13(vid)
seen nptype=13(vid)
seen nptype=4(ke)
seen nptype=10(nonce)
seen nptype=5(id)
seen nptype=8(hash)
seen nptype=13(vid)
seen nptype=130(nat-d)
seen nptype=130(nat-d)
succeed.
received unknown Vendor ID
total SA len=48
seen nptype=2(prop)
succeed.
proposal #1 len=40
begin.
seen nptype=3(trns)
succeed.
transform #1 len=32
type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
encryption(3des)
type=Hash Algorithm, flag=0x8000, lorv=SHA
hash(sha1)
type=Group Description, flag=0x8000, lorv=1024-bit MODP group
hmac(modp1024)
type=Authentication Method, flag=0x8000, lorv=pre-shared key
pair 1:
0x309400: next=0x0 tnext=0x0
trns#=1, trns-id=IKE
type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
(lifetime = 1800:1800)
(lifebyte = 0:0)
enctype = 3DES-CBC:3DES-CBC
(encklen = 0:0)
hashtype = SHA:SHA
authmethod = pre-shared key:pre-shared key
hmac(modp1024)
agreed on pre-shared key auth.
hash(sha1)
NAT-D payload #0 verified
NAT detected: ME
KA list add: 10.0.1.2[4500]->84.73.95.114[4500]
couldn't find the proper pskey, try to get one by the peer's address.
the psk found.
hmac(hmac_sha1)
SKEYID computed:
hmac(hmac_sha1)
SKEYID_d computed:
hmac(hmac_sha1)
SKEYID_a computed:
hmac(hmac_sha1)
SKEYID_e computed:
encryption(3des)
hash(sha1)
len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
hmac(hmac_sha1)
hash(sha1)
encryption(3des)
IV computed:
226187ef 0572c7ae
HASH received:
HASH with:
011101f4 54495f72
hmac(hmac_sha1)
===
generate HASH_I
HASH with:
hash(sha1)
encryption(3des)
phase2 IV computed:
23ebc25d bfa1d895
HASH with:
hmac(hmac_sha1)
HASH computed:
begin encryption.
encryption(3des)
pad length = 4
encryption(3des)
with key:
23ebc25d bfa1d895
save IV for next:
f5429c27 75f5ab1a
encrypted.
Adding NON-ESP marker
IV freed
ISAKMP-SA established 10.0.1.2[4500]-84.73.95.114[4500] spi:2f2c523a0f56a65a:522a50c42af52311
Jan 21, 19:41:17
===
hash(sha1)
encryption(3des)
phase2 IV computed:
d7a494ea 6065d87f
call pfkey_send_getspi
hmac(modp1024)
hmac(modp1024)
hmac(modp1024)
hmac(modp1024)
IDci:
01000000 0a000102
IDcr:
hmac(hmac_sha1)
HASH computed:
encryption(3des)
pad length = 8
00000000 00000008
encryption(3des)
with key:
d7a494ea 6065d87f
2545b600 13799918
encrypted.
sockname 10.0.1.2[4500]
send packet from 10.0.1.2[4500]
begin decryption.
encryption(3des)
3043a52f 7c3d4355
encryption(3des)
with key:
2545b600 13799918
seen nptype=8(hash)
seen nptype=1(sa)
seen nptype=10(nonce)
seen nptype=4(ke)
seen nptype=5(id)
seen nptype=5(id)
succeed.
HASH allocated:hbuf->l=288 actual:tlen=256
HASH with:
ffffff00
hmac(hmac_sha1)
HASH computed:
begin.
seen nptype=2(prop)
succeed.
proposal #1 len=72
begin.
seen nptype=3(trns)
seen nptype=3(trns)
succeed.
transform #1 len=28
type=SA Life Type, flag=0x8000, lorv=seconds
hmac(modp1024)
transform #2 len=32
hmac(modp1024)
pair 1:
seen nptype=2(prop)
succeed.
proposal #1 len=44
begin.
seen nptype=3(trns)
succeed.
transform #1 len=32
type=SA Life Type, flag=0x8000, lorv=seconds
pair 1:
0x30a6e0: next=0x0 tnext=0x0
my single bundle:
(proto_id=ESP spisize=4 spi=06acbfb4 spi_p=00000000 encmode=UDP-Tunnel reqid=0:0)
matched
===
HASH(3) generate
HASH with:
82147b5d 21f4d877 9f
hmac(hmac_sha1)
HASH computed:
begin encryption.
encryption(3des)
pad length = 8
with key:
3043a52f 7c3d4355
1a6da42f 5a15be29
encrypted.
sockname 10.0.1.2[4500]
send packet from 10.0.1.2[4500]
82147b5d 21f4d877 9f
hmac(hmac_sha1)
encryption(3des)
hmac(hmac_sha1)
encklen=192 authklen=160
generating 640 bits of key (dupkeymat=4)
hmac(hmac_sha1)
hmac(hmac_sha1)
hmac(hmac_sha1)
encryption(3des)
hmac(hmac_sha1)
encklen=192 authklen=160
hmac(hmac_sha1)
hmac(hmac_sha1)
hmac(hmac_sha1)
call pk_sendupdate
encryption(3des)
hmac(hmac_sha1)
call pfkey_send_update_nat
Received SADB message type UPDATE, 84.73.95.114 [4500] -> 10.0.1.2 [4500]
SA change detected
encryption(3des)
hmac(hmac_sha1)
call pfkey_send_add_nat
Received SADB message type ADD, 10.0.1.2 [4500] -> 84.73.95.114 [4500]
SA change detected
Connection Netscreen is up
===
get pfkey ADD message
===
Send ping packet to 192.168.215.0/24 of connection Netscreen
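As an added example (not part of the original guide), the following Python script parses the message column of an IPSecuritas/racoon log such as the one above: it collects the negotiated Phase 1 and Phase 2 attributes, records NAT-T detection, the established ISAKMP SA and the kernel SADB events, and flags Phase 1 choices that current guidance treats as legacy (3DES, SHA-1, 1024-bit MODP). The sample log embedded in the script is constructed from lines of the kind shown above; the LEGACY table and all function names are this example's own.

```python
import re

# Constructed sample: message-column fragments in the form IPSecuritas (racoon) logs them,
# modelled on the lines shown in the guide's sample log.
SAMPLE_LOG = """\
type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
type=Hash Algorithm, flag=0x8000, lorv=SHA
type=Group Description, flag=0x8000, lorv=1024-bit MODP group
type=Authentication Method, flag=0x8000, lorv=pre-shared key
NAT detected: ME
ISAKMP-SA established 10.0.1.2[4500]-84.73.95.114[4500] spi:2f2c523a0f56a65a:522a50c42af52311
type=SA Life Type, flag=0x8000, lorv=seconds
Received SADB message type UPDATE, 84.73.95.114 [4500] -> 10.0.1.2 [4500]
Received SADB message type ADD, 10.0.1.2 [4500] -> 84.73.95.114 [4500]
Connection Netscreen is up
"""

# Phase 1 choices that were common in 2009 but are deprecated or weak under current guidance
# ("SHA" in racoon's output means SHA-1). This table is the example's own, not racoon's.
LEGACY = {
    "Encryption Algorithm": {"DES-CBC", "3DES-CBC"},
    "Hash Algorithm": {"MD5", "SHA"},
    "Group Description": {"768-bit MODP group", "1024-bit MODP group"},
}

ATTR_RE = re.compile(r"type=(?P<type>[^,]+), flag=0x[0-9a-f]+, lorv=(?P<val>.+)$")
SA_RE = re.compile(r"ISAKMP-SA established (\S+)-(\S+) spi:([0-9a-f]+):([0-9a-f]+)")
SADB_RE = re.compile(r"Received SADB message type (\w+), (\S+) \[\d+\] -> (\S+) \[\d+\]")

def parse_log(text):
    """Summarise negotiated attributes, NAT-T state, the ISAKMP SA and kernel SA events."""
    s = {"phase1": {}, "phase2": {}, "nat_t": False, "isakmp_sa": None, "sadb": [], "up": None}
    for line in (l.strip() for l in text.splitlines()):
        if m := ATTR_RE.match(line):
            # Attributes seen before the ISAKMP SA exists belong to Phase 1, later ones to Phase 2.
            s["phase2" if s["isakmp_sa"] else "phase1"][m["type"]] = m["val"]
        elif line.startswith("NAT detected:"):
            s["nat_t"] = True
        elif m := SA_RE.match(line):
            s["isakmp_sa"] = {"local": m[1], "peer": m[2], "spi_i": m[3], "spi_r": m[4]}
        elif m := SADB_RE.match(line):
            s["sadb"].append((m[1], m[2], m[3]))
        elif line.startswith("Connection ") and line.endswith(" is up"):
            s["up"] = line[len("Connection "):-len(" is up")]
    return s

def legacy_findings(summary):
    """Phase 1 attributes that current guidance treats as legacy, sorted for stable output."""
    return sorted(f"{k}: {v}" for k, v in summary["phase1"].items() if v in LEGACY.get(k, ()))
```

Run `legacy_findings(parse_log(SAMPLE_LOG))` on a real IPSecuritas log to see which of the guide's 2009-era defaults a modern peer policy should replace (AES, SHA-2, a 2048-bit or larger group).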