From: Robert Cole (robert_at_support4linux.com)
Date: Tue Aug 20 2002 - 08:11:05 CEST
Thanks for the tips! I was just about to start work on this config.
Robert
On Monday 19 August 2002 04:53 am, eneal_at_bnbtv.com wrote:
> Hello,
>
> I just wanted to report my success with the netscreen 5xp, screen os version
> 3.0.1 (I think). Setup is freeswan-1.98b with latest alg patches from my
> man juanos's site on a 2.4.18 kernel with ebtables
> firewall/bridging patches applied alongside current netfilter patches.
>
> Anyways,
>
> here is my config..
>
> Freeswan
>
> conn me-netscreen2
> left=x.x.x.x/x
> leftsubnet=x.x.x.x/x
> leftnexthop=x.x.x.x/x
> leftid=x.x.x.x/x
> rightsubnet=x.x.x.x/x
> pfs=yes
> auth=esp
> authby=secret
> esp=3des-sha-96
> keyingtries=1
> auto=start
> ike=3des-sha-96
> pfsgroup=modp1536
> #rightupdown=/usr/local/lib/ipsec/custom_updown
>
> on the netscreen
>
> using a custom ph1 and ph2 proposal, 3des, sha1, dh group5 with pfs and
> preshared keys.
>
> I tried using aes but it didn't work for some reason. The logs kept saying
> something about there being a possible preshared key mismatch. Hmph.. I
> will have to do some more testing.
>
> The part where I had the most trouble and didn't realize it till late was
> this. The netscreen has this cool feature where you can create address
> groups, both trusted and untrusted. The network the netscreen is
> firewalling for automatically becomes a Trusted address named "Inside
> Any". However, it assigns a route of 0.0.0.0 for inside any. Don't use
> this. Make sure you define a Trusted address for your subnet other than
> the "Inside Any". Then create your policy that permits tunneling using the
> subnet you defined and the subnet of the freeswan host.
>
> I hope that helps someone. I did a lot of searching to get this to work.
>
> Also, if anyone wants to know how to get a bridging/firewall/vpn up and
> going, I can probably lend a hand. I have finally succeeded in getting a
> setup like that working for a client.
>
>
> Errol Neal
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
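The two things the quoted post has to get right by hand are the algorithm agreement between the FreeS/WAN conn and the NetScreen's custom Phase 1/Phase 2 proposals, and the address-book entry the tunnel policy is built on (a policy on "Inside Any" carries 0.0.0.0 and will not match the FreeS/WAN subnet). The script below is an added example, not code from the FreeS/WAN project or from either poster: it parses a conn section like the one above, compares it with a small constructed dict standing in for the values read off the NetScreen's proposal and address-book screens (that dict layout is an assumption, not a NetScreen export format), and reports every mismatch it can see, including a 0.0.0.0/0 address on either side. The sample addresses replacing the poster's x.x.x.x placeholders are constructed.

```python
import ipaddress
import re

# Constructed sample: the poster's conn section with its x.x.x.x placeholders
# replaced by made-up RFC 5737 / RFC 1918 addresses so that it parses.
SAMPLE_CONN = """\
conn me-netscreen2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftnexthop=192.0.2.254
    leftid=192.0.2.1
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    pfs=yes
    auth=esp
    authby=secret
    esp=3des-sha-96
    keyingtries=1
    auto=start
    ike=3des-sha-96
    pfsgroup=modp1536
    #rightupdown=/usr/local/lib/ipsec/custom_updown
"""

# Constructed NetScreen-side values (assumed layout): what you would read off
# its custom Phase 1 / Phase 2 proposals and the two address-book entries the
# tunnel policy references. Matches "3des, sha1, dh group5 with pfs".
NETSCREEN_PROPOSAL = {
    "p1_encrypt": "3des", "p1_hash": "sha1", "p1_group": 5,
    "p2_encrypt": "3des", "p2_hash": "sha1", "p2_group": 5, "pfs": True,
    "trusted_address": "10.2.0.0/16",     # the NetScreen's own LAN
    "untrusted_address": "10.1.0.0/16",   # the FreeS/WAN host's subnet
}

# FreeS/WAN pfsgroup names -> IKE DH group numbers as shown on the NetScreen
DH_GROUP_BY_NAME = {"modp1024": 2, "modp1536": 5}


def parse_conn(text):
    """Parse one ipsec.conf 'conn' section into (name, {key: value}).
    Comment lines are skipped, as FreeS/WAN itself ignores them."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    m = re.match(r"conn\s+(\S+)$", lines[0])
    if not m:
        raise ValueError("expected a 'conn <name>' header line")
    params = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {ln!r}")
        params[key.strip()] = value.strip()
    return m.group(1), params


def parse_alg(spec):
    """Split a FreeS/WAN algorithm string such as '3des-sha-96' into
    (encryption, hash); 'sha' is what the NetScreen screens call 'sha1'."""
    parts = spec.lower().split("-")
    enc = parts[0]
    hsh = parts[1] if len(parts) > 1 else ""
    if hsh == "sha":
        hsh = "sha1"
    return enc, hsh


def check_against_peer(params, peer):
    """Return a list of mismatches between the conn and the peer's proposal.
    An empty list means the two sides agree on everything this check covers."""
    problems = []
    ike_enc, ike_hash = parse_alg(params.get("ike", ""))
    if (ike_enc, ike_hash) != (peer["p1_encrypt"], peer["p1_hash"]):
        problems.append(f"phase 1: ike={params.get('ike')} vs peer "
                        f"{peer['p1_encrypt']}/{peer['p1_hash']}")
    esp_enc, esp_hash = parse_alg(params.get("esp", ""))
    if (esp_enc, esp_hash) != (peer["p2_encrypt"], peer["p2_hash"]):
        problems.append(f"phase 2: esp={params.get('esp')} vs peer "
                        f"{peer['p2_encrypt']}/{peer['p2_hash']}")
    # FreeS/WAN defaults pfs to yes; the NetScreen proposal must enable it too
    want_pfs = params.get("pfs", "yes") == "yes"
    if want_pfs != peer["pfs"]:
        problems.append(f"pfs={'yes' if want_pfs else 'no'} but peer pfs={peer['pfs']}")
    if want_pfs:
        group = DH_GROUP_BY_NAME.get(params.get("pfsgroup", ""))
        if group != peer["p2_group"]:
            problems.append(f"pfsgroup={params.get('pfsgroup')} is not DH group "
                            f"{peer['p2_group']}")
    # The trap from the post: a policy built on 'Inside Any' carries 0.0.0.0
    for label in ("trusted_address", "untrusted_address"):
        net = ipaddress.ip_network(peer[label], strict=False)
        if net.prefixlen == 0:
            problems.append(f"peer {label} is {net} ('Inside Any'); "
                            "define a specific address for the subnet instead")
    # Tunnel selectors must be the same subnets on both ends
    pairs = (("rightsubnet", "trusted_address"), ("leftsubnet", "untrusted_address"))
    for ours, theirs in pairs:
        if ipaddress.ip_network(params[ours]) != ipaddress.ip_network(peer[theirs], strict=False):
            problems.append(f"{ours}={params[ours]} but peer {theirs}={peer[theirs]}")
    return problems


def run_checks(conn_text=SAMPLE_CONN, peer=NETSCREEN_PROPOSAL):
    name, params = parse_conn(conn_text)
    return name, check_against_peer(params, peer)


if __name__ == "__main__":
    name, problems = run_checks()
    print(name, "OK" if not problems else "\n".join(problems))
```

Run it against the working pair and it reports nothing; swap the trusted address for 0.0.0.0/0 or change one side's cipher and the mismatch is named before any key exchange is attempted, which is cheaper than reading IKE negotiation logs that only say the proposal or the secret did not match.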
This archive was generated by hypermail 2.1.4 : Wed Aug 21 2002 - 12:20:10 CEST