Author Topic: Config of VPN Through Juniper Netscreen 5GT? GRE packet  (Read 14943 times)

anco

Config of VPN Through Juniper Netscreen 5GT? GRE packet
« on: July 14, 2006, 03:17:43 am »
Hello,

I've been trying to configure a Juniper Netscreen 5GT to pass PPTP traffic to a VPN I set up on Win 2003 SBS. I can connect, and get prompted for a L/P, but then it just hangs. The event log shows an error (Event ID 20209) indicating that GRE packets were unable to pass through the firewall. I found a way to create a custom service for GRE passthru, but this still did not resolve the issue.
The problem is that I cannot create a VIP on my untrust interface, because GRE passthru has multiple ports and I can't select a specific virtual port.

Has anyone successfully set up a PPTP-based VPN through a Netscreen 5GT?

Thanks!


MaxPipeline

Re: Config of VPN Through Juniper Netscreen 5GT? GRE packet
« Reply #1 on: August 04, 2006, 01:52:34 pm »
Yes this can work with VIP.  But you have to enable vip multiport.

set vip multi

Then reset the box.  Then create a custom service to allow TCP port 1723 and also IP protocol 47 with port 2048.  Then reference this service in the VIP.  Then ensure your policy references the VIP.
Help us help you.

Have you looked at the documentation?
http://www.juniper.net/techpubs/

Have you checked the Juniper Knowledgebase?
http://kb.juniper.net

bluelinenetworks

Re: Config of VPN Through Juniper Netscreen 5GT? GRE packet
« Reply #2 on: May 01, 2008, 11:19:00 pm »
What ScreenOS?  After 5.2 (I think) you have to enable IPSec and GRE through as they aren't both included in the service together.

There is a good KB on this, but I forget the number :/
Travis
------------
JNCIA-FW/VPN

mmarsian

Re: Config of VPN Through Juniper Netscreen 5GT? GRE packet
« Reply #3 on: August 27, 2008, 01:51:49 am »
Hi All,

Has anybody finally got it working? I'm currently trying this with NS5GT ScreenOS 5.4.0r3a.0 but I had no luck up to now. I have created all services and policies that are required and of course vip multiport is on.

Any help?

TIA,
Gunnar.

screenie.

Re: Config of VPN Through Juniper Netscreen 5GT? GRE packet
« Reply #4 on: August 27, 2008, 06:11:29 am »
Can you drop a debug output?
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI

mmarsian

Re: Config of VPN Through Juniper Netscreen 5GT? GRE packet
« Reply #5 on: August 28, 2008, 07:42:43 am »
Thanks very much for the reply. Can you tell me what debug commands I should use?

TIA,
Gunnar.

screenie.

Re: Config of VPN Through Juniper Netscreen 5GT? GRE packet
« Reply #6 on: August 28, 2008, 02:25:11 pm »
OK

set ff dst-ip <destination ip>
clear db
debug flow basic
generate traffic (try vpn)
get db stream

would do it.....
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI
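
A capture-side check for the symptom in this thread (login prompt, then a hang), added here as an example and not posted by any participant: it classifies raw IPv4 packets as PPTP control (TCP 1723) or PPTP data (IP protocol 47, enhanced GRE per RFC 2637) and reports which channel is missing. It goes beyond the thread by assuming packets captured on the VPN server side; the function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

PPTP_TCP_PORT = 1723           # PPTP control channel (TCP), as named in reply #1
PROTO_TCP, PROTO_GRE = 6, 47   # IP protocol numbers; 47 is GRE
GRE_PPP = 0x880B               # protocol type carried by PPTP's enhanced GRE (RFC 2637)

def classify(packet: bytes) -> str:
    """Return 'control', 'data' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]
    if proto == PROTO_TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_TCP_PORT in (sport, dport):
            return "control"
    if proto == PROTO_GRE and len(body) >= 8:
        flags, ptype, _length, _call_id = struct.unpack("!HHHH", body[:8])
        # Enhanced GRE: version (low 3 bits) is 1 and the key bit 0x2000 is set
        if (flags & 0x0007) == 1 and (flags & 0x2000) and ptype == GRE_PPP:
            return "data"
    return "other"

def diagnose(packets) -> str:
    """Summarise which PPTP channels appear in a list of raw IPv4 packets."""
    seen = {classify(p) for p in packets}
    if "control" in seen and "data" in seen:
        return "control and data channels both seen"
    if "control" in seen:
        return "control channel only: GRE (IP protocol 47) is not arriving"
    if "data" in seen:
        return "GRE only: TCP 1723 control channel is not arriving"
    return "no PPTP traffic seen"

def ipv4(proto: int, body: bytes) -> bytes:
    """Constructed sample helper: minimal IPv4 header, checksum left at 0."""
    src, dst = socket.inet_aton("203.0.113.10"), socket.inet_aton("192.0.2.20")
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0,
                       64, proto, 0, src, dst) + body

# Constructed samples: a TCP SYN to port 1723 and one enhanced-GRE data packet.
SYN_1723 = ipv4(PROTO_TCP, struct.pack("!HHIIBBHHH", 50000, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0))
GRE_DATA = ipv4(PROTO_GRE, struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, 1, 0))

if __name__ == "__main__":
    print(diagnose([SYN_1723]))            # the symptom from the first post
    print(diagnose([SYN_1723, GRE_DATA]))  # what a working passthrough shows
```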