Author Topic: NS5GT site-to-site VPN (Free)BSD tunnel  (Read 3539 times)

alancyang

NS5GT site-to-site VPN (Free)BSD tunnel
« on: August 27, 2008, 09:54:37 am »
Hi there,

I wonder whether anyone has experience setting up an NS5GT site-to-site IPsec VPN tunnel to FreeBSD 7.0 and could shed some light on the configuration settings on both ends.

thanks in advance!

alan


mindwise

Re: NS5GT site-to-site VPN (Free)BSD tunnel
« Reply #1 on: August 30, 2008, 03:15:02 am »
The netscreen side should be easy; for the bsd side, perhaps this article sheds some light:

http://www.freebsd.org/doc/en/books/handbook/ipsec.html

I've never done it, but I think the best method is to try to get the bsd side to initiate the tunnel, as I expect the netscreen side will give better debug information.

If you get debug info (or just the report entries) we can help further.

They have an integration doc for checkpoint, which I guess will be quite like the netscreen.

Everywhere you see 'blowfish' in the doc, use 3des instead, and I think sha-1 is better used than md5, but md5 is fine too. (Use a custom proposal on the netscreens to see what proposal (algorithms) it actually uses.)

The doc for integration with CP is:
http://www.freebsd.org/doc/en/articles/checkpoint/index.html , it may contain general pointers valid for netscreen too.

Cheers

alancyang

Re: NS5GT site-to-site VPN (Free)BSD tunnel
« Reply #2 on: November 14, 2008, 08:38:38 am »
The topology:

     /------------------------------\            /-------------------------\
     |  NS5GT                       |            |  FreeBSD                |
     |  untrust = 192.168.0.101/24  |   -----    |  rl0  = 192.168.0.110/24 |
     |  trust   = 10.1.0.1/16       |            |  aue0 = 10.3.0.1/16      |
     \------------------------------/            \-------------------------/

NS5GT configuration (following the WebUI configuration):

1) set interfaces
2) set address
3) set vpn with preshared key: abc123
4) set routes
5) set policy

FreeBSD configuration:

1) create gif0 tunnel, and add route
2) setkey for SPD
3) start racoon

but I get the following error in the NS5GT syslog event log when trying to ping from the 10.3.0.0 network to the 10.1.0.0 network:

rejected an IKE packet on untrust from 192.168.0.110:500 to 192.168.0.101:500 with cookie ... because Phase 1 negotiations failed. (The preshared keys might not match.).

I believe my preshared key settings for both the NS5GT VPN config and FreeBSD racoon are the same. Attached is some relevant info used for FreeBSD, plus the racoon.log file with some debug info after a single ping packet was sent. I wonder whether anything peculiar can be spotted in racoon.log, and what the next step in debugging should be.

<psk.txt>
192.168.0.101   abc123   

<setkey.conf>
spdadd 10.3.0.0/16 10.1.0.0/16 any -P out ipsec esp/tunnel/192.168.0.110-192.168.0.101/require ;
spdadd 10.1.0.0/16 10.3.0.0/16 any -P in  ipsec esp/tunnel/192.168.0.101-192.168.0.110/require ;

<racoon.conf>
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote 192.168.0.101
{
   exchange_mode main,aggressive;
   # doi ipsec_doi;
   # situation identity_only;

   # my_identifier user_fqdn "alan@genovanetworks.com";
   # peers_identifier user_fqdn "alan@genovanetworks.com";

   # certificate_type x509 "my.cert.pem" "my.key.pem";

   nonce_size 16;
   initial_contact on;
   proposal_check strict;   # obey, strict, or claim

   proposal {
      encryption_algorithm 3des;
      hash_algorithm sha1;
      authentication_method pre_shared_key;
      dh_group 2;
   }
}
sainfo anonymous
{
   pfs_group 2;
   encryption_algorithm 3des;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}

<racoon.log>
(exceeded post character limit, removed)
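As an added example (not from this thread or from racoon itself), a small Python checker for the psk.txt side of a "preshared keys might not match" Phase 1 failure: it parses the file the way racoon's pre_shared_key lookup does under my reading of its source (first whitespace-free token is the identifier, the rest of the line is the key, so trailing blanks like those in the posted line become part of the key; a 0x prefix means hex) and flags the file-permission check racoon applies. The sample content and the `audit_psk`/`key_bytes` helpers are constructed for this example.

```python
import os
import re
import stat

# Constructed sample mirroring the posted psk.txt, including the trailing blanks.
SAMPLE_PSK = "# peer            key\n192.168.0.101   abc123   \n192.168.0.200 0xdeadbeef\n"


def parse_psk(text):
    """Return {identifier: raw key string} as racoon would read it (assumption:
    key runs from the first non-blank character after the identifier to end of line)."""
    keys = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(\S.*)$", line)
        if not m:
            continue                      # blank line or no second field: skipped
        keys[m.group(1)] = m.group(2)
    return keys


def key_bytes(raw):
    """Convert a raw key to the bytes racoon would use; None if hex is malformed."""
    if raw.startswith("0x"):
        try:
            return bytes.fromhex(raw[2:])
        except ValueError:
            return None
    return raw.encode()


def audit_psk(text, mode, peer):
    """Findings for psk.txt content `text` with file mode `mode`, looking up `peer`."""
    findings = []
    if mode & 0o077:
        findings.append("psk file is group/world accessible; racoon rejects it (chmod 600)")
    raw = parse_psk(text).get(peer)
    if raw is None:
        findings.append(f"no usable key for {peer}")
        return findings
    if raw != raw.rstrip():
        findings.append(f"key for {peer} has trailing whitespace (hidden mismatch)")
    if key_bytes(raw) is None:
        findings.append(f"key for {peer} is malformed hex")
    return findings


def audit_file(path, peer):
    """Run audit_psk over a real file, e.g. /usr/local/etc/racoon/psk.txt."""
    with open(path) as f:
        text = f.read()
    return audit_psk(text, stat.S_IMODE(os.stat(path).st_mode), peer)
```

Run `audit_file("/usr/local/etc/racoon/psk.txt", "192.168.0.101")` on the FreeBSD side; an empty list means the file passes these checks and the mismatch lies elsewhere (for example in the NS5GT's key or gateway identity).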

mwdmeyer

Re: NS5GT site-to-site VPN (Free)BSD tunnel
« Reply #3 on: November 14, 2008, 02:35:02 pm »