[vpn] Phase2 problems with Netscreen 5XP

Lisa Phifer lisa at corecom.com
Wed Nov 21 19:18:20 EST 2001


First, make sure that both your L2TP tunnel and gateway point to a
user group in which you've created users that have both IKE and L2TP
checked.  Next...

>Now on the Netscreen-Remote, the remote party is set to the IP address of my
>NT server (10.1.1.10) and I specify I'll use a Security Gateway Tunnel with
>the public IP address of the NS5XP box.

Remote party should be the untrusted IP address of NS5XP. "Connect using
Security Gateway" should be unchecked since this is transport mode IPsec.
Also be sure to select Protocol UDP, Port L2TP (1701).


>When I think everything is set up correctly, I start my web browser and point
>it to my NT server (10.1.1.10): http://10.1.1.10

Before sending any HTTP traffic, you need to create and launch a DUN entry
that specifies the username/password of an NS L2TP/IKE user and the
untrusted IP address of the NS5XP. (This is similar to what you used to
do with PPTP, but specify the NS5XP's IP and the SafeNet VPN adapter)

When DUN is launched, it will try to establish the L2TP tunnel to the
NS5XP. That will cause NS-Remote to initiate a transport mode IPsec SA
to carry L2TP. After the L2TP tunnel is up, you can send HTTP through it.
When configured and invoked correctly, you'll see something like:

Initiator = IP ADDR=66.119.27.228 (client), prot = 17 port = 0
Responder = IP ADDR=66.119.27.226 (NS5XP), prot = 17 port = 1701

instead of what you're seeing now:

Initiator = IP ADDR=66.119.27.228 (client), prot = 0 port = 0
Responder = IP ADDR=10.1.2.10 (your NT?), prot = 0 port = 0

Also, for dynamic addresses, create an IP pool.  Suggest using a separate IP
block and adding a static route to it over untrusted IF. Then specify
the IP pool in your default L2TP settings.  My advice: get L2TP/IPsec
working first by specifying a static IP in the user's L2TP Remote
Settings, then later configure an IP pool for dynamic assignment.

Lisa
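The two Phase 2 selector dumps quoted above make a handy self-check: a correct L2TP/IPsec transport-mode SA is negotiated to the NS5XP's untrusted address for UDP/1701, while the broken one is a tunnel-mode proposal (prot = 0, port = 0) aimed at the internal NT host. The script below is an added example, not code from the post or from NetScreen: it parses lines in the format shown above and reports which of those three properties are wrong. The NS5XP untrusted address 66.119.27.226 and the sample log lines are copied from the post; everything else (function names, the `check_l2tp_transport` rules) is the example's own construction.

```python
import re
from dataclasses import dataclass

# Constants from the post: L2TP listens on UDP/1701 and the responder
# should be the NS5XP's untrusted (public) interface.
L2TP_PORT = 1701
PROTO_UDP = 17
NS5XP_UNTRUSTED_IP = "66.119.27.226"

# Selector lines in the format the NS-Remote / NetScreen log prints:
#   Initiator = IP ADDR=66.119.27.228 (client), prot = 17 port = 0
LINE_RE = re.compile(
    r"^(?P<role>Initiator|Responder)\s*=\s*IP ADDR=(?P<ip>[\d.]+)"
    r"(?:\s*\([^)]*\))?,\s*prot\s*=\s*(?P<prot>\d+)\s*port\s*=\s*(?P<port>\d+)"
)

# Sample log lines, copied from the post (the "working" and "failing" cases).
GOOD_LOG = """\
Initiator = IP ADDR=66.119.27.228 (client), prot = 17 port = 0
Responder = IP ADDR=66.119.27.226 (NS5XP), prot = 17 port = 1701
"""

BAD_LOG = """\
Initiator = IP ADDR=66.119.27.228 (client), prot = 0 port = 0
Responder = IP ADDR=10.1.2.10 (your NT?), prot = 0 port = 0
"""


@dataclass
class Selector:
    role: str
    ip: str
    prot: int
    port: int


def parse_selector(line):
    """Parse one Initiator/Responder line; return None if it is not a selector."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Selector(m["role"], m["ip"], int(m["prot"]), int(m["port"]))


def parse_phase2(text):
    """Collect the Initiator and Responder selectors from a log excerpt."""
    selectors = {}
    for line in text.splitlines():
        sel = parse_selector(line)
        if sel is not None:
            selectors[sel.role] = sel
    return selectors


def check_l2tp_transport(selectors, gateway_untrusted_ip=NS5XP_UNTRUSTED_IP):
    """Return a list of findings; an empty list means the Phase 2 selectors
    look like a transport-mode SA carrying L2TP to the gateway."""
    findings = []
    init = selectors.get("Initiator")
    resp = selectors.get("Responder")
    if init is None or resp is None:
        return ["could not find both Initiator and Responder selector lines"]

    # 1. The far end of the SA must be the NS5XP untrusted address, not the
    #    internal server (symptom of 'Connect using Security Gateway' still set).
    if resp.ip != gateway_untrusted_ip:
        findings.append(
            f"Responder is {resp.ip}; expected NS5XP untrusted address "
            f"{gateway_untrusted_ip} (remote party / gateway setting is wrong)"
        )
    # 2. Both selectors must be UDP (prot 17); prot 0 means 'any', i.e. a
    #    tunnel-mode subnet proposal rather than transport mode for L2TP.
    if init.prot != PROTO_UDP or resp.prot != PROTO_UDP:
        findings.append(
            f"protocol is {init.prot}/{resp.prot}; expected UDP ({PROTO_UDP}) "
            "on both sides (select Protocol UDP on the client)"
        )
    # 3. The responder port must be L2TP (1701).
    if resp.port != L2TP_PORT:
        findings.append(
            f"Responder port is {resp.port}; expected {L2TP_PORT} (select Port L2TP)"
        )
    return findings


if __name__ == "__main__":
    for name, log in (("working", GOOD_LOG), ("failing", BAD_LOG)):
        problems = check_l2tp_transport(parse_phase2(log))
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Running it prints no findings for the working excerpt and three for the failing one (wrong responder address, protocol 0 instead of UDP, port 0 instead of 1701), which maps each symptom back to the client setting that fixes it.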


VPN is sponsored by SecurityFocus.com