Wed, 27 Sep 2006 6:45 PM

Racoon to Netscreen VPN (dialup)

Michael Dale

So last night Bryn's sister's boyfriend (Josh) and I set up a VPN between our two houses. Josh is currently running Gentoo, while I'm using a Netscreen 5GT.

Background

My Place

  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
  • Local Network of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
  • External Address of 59.167.253.89

Josh's Place

  • Gentoo running Racoon (I think it was installed through the command emerge ipsec)
  • Local Network of 10.0.11.0/24 (10.0.11.0 - 10.0.11.255)
  • Dynamic IP Address (we set up a dyndns address, as the Netscreen supports pointing to a hostname)

So I'll go through the process of setting up the dial-up VPN first.

Dial-up VPN (Single PC at Josh's Place accessing my network)

Step 1)

The first step is to set up a dial-up VPN on the Netscreen. I've covered this process here (only do Setting up the Netscreen).

Step 2)

Install racoon on the Linux/BSD box (I'm not going to cover this as it is a different process for almost every distro, although most distros have some form of package management).

Step 3)

Set up racoon.conf. Now for this process we used a combination of:

So our config looks like:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";

padding
{
    maximum_length 20;    # maximum padding length.
    randomize off;        # enable randomized length.
    strict_check off;     # enable strict check.
    exclusive_tail off;   # extract last one octet.
}

# Specification of default various timers.
timer
{
    # These values can be changed per remote node.
    counter 5;            # maximum number of tries to send.
    interval 20 sec;      # maximum interval to resend.
    persend 1;            # the number of packets per send.

    # timers for waiting to complete each phase.
    phase1 30 sec;
    phase2 30 sec;
}

remote 59.167.253.89 {
    exchange_mode aggressive;
    doi ipsec_doi;
    situation identity_only;
    my_identifier fqdn "Test.User";
    peers_identifier address;
    verify_identifier off;
    lifetime time 28800 seconds;
    initial_contact on;
    passive off;
    proposal_check obey;
    support_mip6 on;
    generate_policy off;
    nonce_size 16;
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 10.0.11.15/32 any address 10.0.0.0/22 any {
    pfs_group modp1024;
    lifetime time 3600 seconds;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

listen {
    isakmp 10.0.11.15;
}

log debug2;

Things to note:

  • remote 59.167.253.89 (The ip address of the external interface on my netscreen)
  • exchange_mode aggressive (Remember we set the Netscreen Phase 1 to aggressive)
  • my_identifier fqdn "Test.User" (The IKE Identity)
  • lifetime time 28800 seconds (Phase 1 lifetime)
  • encryption_algorithm des (Phase 1 DES encryption)
  • hash_algorithm md5 (Phase 1 MD5)
  • authentication_method pre_shared_key (We're using a preshared key)
  • dh_group modp1024 (On the netscreen DH Group 2)
  • sainfo address 10.0.11.15/32 any address 10.0.0.0/22 (From Josh's Internal Linux PC ip address to my network. Remember that the dial-up vpn is just for one pc on Josh's side)
  • pfs_group modp1024 (Again DH Group 2)
  • lifetime time 3600 seconds (Phase 2 lifetime)
  • encryption_algorithm des (Phase 2 encryption)
  • authentication_algorithm hmac_md5 (Phase 2 MD5)

Step 4)

Set up ipsec.conf

So our config looks like:

#!/usr/sbin/setkey -f
#nat_traversal=yes
flush;
spdflush;

#out
spdadd 10.0.11.15/32 10.0.0.0/22 any
    -P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;

#in
spdadd 10.0.0.0/22 10.0.11.15/32 any
    -P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;

You'll just need to change the IP addresses to suit your setup.

Step 5)

Set up psk.txt.

So our config looks like:

59.167.253.89 our_preshared_key

So change the IP address to your Netscreen's external interface and change the pre-shared key to the one used when setting up the Netscreen.

Step 6)

Test. Use both ends to debug and test.
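Before testing, it helps to confirm that the three files from Steps 3 to 5 agree with each other. The checker below is an added example written for this post (not part of racoon or ScreenOS); it reads excerpts of the configs above, reports any address that does not line up between racoon.conf, ipsec.conf and psk.txt, and flags the algorithm choices that were normal in 2006 but are weak today. The function name, messages and weakness list are this example's own.

```python
import re

# Added checker for the three files this post sets up (racoon.conf, setkey ipsec.conf, psk.txt).
# Hypothetical helper written for this page, not part of racoon or ScreenOS; excerpts copied from the post.
RACOON = """
remote 59.167.253.89 {
    exchange_mode aggressive;
    proposal { encryption_algorithm des; hash_algorithm md5;
               authentication_method pre_shared_key; dh_group modp1024; }
}
sainfo address 10.0.11.15/32 any address 10.0.0.0/22 any {
    pfs_group modp1024; encryption_algorithm des; authentication_algorithm hmac_md5;
}
listen { isakmp 10.0.11.15; }
"""
SETKEY = """
spdadd 10.0.11.15/32 10.0.0.0/22 any -P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;
spdadd 10.0.0.0/22 10.0.11.15/32 any -P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;
"""
PSK = "59.167.253.89 our_preshared_key\n"

WEAK = {"des", "md5", "hmac_md5", "modp768", "modp1024"}  # single DES, MD5, DH groups 1 and 2
SPD_RE = r"spdadd\s+(\S+)\s+(\S+)\s+any\s*-P\s+(in|out)\s+ipsec\s+esp/tunnel/(\S+)-(\S+)/require;"

def check(racoon, setkey, psk):
    """Return findings; an empty list means the files agree and no weak algorithm is proposed."""
    findings = []
    racoon = re.sub(r"#.*", "", racoon)
    peer = re.search(r"remote\s+(\S+)\s*\{", racoon).group(1)         # Netscreen external address
    local = re.search(r"isakmp\s+(\S+)\s*;", racoon).group(1)         # Linux box address
    src, dst = re.search(r"sainfo\s+address\s+(\S+)\s+any\s+address\s+(\S+)\s+any", racoon).groups()
    # Every "key value;" setting in Phase 1 (proposal) and Phase 2 (sainfo) is screened.
    for key, val in re.findall(r"(\w+)\s+(\S+?)\s*;", racoon):
        if val in WEAK:
            findings.append(f"weak {key} {val}")
    if re.search(r"exchange_mode\s+aggressive", racoon):
        findings.append("aggressive mode with pre-shared key: identity and PSK hash sent before encryption")
    # psk.txt must carry a key for the Phase 1 peer, or racoon cannot authenticate.
    if not re.search(rf"^{re.escape(peer)}\s+\S+", psk, re.M):
        findings.append(f"no pre-shared key entry for {peer}")
    # Each SPD entry's selector and tunnel endpoints must mirror sainfo, listen and remote.
    spd = {d: (s, t, a, b) for s, t, d, a, b in re.findall(SPD_RE, setkey)}
    if spd.get("out") != (src, dst, local, peer):
        findings.append("outbound SPD entry does not match sainfo/listen/remote")
    if spd.get("in") != (dst, src, peer, local):
        findings.append("inbound SPD entry does not match sainfo/listen/remote")
    return findings
```

Run `check(RACOON, SETKEY, PSK)` to see the report for the post's own config; swapping in your addresses and algorithms shows whether the three files still line up.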


Comments

On Sat, 02 Dec 2006 at 6:31 AM, Anonymous wrote

How do you actually initiate the connection from the linux box? Do you use racoonctl?


On Sat, 02 Dec 2006 at 4:27 PM, Michael Dale (of michaeldale.com.au) wrote

Pinging the remote network should automatically bring up the link.

