Welcome, Guest. Please login or register.
Did you miss your activation email?
Saturday 30 November 2024, 03:04:54 pm

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  Endian <-> Juniper IPSec VPN tunnel
0 Members and 4 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Endian <-> Juniper IPSec VPN tunnel  (Read 20625 times)
derick@replic8.co.bw
Full Member
***
Offline Offline

Posts: 13


« on: Friday 01 May 2015, 07:20:23 am »

Hi all


First post here. Before I get into the nitty-gritty, I do not consider myself to be an Endian guru by any means, so please bare with me.

We're trying to configure an Endian <-> IPSec Net-to-Net tunnel, but so far, it's just not working. From Endian (the UI I have access to), it does end up showing as "Connected" eventually, but looking at /var/log/endian/ipsec/ipsec.log though, it does not appear too happy at all.

Before I get to the technical bits and pieces, has anyone ever managed to successfully do an IPSec Endian <-> Juniper Net-to-Net tunnel? If so, can you please advise?


The technical details:

Endian version: 3.0.devel running on 2.6.32 kernel
Authentication type: PSK
IKE encryption: 3DES
IKE group type: DH group 2
IKE version: 1
IKE integrity: SHA1
IKE lifetime: 24 hours
ESP encryption: 3DES
ESP group type: DH group 2
ESP integrity: SHA1
ESP lifetime: 24 hours

As mentioned before, Endian shows this as "connected" eventually, but the connectivity just isn't there. Of the more ominous looking log entries are:

peer not responding, trying again (153/0)
received retransmit of request with ID 2354
357634, but no response to retransmit
received unknown vendor ID:
[IKE] no matching CHILD_SA config found


I've tried all combos of configs I could think of, but I've exhausted my options at this point. I'm thinking that there is either something in the Juniper side that's not quite right (which I cannot confirm as I do not have access to it), or the Endian version we have needs updating, or Endian <-> Juniper IPSec Net-to-Net tunneling is simply not possible.

If there's anyone out there that can perhaps offer any advice, I'd appreciate it.


Thanks in advance.
Logged
derick@replic8.co.bw
Full Member
***
Offline Offline

Posts: 13


« Reply #1 on: Monday 04 May 2015, 10:10:08 pm »

Hi all


Glad to say that this has been resolved. In short, the Juniper side was specified with ESP having "noPFS".

With Endian, at least version 3.0.devel, it used IPSec version 5.1.1. Since IPSec version 5.0.0 and up, it's impossible to disable PFS. The Juniper side was altered and had PFS enabled, resolving the issue Smiley
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.055 seconds with 17 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com