Creating tunnels between three sites



  • Hi all,

    I’ve spent a couple of days trying to solve this and wondered if my gut feeling is correct for the solution. I’ve read as many posts as I can to find a similar solution, with no result.

    I’ve got an NS25 currently linking site A (static IP) to site B (static IP) with an NS5XT. A tunnel has been connecting these two successfully for a couple of years. I now need to provide network connectivity from site C to site A and therefore have just purchased and installed an NS5GT. I intend to use the single untrusted interface on the NS25 to connect both sites B and C.

    On the NS25 I’ve created a new IKE gateway to site C (static IP) and on the NS5GT created a new gateway. I’ve tried site A in Main mode and site C in aggr, also the other way around but I cannot see phase 1 being initiated.

    The NS25 has the following versions:
    Hardware : 4010
    Software : 4.0.0r9.0

    I’ve re-started the NS25 and can see the tunnel created between A and B but nothing seems to start between sites A and C.

    Money is an issue and upgrading is the last resort… Before I go down that avenue, is this a simple configuration issue? I haven’t included a posting of the config file but can if anyone thinks it would assist.

    Greatly appreciate any assistance before I pull all my hair out in frustration…



  • SORTED!

    Many thanks for your suggestions, I’ve just been able to kick off the users and try some of your advice.

    Tried running ‘debug ike detail’ through the serial port, but this displayed nothing.

    One of the suggestions from MaxPipeline was spot on - the problem stemmed from a failure to initiate the tunnel. It appears that after the initial phase 1 request failed due to an error with my router, it put further requests in a task queue, but never tried again.

    I decided to attempt to map a network drive on a server on site A to a server on site C. BINGO - I could immediately see an attempt to initiate in the log and the tunnel was successful. We now have a second tunnel from site A to C, now to get Site B to C working. For those who are interested, although the config info is slightly different from the example one, I can get two tunnels successfully along with dial in users.

    Many thanks for those who made suggestions - greatly appreciated.



  • Hi,

    Thanks for the reply. No, I haven’t tried NHTB binding. What is the advantage of the single tunnel interface versus two?

    Yes, if I can get it working between sites A and C I would eventually look to get B and C joined too. Is there a better way of doing this?

    Since I need to keep remote users connected (via the Netscreen client software) to Site A there are limited windows where I can try things out without upsetting too many people!



  • Have you tried using next hop tunnel binding (NHTB)? This will allow you to add multiple remote sites to one tunnel interface on the NS25. If you have any questions, just post.

    By the way, do you want site B and site C to have a tunnel between each other as well?



  • Thanks for your reply MaxPipeline.

    I presume that there are no major gaffes in the policies then? The event logs didn’t show much so I’ll try the debug and see what results that brings. Will post tomorrow.

    Thanks again.



  • Do you have event logs for both sites? This should give you a clue as to why the tunnel fails. My suggestion is to leave VPN monitoring on at one site and disable it on the other site. Then troubleshoot at the site with VPN monitoring disabled. The thinking here is you always want to troubleshoot from the side that is the responder and not the initiator. Enabling VPN monitoring will force that side to become the initiator. Then check your event log at the responder side and look for messages indicating why the VPN fails. Better still, run ‘debug ike detail’ on both sides.



  • Hi,

    I can see that the original configuration of the NS25 (outside contractor) differs from point 2 of the sticky for creating a tunnel. I thought the comments from MaxPipeline were important - no traffic initiating the tunnel, so I’ve added the VPN monitoring.

    As I mentioned previously, Site A and B are currently connected so I’m hesitant about making changes to the other tunnel settings. I thought it would be easier if I insert the config file info for site A (NS25) and C (NS5GT).

    Site A

    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set clock ntp
    set clock "timezone" 0
    set admin format dos
    set admin name "netscreen"
    set admin password xxxx
    set admin auth timeout 10
    set admin auth server "Local"
    unset log module system level emergency destination onesecure
    unset log module system level alert destination onesecure
    unset log module system level critical destination onesecure
    unset log module system level error destination onesecure
    unset log module system level warning destination onesecure
    unset log module system level notification destination onesecure
    unset log module system level information destination onesecure
    unset log module system level debugging destination onesecure
    set service "HTTP" timeout 5
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    set zone "MGT" block
    set zone "MGT" tcp-rst
    set zone Untrust screen tear-drop
    set zone Untrust screen syn-flood
    set zone Untrust screen ping-death
    set zone Untrust screen ip-filter-src
    set zone Untrust screen land
    set zone V1-Untrust screen tear-drop
    set zone V1-Untrust screen syn-flood
    set zone V1-Untrust screen ping-death
    set zone V1-Untrust screen ip-filter-src
    set zone V1-Untrust screen land
    set interface "ethernet1" zone "Trust"
    set interface "ethernet2" zone "DMZ"
    set interface "ethernet3" zone "Untrust"
    set interface vlan1 ip 192.168.1.1/24
    set interface ethernet1 ip 89.0.4.250/24
    set interface ethernet1 nat
    set interface ethernet3 ip 81.137.xx.xx/29
    set interface ethernet3 route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface vlan1 ip manageable
    set interface ethernet1 ip manageable
    set interface ethernet2 ip manageable
    set interface ethernet3 ip manageable
    set interface v1-untrust manage web
    set hostname ns25
    set address "Trust" "89.0.4.0" 89.0.4.0 255.255.255.255 "Created by vpn wizard"
    set address "Trust" "Leicester" 89.0.4.0 255.255.255.0
    set address "Trust" "web1" 89.0.4.0 255.255.255.255
    set address "Untrust" "coalville" 89.0.5.0 255.255.255.0
    set address "Untrust" "Princess Road" 89.0.6.0 255.255.255.0
    set snmp name "ns25"
    set user "user1" uid 1
    set user "user1" ike-id u-fqdn "user1@mail" share-limit 1
    set user "user1" type  ike
    set user "user1" "enable"
    set user "user2" uid 2
    set user "user2" ike-id u-fqdn "user2@mail" share-limit 1
    set user "user2" type  ike
    set user "user2" "enable"
    set user "user3" uid 3
    set user "user3" ike-id u-fqdn "user3@mail" share-limit 1
    set user "user3" type  ike
    set user "user3" "enable"
    set user "user4" uid 4
    set user "user4" ike-id u-fqdn "user4@mail" share-limit 1
    set user "user4" type  ike
    set user "user4" "enable"
    set user "user5" uid 6
    set user "user5" ike-id u-fqdn "user5@mail" share-limit 1
    set user "user5" type  ike
    set user "user5" "enable"
    set user-group "dialvpn" id 1
    set user-group "dialvpn" user "user1"
    set user-group "dialvpn" user "user2"
    set user-group "dialvpn" user "user3"
    set user-group "dialvpn" user "user4"
    set user-group "dialvpn" user "user5"
    set ike gateway "VPN1" ip 81.137.40.1 Main outgoing-interface "ethernet3" preshare xxxx proposal "pre-g2-3des-md5"
    set ike gateway "dialup" dialup "dialvpn" Main outgoing-interface "ethernet3" preshare xxxx proposal "pre-g2-3des-md5"
    unset ike gateway "dialup" nat-traversal
    set ike gateway "Gateway for Princess Road" ip 81.149.xx.xx Main outgoing-interface "ethernet3" preshare xxxx proposal "pre-g2-3des-md5"
    set ike gateway "Gateway for Princess Road" nat-traversal
    set ike gateway "Gateway for Princess Road" nat-traversal udp-checksum
    set ike gateway "Gateway for Princess Road" nat-traversal keepalive-frequency 5
    set ike policy-checking
    set ike respond-bad-spi 1
    set vpn "VPN1IKE" id 1 gateway "VPN1" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
    set vpn "dialup" id 3 gateway "dialup" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
    set vpn "Tunnel for Princess Road" id 11 gateway "Gateway for Princess Road" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
    set vpn "Tunnel for Princess Road" monitor source-interface ethernet3
    set ike id-mode subnet
    set xauth lifetime 480
    set xauth default auth server Local
    set policy id 5 from "Trust" to "Untrust"  "Leicester" "Princess Road" "ANY" Tunnel vpn "Tunnel for Princess Road" id 12 pair-policy 4
    set policy id 4 from "Untrust" to "Trust"  "Princess Road" "Leicester" "ANY" Tunnel vpn "Tunnel for Princess Road" id 12 pair-policy 5
    set policy id 3 name "dialup" from "Untrust" to "Trust"  "Dial-Up VPN" "Leicester" "ANY" Tunnel vpn "dialup" id 4 log count
    set policy id 2 name "VPN1" from "Untrust" to "Trust"  "coalville" "Leicester" "ANY" Tunnel vpn "VPN1IKE" id 2 pair-policy 1 log count
    set policy id 1 name "VPN1" from "Trust" to "Untrust"  "Leicester" "coalville" "ANY" Tunnel vpn "VPN1IKE" id 2 pair-policy 2 log count
    set policy id 0 from "Trust" to "Untrust"  "Any" "Any" "ANY" Permit log count
    set syslog config leicester2k local0 local0 debug
    unset global-pro policy-manager primary outgoing-interface
    unset global-pro policy-manager secondary outgoing-interface
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet3 gateway 81.137.xx.xx
    exit

    Site C

    set clock timezone 0
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set admin name "netscreen"
    set admin password xxxx
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 89.0.6.250/24
    set interface trust nat
    set interface untrust ip 81.149.xx.xx/32
    set interface untrust route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set flow tcp-mss 1392
    set flow all-tcp-mss 1304
    set hostname ns5gt
    set dns host dns1 194.xx.xx.xx
    set dns host dns2 62.xx.xx.xx
    set address "Trust" "Princess Road" 89.0.6.0 255.255.255.0
    set address "Untrust" "Coalville" 89.0.5.0 255.255.255.0
    set address "Untrust" "Leicester" 89.0.4.0 255.255.255.0
    set user "user1" uid 1
    set user "user1" type  ike
    set user "user1" "enable"
    set user-group "VPNDIAL" id 1
    set user-group "VPNDIAL" user "user1"
    set ike gateway "VPN1" address 81.137.xx.xx Main outgoing-interface "untrust" preshare xxxx proposal "pre-g2-3des-md5"
    set ike gateway "vpn2" address 81.137.xx.xx Aggr outgoing-interface "untrust" preshare xxxx proposal "pre-g2-3des-md5"
    set ike respond-bad-spi 1
    set vpn "VPN1IKE" gateway "VPN1" replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
    set vpn "VPN1IKE" monitor source-interface untrust destination-ip 81.149.xx.xx
    set vpn "VPN2IKE" gateway "vpn2" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 2 from "Trust" to "Untrust"  "Princess Road" "Leicester" "ANY" tunnel vpn "VPN1IKE" id 1 pair-policy 3 log
    set policy id 3 from "Untrust" to "Trust"  "Leicester" "Princess Road" "ANY" tunnel vpn "VPN1IKE" id 1 pair-policy 2 log
    set policy id 4 from "Trust" to "Untrust"  "Princess Road" "Coalville" "ANY" tunnel vpn "VPN2IKE" id 2 pair-policy 5 log
    set policy id 5 from "Untrust" to "Trust"  "Coalville" "Princess Road" "ANY" tunnel vpn "VPN2IKE" id 2 pair-policy 4 log
    set pppoe name "untrust"
    set pppoe name "untrust" username "xxx.btclick.com" password xxx
    set pppoe name "untrust" interface untrust
    set global-pro policy-manager primary outgoing-interface untrust
    set global-pro policy-manager secondary outgoing-interface untrust
    set ssh version v2
    set config lock timeout 5
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit

    Thanks again for taking a look.



  • Many thanks for the swift responses. I’ll take a look at the sticky posting before clogging up the posting with the configs.

    Thanks again.



    Take a look at the Sticky posting at the top of the VPN forum. It will walk you through step-by-step on how to set this up.



  • Yes, what you are proposing should definitely be possible. I think a sample of your configs would be helpful. A couple of things. First, you must configure both sides as main mode or aggressive mode. You cannot configure one side main and the other aggressive. They must match. Second, if in fact you do not see ANY attempt for the VPN to connect in either of the event logs then perhaps there is no traffic to initiate the tunnel. Or you can configure VPN monitoring to automatically connect every time. In any case, a config dump on both sides would be useful. In particular,

    get config | i ike
    get config | i vpn
    get config | i interface
    get config | i route
    get config | i policy
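As an added example, not code from the thread or from Juniper: a small Python checker that reads the `get config | i ike` / `vpn` / `policy` / `interface` excerpts from both peers and reports the two things this thread turns on, a Main/Aggr mismatch between the two sides and a VPN with neither a tunnel policy nor VPN monitoring (so nothing ever starts phase 1). The config text, names and IPs in it are constructed placeholders modelled on the posted configs, not the poster's real values.

```python
import re

# Constructed ScreenOS-style excerpts modelled on the thread; placeholder IPs, not the poster's real config.
SITE_A = """
set interface ethernet3 ip 203.0.113.10/29
set ike gateway "Gateway for Princess Road" ip 198.51.100.20 Main outgoing-interface "ethernet3" preshare xxxx proposal "pre-g2-3des-md5"
set vpn "Tunnel for Princess Road" id 11 gateway "Gateway for Princess Road" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "Tunnel for Princess Road" monitor source-interface ethernet3
set policy id 5 from "Trust" to "Untrust"  "Leicester" "Princess Road" "ANY" Tunnel vpn "Tunnel for Princess Road" id 12 pair-policy 4
"""
SITE_C = """
set interface untrust ip 198.51.100.20/32
set ike gateway "VPN1" address 203.0.113.10 Aggr outgoing-interface "untrust" preshare xxxx proposal "pre-g2-3des-md5"
set ike gateway "vpn2" address 203.0.113.50 Main outgoing-interface "untrust" preshare xxxx proposal "pre-g2-3des-md5"
set vpn "VPN1IKE" gateway "VPN1" replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "VPN2IKE" gateway "vpn2" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set policy id 2 from "Trust" to "Untrust"  "Princess Road" "Leicester" "ANY" tunnel vpn "VPN1IKE" id 1 pair-policy 3 log
"""

GW = re.compile(r'^set ike gateway "([^"]+)" (?:ip|address) (\S+) (Main|Aggr) ')
VPN = re.compile(r'^set vpn "([^"]+)" (?:id \d+ )?gateway "([^"]+)" ')
MON = re.compile(r'^set vpn "([^"]+)" monitor')
POL = re.compile(r'^set policy .* [Tt]unnel vpn "([^"]+)"')
IFIP = re.compile(r'^set interface \S+ ip (\d+(?:\.\d+){3})/')

def parse(cfg):
    site = {"ips": set(), "gw": {}, "vpn": {}, "mon": set(), "pol": set()}
    for line in cfg.strip().splitlines():
        if m := GW.match(line): site["gw"][m[1]] = (m[2], m[3])   # gateway name -> (peer ip, phase-1 mode)
        elif m := VPN.match(line): site["vpn"][m[1]] = m[2]       # vpn name -> gateway name
        elif m := MON.match(line): site["mon"].add(m[1])          # vpns with VPN monitoring on
        elif m := POL.match(line): site["pol"].add(m[1])          # vpns referenced by a tunnel policy
        elif m := IFIP.match(line): site["ips"].add(m[1])         # this box's own interface addresses
    return site

def check(local, peer):
    """Findings for local's tunnels toward peer; an empty list means nothing obviously wrong."""
    out = []
    for name, (ip, mode) in local["gw"].items():
        if ip not in peer["ips"]:
            continue                      # points at some other site (e.g. site B), not this peer
        back = [(n, m) for n, (pip, m) in peer["gw"].items() if pip in local["ips"]]
        if not back:
            out.append(f"{name}: no gateway on the peer points back at us")
        out += [f"{name} is {mode} but peer gateway {n} is {m}: phase 1 modes must match"
                for n, m in back if m != mode]
    for vname in local["vpn"]:
        if vname not in local["pol"] and vname not in local["mon"]:
            out.append(f"{vname}: no tunnel policy and no VPN monitor, so nothing will ever start phase 1")
    return out
```

Run `check(parse(SITE_C), parse(SITE_A))` for site C's view and swap the arguments for site A's; each side only reports on the gateway that points at the other.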

