Nabble - Netscreen at Compsoc.com

understanding traffic shaping

2008-12-11T00:31:28Z

Hi!

I'm currently trying to understand traffic shaping on the SSGs and have
a hard time.

Prep for JNCIS FWV has the following question:

You have 4 policies configured for the egress interface with 10Mbps
physical bandwith:
Policy1: Prio0, 1Mbps GBW, 3Mbps MBW
Policy2: Prio1, 1Mbps GBW, 4Mbps MBW
Policy3: Prio1, 2Mbps GBW, 2Mbps MBW
Policy4: Prio0, 2Mbps GBW, 4Mbps MBW

The book states that under full load policy 4 would drop packets first.

I tried to simulate this and got a different result. I assume, my
assumptions are wrong, but I would need help to spot the error:

Let's say a constant stream of 1 Mbit-packets - one fitting each policy
- hits the device with 40Mbps.
I'll name the packtes after the policy-id, they will fit:
1,2,3,4,1,2,3,4,1,2,3,4, and so on.
Since the egress speed is only 10Mbps, the SSG can only send out one
packet for every four packets, it receives.

Lets go:

First packet hit's the device. It's policy 1. Since Policy 1 has 1Mbps
GBW, the packet goes straight out to the egress interface.
Second packet - this time for policy 2. Again 1 Mbps GBW, so the packet
get's straight queued on the interface, since the first packet is still
being put on the wire.
Same with packet 3 and 4.
Now packet 5 arrives- again for policy 1. GBW is exhausted, but MBW is
not even reached, so this packet is been pushed to Queue 0
Meanwhile packet 1 has left the building and packet 2 is been processed
to be put on the wire.

Next packet 6 arrives (policy 2) - again that GBW is exhausted, but not
the MBW, so this packet is placed in Queue 1.
Next packet 7 (policy 3) comes along - here we're even still in the GWB,
so this packet goes straight to the out-queue for the egress interface.
The last bits of packet 2 have just hit the wire.

Packet 8 arrives (policy 4). Again a GBW-Packet, so it joins Pakets 4
and 7 (3 has just started to be put on the wire).
Packet 9 comes in - Policy1 - This packet is just inside the MBW-limit.
It's the third 1Mb-Paket for policy 1 within this second and we got
3Mbps MBW, so that packet joins packet 5 in Queue 0.

Packet 10 comes in - policy 2. Here we've used up 3 of the 4 Mbps MBW,
so that packet goes into Queue 1.

And according to my understanding, packet 11 finally gets dropped, since
this would be 3Mbps for a 2 Mbps - MBW in policy 3.

Where's my mistake?

Cheers,
Kai
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

IGMP snooping with NetScreen firewall?

2008-09-18T06:10:10Z

Hi,
Does the small NS5-GT support IGMP-snooping?

If not, is there another Netscreen model that support IGMP-snooping?

If not, does anyone have experience using a small switch that support IGMP-snooping.
I knew the 'small' Extreme Summit200 works fine but I would like to replace that switch
with a smaller one...

Best Regards
Fredrik

Get news, entertainment and everything you care about at Live.com. Check it out!
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

OpenSSH-5.1p1 issue with ScreenOS

2008-09-11T15:21:11Z

Just FYI in case others haven't run into this yet: after upgrading my
OpenSSH client to the latest 5.1-portable, I found to my horror that
ssh sessions to NetScreens (ScreenOS 5.4r10, 6.1.0r3) were immediately
disconnecting. Looking at the event log through webui showed
successful-auth, but no real error messages. Same basic symptoms for
both password and pubkey-auth. Running ssh in verbose mode gave a few
hints, it looks like a new 5.1 security feature isn't being handled
correctly by the NetScreen sshd:

--------------
http://openssh.com/txt/release-5.1
<snip>
New features:
* Added a no-more-sessions@... global request extension that is
sent from ssh(1) to sshd(8) when the client knows that it will never
request another session (i.e. when session multiplexing is disabled).
This allows a server to disallow further session requests and
terminate the session in cases where the client has been hijacked.
--------------

I can only venture to guess that, when ScreenOS receives the client
message "no more sessions after this one", it's interpreting as
"...including this one"? Anyway, by the Edisonian approach :) I
discovered that the following option will get you back in:

ControlMaster=ask (or "yes", or "auto" -- anything but the default "no")

As in, "ssh -o ControlMaster=ask me@..."

I wouldn't recommend adding this to your ssh_config, unless you can do
it per-host. It's a good idea to disable where not needed.

FWIW,

John

PS -- If anyone has a less-kludgy workaround, I'd love to hear it.
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: Policy traffic shaping netscreen

2008-09-02T01:48:40Z

Hi, Praveen!

You can download the NSRemote from the Juniper-Site (Support / Download Software)

You have to log in, choose ‘NetScreen Remote VPN Client’ and then enter the serial-Number from your bought NS-Remote to be able to download the current version.

In case you havent’t bougth the client yet – it’s really cheap (I guess about 10 Dollars when bought in a pack of 100).

Cheers,

Kai

Von: Praveen Sankar [mailto:praveen.sankar@...]
Gesendet: Dienstag, 2. September 2008 07:15
An: Kai Krebber
Cc: nn@...
Betreff: RE: [nn] Policy traffic shaping netscreen

Hi Kai,

Tried below mentioned software , but no luck.

Getting error message as “Tunnel Disabled”. I used to connect vpn to IKE authentication.

Do you/anyone know from where I can download Net screen Remote VPN client Ver. 9.0 . It is quite urgent for me to set vpn for

Marketing guys who is travelling with in two days. Please help .

Thanks ,

Praveen.

From: Kai Krebber [mailto:Kai.Krebber@...]
Sent: Wednesday, August 27, 2008 11:55 AM
To: Praveen Sankar
Cc: nn@...
Subject: AW: [nn] Policy traffic shaping netscreen

http://www.shrew.net/

Didn’t try it yet, but supposed to work just fine.

Cheers,

Kai

Von: nn-bounces@... [mailto:nn-bounces@...] Im Auftrag von Praveen Sankar
Gesendet: Mittwoch, 27. August 2008 08:17
An: 'Juniper-Nsp'; nn@...
Betreff: Re: [nn] Policy traffic shaping netscreen

Hi All,

I m looking for vpn_client_juniper software which is suitable for Windows Vista.

I m having the software which is suitable for XP , and it is working well too.

In coming week, I need to configure VPN for vista user. I would be grateful if anyone can provide me the link where I can get the software.

Looking forward to hearing from you.

Thanks and regards,

Praveen.

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: Policy traffic shaping netscreen

2008-09-01T22:12:32Z

Hi Kai,

Tried below mentioned software , but no luck.

Getting error message as “Tunnel Disabled”. I used to connect vpn to IKE authentication.

Do you/anyone know from where I can download Net screen Remote VPN client Ver. 9.0 . It is quite urgent for me to set vpn for

Marketing guys who is travelling with in two days. Please help .

Thanks ,

Praveen.

From: Kai Krebber [mailto:Kai.Krebber@...]
Sent: Wednesday, August 27, 2008 11:55 AM
To: Praveen Sankar
Cc: nn@...
Subject: AW: [nn] Policy traffic shaping netscreen

http://www.shrew.net/

Didn’t try it yet, but supposed to work just fine.

Cheers,

Kai

Hi All,

I m looking for vpn_client_juniper software which is suitable for Windows Vista.

I m having the software which is suitable for XP , and it is working well too.

In coming week, I need to configure VPN for vista user. I would be grateful if anyone can provide me the link where I can get the software.

Looking forward to hearing from you.

Thanks and regards,

Praveen.

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Unencrypted 6over4 tunnel config?

2008-08-27T17:13:25Z

I'm trying to set up a plain unemcrypted, encapsulated tunnel to my tunnel
broker (Hurricane).

All the C&E examples deal with using IPSEC tunnels, with NS devices on both
ends. Any quick config examples?

KeS
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: Policy traffic shaping netscreen

2008-08-27T06:30:56Z

Thanks Greg.

Will test it and update the status.

Praveen.

-----Original Message-----
From: Greg Conroy [mailto:gconroy@...]
Sent: Wednesday, August 27, 2008 6:55 PM
To: Kai Krebber
Cc: Praveen Sankar; nn@...
Subject: Re: [nn] Policy traffic shaping netscreen

The Netscreen remote client version 9.0 works with 32bit Vista, but not
with 64bit Vista. If you need a client for 64bit Vista (or 64 bit XP)
you can use the NCP Universal IPSec VPN Client. That client also works
with XP 32/64 and Windows 2000 as well as CE. I believe they also have
a Linux client as well.

http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html

Greg

Kai Krebber wrote:

>
> http://www.shrew.net/
>
>
>
> Didn’t try it yet, but supposed to work just fine.
>
>
>
> Cheers,
>
> Kai
>
>
>
> ------------------------------------------------------------------------
>
> *Von:* nn-bounces@... [mailto:nn-bounces@...] *Im
> Auftrag von *Praveen Sankar
> *Gesendet:* Mittwoch, 27. August 2008 08:17
> *An:* 'Juniper-Nsp'; nn@...
> *Betreff:* Re: [nn] Policy traffic shaping netscreen
>
>
>
> Hi All,
>
>
>
> I m looking for vpn_client_juniper software which is suitable for
> Windows Vista.
>
> I m having the software which is suitable for XP , and it is working
> well too.
>
> In coming week, I need to configure VPN for vista user. I would be
> grateful if anyone can provide me the link where I can get the
> software.
>
>
>
> Looking forward to hearing from you.
>
>
>
>
>
> Thanks and regards,
>
> Praveen.
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> nn mailing list
> nn@...
> http://www.compsoc.com/cgi-bin/mailman/listinfo/nn
>

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: Policy traffic shaping netscreen

2008-08-27T06:24:44Z

The Netscreen remote client version 9.0 works with 32bit Vista, but not
with 64bit Vista. If you need a client for 64bit Vista (or 64 bit XP)
you can use the NCP Universal IPSec VPN Client. That client also works
with XP 32/64 and Windows 2000 as well as CE. I believe they also have
a Linux client as well.

http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html

Greg

Kai Krebber wrote:

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: Policy traffic shaping netscreen

2008-08-26T23:54:53Z

* Kai Krebber <Kai.Krebber@...> [27.08.2008 08:40]:
> http://www.shrew.net/ <http://www.shrew.net/>
> Didn't try it yet, but supposed to work just fine.

works fine in my case with a 5XT and GT.

--
stefan.bauer@... Linux Professional
Phone +49 89 26 216 964 Debian GNU/Linux
Mobile +49 179 11 94 767 Josef-Führer-Str. 30
http://www.plzk.de 80997 München

Bitte senden Sie mir keine Word- oder PowerPoint-Anhänge.
Siehe http://www.gnu.org/philosophy/no-word-attachments.de.html
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: Policy traffic shaping netscreen

2008-08-26T23:25:29Z

http://www.shrew.net/

Didn’t try it yet, but supposed to work just fine.

Cheers,

Kai

Hi All,

I m looking for vpn_client_juniper software which is suitable for Windows Vista.

I m having the software which is suitable for XP , and it is working well too.

In coming week, I need to configure VPN for vista user. I would be grateful if anyone can provide me the link where I can get the software.

Looking forward to hearing from you.

Thanks and regards,

Praveen.

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: Policy traffic shaping netscreen

2008-08-26T23:15:47Z

Hi All,

I m looking for vpn_client_juniper software which is suitable for Windows Vista.

I m having the software which is suitable for XP , and it is working well too.

In coming week, I need to configure VPN for vista user. I would be grateful if anyone can provide me the link where I can get the software.

Looking forward to hearing from you.

Thanks and regards,

Praveen.

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: VPN Tunnel Woes - Again

2008-08-24T09:44:07Z

On Sun, Aug 24, 2008 at 06:20:53PM +0530, Naveen Dhar wrote:
> This would be counted as using 2 vpn's bcos 2 tunnel interfaces are being
> used between the same two gateways whereas in policy based VPN, it would be
> seen as 1 VPN tunnel being used with any number of vpn policies assigned to
> it.

Policy Based VPN is not an option because of the network structure
involved.

> So if you now have about 25 different small subnets to be going through vpn
> in future, you may end up using 25 vpn license.

This is still cheaper than re-working the network and living with the
complexity of having the netscreen connected with two interfaces.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: VPN Tunnel Woes - Again

2008-08-24T05:50:53Z

Great find mate but just a quickie.. i believe if you have a small netscreen device like 10 vpn allowed.

This would be counted as using 2 vpn's bcos 2 tunnel interfaces are being used between the same two gateways whereas in policy based VPN, it would be seen as 1 VPN tunnel being used with any number of vpn policies assigned to it.

So if you now have about 25 different small subnets to be going through vpn in future, you may end up using 25 vpn license.

Cheers.

:-)

--
Thanks & Regards,
Naveen Dhar
Lead Consultant & Subject Matter Expert - Network Security
CCNA,CCSA,CCSE,JNCIA,JNCIS
Computer Sciences Corporation Pvt. Ltd.

2008/8/24 Marc Haber <mh%2Bqorbit-nn@...>

The issue is solved now.

On Sun, Aug 17, 2008 at 11:09:38PM +0200, Marc Haber wrote:
> set vpn "myvpn-10-101-139-64-off" gateway "myvpn-172-16-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
> set vpn "myvpn-10-101-139-64-off" id 22 bind interface tunnel.5
> set vpn "myvpn-10-101-139-64-off" proxy-id local-ip 10.1.2.0/28 remote-ip 10.101.139.64/30 "ANY"
> set route 10.101.139.64/30 interface tunnel.5 preference 20
>
> set interface "tunnel.5" zone "Untrust"
> set interface tunnel.5 ip unnumbered interface untrust
>
> set ike gateway "myvpn-172-16-251-112" address 172.16.251.112 Main outgoing-interface "untrust" preshare "<snip>" proposal "pre-g2-aes256-sha1"
> set ike gateway "myvpn-172-16-251-112" cert peer-ca all
>
> set policy id 1 from "Untrust" to "Untrust" "Any" "Any" "ANY" permit log
>
> This works just fine. I now need to add a second tunnel which has
> 10.101.139.100/30 as the remote side. As soon as I add the canonical
>
> set vpn "myvpn-10-101-139-100-off" gateway "myvpn-172-16-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
> set vpn "myvpn-10-101-139-100-off" id 22 bind interface tunnel.5
> set vpn "myvpn-10-101-139-100-off" proxy-id local-ip 10.1.2.0/28 remote-ip 10.101.139.100/30 "ANY"
> set route 10.101.139.100/30 interface tunnel.5 preference 20

Two problems with this configuration:
- need a dedicated tunnel interface for each tunnel
- must not re-use the id in the bind interface tunnel line.

Working configuration:
set interface "tunnel.2" zone "Untrust"
set interface "tunnel.3" zone "Untrust"
set interface tunnel.2 ip unnumbered interface untrust
set interface tunnel.3 ip unnumbered interface untrust
set ike gateway "myvpn-10-101-251-112" address 10.101.251.112 Main outgoing-interface "untrust" preshare "<snip>"
set vpn "myvpn-10-101-139-64-off" gateway "myvpn-10-101-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
set vpn "myvpn-10-101-139-64-off" id 30 bind interface tunnel.2
set vpn "myvpn-10-101-139-100-off" gateway "myvpn-10-101-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
set vpn "myvpn-10-101-139-100-off" id 31 bind interface tunnel.3
set vpn "myvpn-10-101-139-64-off" proxy-id local-ip 10.1.2.0/24 remote-ip 10.101.139.64/30 "ANY"
set vpn "myvpn-10-101-139-100-off" proxy-id local-ip 10.1.2.0/24 remote-ip 10.101.139.100/30 "ANY"

Conslusion: Multiple proxy-IDs with the same remote side work fine
even with route-based tunnels, if one does it right.

Thanks to a lot of help I received on IRC.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

Bitte beachten Sie, daß dem [m.E. grundgesetzwidrigen] Gesetz zur
Vorratsdatenspeicherung zufolge, seit dem 1. Januar 2008 jeglicher
elektronische Kontakt (E-Mail, Telefongespräche, SMS, Internet-
Telefonie, Mobilfunk, Fax) mit mir oder anderen Nutzern verdachts-
unabhängig für den automatisierten geheimen Zugriff durch Strafver-
folgungs- u. Polizeivollzugsbehörden, die Bundesanstalt für Finanz-
dienstleistungsaufsicht, Zollkriminal- und Zollfahndungsämter,die
Zollverwaltung zur Schwarzarbeitsbekämpfung, Notrufabfragestellen,
Verfassungsschutzbehörden, den Militärischen Abschirmdienst, Bundes-
nachrichtendienst sowie 52 Staaten wie beispielsweise Aserbeidschan
oder die USA sechs Monate lang gespeichert wird, einschließlich der
Kommunikation mit Berufsgeheimnisträgern wie Ärzten, Journalisten und
Anwälten. Mehr Infos zur totalen Protokollierung Ihrer Kommunikations-
daten auf www.vorratsdatenspeicherung.de. (leicht verändert übernommen
kopiert von www.lawblog.de)

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: VPN Tunnel Woes - Again

2008-08-24T03:09:48Z

The issue is solved now.

On Sun, Aug 17, 2008 at 11:09:38PM +0200, Marc Haber wrote:

> set vpn "myvpn-10-101-139-64-off" gateway "myvpn-172-16-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
> set vpn "myvpn-10-101-139-64-off" id 22 bind interface tunnel.5
> set vpn "myvpn-10-101-139-64-off" proxy-id local-ip 10.1.2.0/28 remote-ip 10.101.139.64/30 "ANY"
> set route 10.101.139.64/30 interface tunnel.5 preference 20
>
> set interface "tunnel.5" zone "Untrust"
> set interface tunnel.5 ip unnumbered interface untrust
>
> set ike gateway "myvpn-172-16-251-112" address 172.16.251.112 Main outgoing-interface "untrust" preshare "<snip>" proposal "pre-g2-aes256-sha1"
> set ike gateway "myvpn-172-16-251-112" cert peer-ca all
>
> set policy id 1 from "Untrust" to "Untrust" "Any" "Any" "ANY" permit log
>
> This works just fine. I now need to add a second tunnel which has
> 10.101.139.100/30 as the remote side. As soon as I add the canonical
>
> set vpn "myvpn-10-101-139-100-off" gateway "myvpn-172-16-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
> set vpn "myvpn-10-101-139-100-off" id 22 bind interface tunnel.5
> set vpn "myvpn-10-101-139-100-off" proxy-id local-ip 10.1.2.0/28 remote-ip 10.101.139.100/30 "ANY"
> set route 10.101.139.100/30 interface tunnel.5 preference 20

Two problems with this configuration:
- need a dedicated tunnel interface for each tunnel
- must not re-use the id in the bind interface tunnel line.

Working configuration:
set interface "tunnel.2" zone "Untrust"
set interface "tunnel.3" zone "Untrust"
set interface tunnel.2 ip unnumbered interface untrust
set interface tunnel.3 ip unnumbered interface untrust
set ike gateway "myvpn-10-101-251-112" address 10.101.251.112 Main outgoing-interface "untrust" preshare "<snip>"
set vpn "myvpn-10-101-139-64-off" gateway "myvpn-10-101-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
set vpn "myvpn-10-101-139-64-off" id 30 bind interface tunnel.2
set vpn "myvpn-10-101-139-100-off" gateway "myvpn-10-101-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
set vpn "myvpn-10-101-139-100-off" id 31 bind interface tunnel.3
set vpn "myvpn-10-101-139-64-off" proxy-id local-ip 10.1.2.0/24 remote-ip 10.101.139.64/30 "ANY"
set vpn "myvpn-10-101-139-100-off" proxy-id local-ip 10.1.2.0/24 remote-ip 10.101.139.100/30 "ANY"

Conslusion: Multiple proxy-IDs with the same remote side work fine
even with route-based tunnels, if one does it right.

Thanks to a lot of help I received on IRC.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

Bitte beachten Sie, daß dem [m.E. grundgesetzwidrigen] Gesetz zur
Vorratsdatenspeicherung zufolge, seit dem 1. Januar 2008 jeglicher
elektronische Kontakt (E-Mail, Telefongespräche, SMS, Internet-
Telefonie, Mobilfunk, Fax) mit mir oder anderen Nutzern verdachts-
unabhängig für den automatisierten geheimen Zugriff durch Strafver-
folgungs- u. Polizeivollzugsbehörden, die Bundesanstalt für Finanz-
dienstleistungsaufsicht, Zollkriminal- und Zollfahndungsämter,die
Zollverwaltung zur Schwarzarbeitsbekämpfung, Notrufabfragestellen,
Verfassungsschutzbehörden, den Militärischen Abschirmdienst, Bundes-
nachrichtendienst sowie 52 Staaten wie beispielsweise Aserbeidschan
oder die USA sechs Monate lang gespeichert wird, einschließlich der
Kommunikation mit Berufsgeheimnisträgern wie Ärzten, Journalisten und
Anwälten. Mehr Infos zur totalen Protokollierung Ihrer Kommunikations-
daten auf www.vorratsdatenspeicherung.de. (leicht verändert übernommen
kopiert von www.lawblog.de)
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Multiple Proxy-IDs per tunnel on a route-based VPN (was: VPN Tunnel Woes - Again)

2008-08-24T01:53:23Z

On Tue, Aug 19, 2008 at 12:07:07AM +0200, Marc Haber wrote:
> On Mon, Aug 18, 2008 at 01:16:09PM +0530, Naveen Dhar wrote:
> > Policy based VPN allow multiple proxy id's to be generated per vpn policy
> > inside the same tunnel.
>
> Ok, I'll try converting to policy based VPNs in the next few days.

Now I remember why I used a route-based VPN in the first place. My
netscreen device is not the actual firewall being used, it is only
being used as a VPN gateway, only connected with a single Interface:

-------------------- ---------------------
| 10.101.139.64/30 | | 10.101.139.100/30 |
-------------------- ---------------------
| |
---------------------------
| Cisco Concentrator |
---------------------------
| 172.16.251.112
| untrust
-------------- 172.17.0.1 -------------
| Router |------------------| Netscreen |
-------------- -------------
|
|
--------------
| 10.1.2.7 |
--------------

The netscreen's untrust interface is the only interface connected.

With a policy-based VPN, i'd need the VPN policy to go from "untrust"
to "untrust", and untrust-to-untrust policies don't allow a VPN tunnel
to be specified.

Is there and workaround to specify a VPN policy from untrust to
untrust? I don't want to waste a second switch port on the Netscreen's
trust interface and would really like to avoid the complexity of a
second VLAN for the netscreen's trust interface.

Any ideas?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: VPN Tunnel Woes - Again

2008-08-18T15:07:07Z

On Mon, Aug 18, 2008 at 01:16:09PM +0530, Naveen Dhar wrote:
> You can use one route based vpn tunnel with vpn proxy id as local *
> 10.101.139.64/26* containing 10.101.139.64/30 & 10.101.139.100/30 both
> and then filter vpn traffic through vpn policies but you have to change the
> encryption domain @ Cisco device as well to say remote party netscreen
> subnet is *10.101.139.64/26* and not 10.101.139.64/30 & 10.101.139.100/30

I don't like that idea too much since there is already a request for a
third tunnel whose remote side is not even in the same /8 network.

> Policy based VPN allow multiple proxy id's to be generated per vpn policy
> inside the same tunnel.

Ok, I'll try converting to policy based VPNs in the next few days.

Does the config file pulled from the WebUI contain complete
configuration, including all certificates, keys etc so that I can make
a backup (and restore it!) before doing so?

Greetings
Ma "nobody wants backup, everybody wants restore" rc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Policy traffic shaping netscreen

2008-08-18T01:36:33Z

Hello I have an SSG 140 with screenOS 6.1.0r2.0

And I have a problem with policy traffic shaping which does no seem to work proper.

When I configure a policy with guaranteed bw and maximum bw traffic seems to be matched

at another policy with another source address than the one configured.

e.g 192.168.40.10 is matched at a policy with source 192.168.40.19

any ideas what causes this kind of behavior?

Thank you

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: VPN Tunnel Woes - Again

2008-08-18T00:46:09Z

Marc,

You can use one route based vpn tunnel with vpn proxy id as local 10.101.139.64/26 containing 10.101.139.64/30 & 10.101.139.100/30 both and then filter vpn traffic through vpn policies but you have to change the encryption domain @ Cisco device as well to say remote party netscreen subnet is 10.101.139.64/26 and not 10.101.139.64/30 & 10.101.139.100/30 .

With route based tunnels you can't use multiple subnets as proxy id's, so you have to use supernet to cover both inidividual small subnets. Also if you have multiple subnets from Cisco LAN side as well then you need to use supernet for them as well or only other option is create policy based vpn.

Policy based VPN allow multiple proxy id's to be generated per vpn policy inside the same tunnel.

--
Thanks & Regards,
Naveen Dhar
Lead Consultant & Subject Matter Expert - Network Security
CCNA,CCSA,CCSE,JNCIA,JNCIS
Computer Sciences Corporation Pvt. Ltd.

On Mon, Aug 18, 2008 at 11:48 AM, Marc Haber <mh%2Bqorbit-nn@...> wrote:

On Mon, Aug 18, 2008 at 10:52:14AM +0530, Naveen Dhar wrote:
> If you want multiple subnets to be accessed via VPN tunnel between NetScreen
> and Cisco then create Policy Based Tunnel on NetScreen device and all would
> work. i have a few of them already working.
>
> Route based tunnel should be used when you can use a supernet in vpn proxy
> id for netscreen vpn which covers both of those subnets inside it and both
> subnets 10.101.139.64/30 & 10.101.139.100/30 would work via the same one
> vpn tunnel via single tunnel interface.

I have always used route-based VPNs for years. Do I really have to
learn how to use policy-based VPNs as what I want cannot be
accomplished with route-based VPNs?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: VPN Tunnel Woes - Again

2008-08-17T23:18:48Z

On Mon, Aug 18, 2008 at 10:52:14AM +0530, Naveen Dhar wrote:
> If you want multiple subnets to be accessed via VPN tunnel between NetScreen
> and Cisco then create Policy Based Tunnel on NetScreen device and all would
> work. i have a few of them already working.
>
> Route based tunnel should be used when you can use a supernet in vpn proxy
> id for netscreen vpn which covers both of those subnets inside it and both
> subnets 10.101.139.64/30 & 10.101.139.100/30 would work via the same one
> vpn tunnel via single tunnel interface.

I have always used route-based VPNs for years. Do I really have to
learn how to use policy-based VPNs as what I want cannot be
accomplished with route-based VPNs?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: VPN Tunnel Woes - Again

2008-08-17T22:22:14Z

Hi Marc,

If you want multiple subnets to be accessed via VPN tunnel between NetScreen and Cisco then create Policy Based Tunnel on NetScreen device and all would work. i have a few of them already working.

Route based tunnel should be used when you can use a supernet in vpn proxy id for netscreen vpn which covers both of those subnets inside it and both subnets 10.101.139.64/30 & 10.101.139.100/30 would work via the same one vpn tunnel via single tunnel interface.

--
Thanks & Regards,
Naveen Dhar
Lead Consultant & Subject Matter Expert - Network Security
CCNA,CCSA,CCSE,JNCIA,JNCIS
Computer Sciences Corporation Pvt. Ltd.

On Mon, Aug 18, 2008 at 2:39 AM, Marc Haber <mh%2Bqorbit-nn@...> wrote:

Hi,

I had this issue in last december and addressed in on this list.
Unfortunately, I failed to properly followup with the replies I
received since I never fully understood what was going on. I apologize.

I am having trouble - again - with a IPSEC tunnel to another company
running a Cisco VPN Concentrator. I do not do netscreen VPN very much
and am therefore at a loss how to debug.

This is how things look:

Network "plan":
-------------------- ---------------------
| 10.101.139.64/30 | | 10.101.139.100/30 |
-------------------- ---------------------
| |
---------------------------
| Cisco Concentrator |
---------------------------
| 172.16.251.112
| untrust
-------------- 172.17.0.1 -------------
| Router |------------------| Netscreen |
-------------- -------------
|
|
--------------
| 10.1.2.7 |
--------------

I have a currenly existing and working tunnel between 10.1.2.0/28 and
10.1.139.64/30 via the Netscreen and the Cisco concentrator.

Netscreen config excerpts:
-> get system
Product Name: NetScreen-NS5GT
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r3a.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Wed Feb 7 19:00:24 PST 2007
Base Mac: 0010.db73.5a50
File Name: screenos_image, Checksum: 51863a99
Box in trust-untrust mode
System in NAT/route mode.

set vpn "myvpn-10-101-139-64-off" gateway "myvpn-172-16-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
set vpn "myvpn-10-101-139-64-off" id 22 bind interface tunnel.5
set vpn "myvpn-10-101-139-64-off" proxy-id local-ip 10.1.2.0/28 remote-ip 10.101.139.64/30 "ANY"
set route 10.101.139.64/30 interface tunnel.5 preference 20

set interface "tunnel.5" zone "Untrust"
set interface tunnel.5 ip unnumbered interface untrust

set ike gateway "myvpn-172-16-251-112" address 172.16.251.112 Main outgoing-interface "untrust" preshare "<snip>" proposal "pre-g2-aes256-sha1"
set ike gateway "myvpn-172-16-251-112" cert peer-ca all

set policy id 1 from "Untrust" to "Untrust" "Any" "Any" "ANY" permit log

This works just fine. I now need to add a second tunnel which has
10.101.139.100/30 as the remote side. As soon as I add the canonical

set vpn "myvpn-10-101-139-100-off" gateway "myvpn-172-16-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
set vpn "myvpn-10-101-139-100-off" id 22 bind interface tunnel.5
set vpn "myvpn-10-101-139-100-off" proxy-id local-ip 10.1.2.0/28 remote-ip 10.101.139.100/30 "ANY"
set route 10.101.139.100/30 interface tunnel.5 preference 20

I lose the connectivity of the first tunnel, and the second does not
seem to come up. This is also the case when I replace tunnel.5 with
tunnel.6 in the second tunnel definition.

Debug info looks like december last year, something along like:

untrust:10.1.2.7/36462->10.101.139.65/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <untrust>, out <N/A>
chose interface untrust as incoming nat if.
flow_first_routing: in <untrust>, out <N/A>
search route to (untrust, 10.1.2.7->10.101.139.65) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 7.route 10.101.139.65->10.101.139.65, to tunnel.5
routed (x_dst_ip 10.101.139.65) from untrust (untrust in 0) to tunnel.5
policy search from zone 1-> zone 1
policy_flow_search policy search nat_crt from zone 1-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.101.139.65, port 47853, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 1
No src xlate ## 2007-12-05 14:58:40 : NHTB entry search no found: vpn none tif tunnel.5 nexthop 10.101.139.65
packet dropped, no way(tunnel) out

(this is not copied verbatim from the dbuf as it has scrolled out)

Can anybody say what's going wrong with my tunnels? Any hints will be
appreciated. If there is any information missing, I'll happily deliver
what you need to properly diagnose things.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn