VPN Tunnel Woes

Hi,

I am having trouble with an IPSEC tunnel to another company (I _think_ they're running Checkpoint, but I think that's irrelevant for the time being). That tunnel used to work about a year ago, remained unused for some time and during that time stopped working. Currently, when I ping the remote side, I see the ping coming in at the netscreen, which drops it ("packet dropped, no way(tunnel) out"). I do not do netscreen VPN very much and am therefore at a loss how to debug.

Network "plan":

        --------------
        | 10.101.0.1 |
        --------------
              |
      ----------------------
      | IPSEC Gateway Ggst |
      ----------------------
              | 172.16.0.1
              | untrust
        --------------    172.17.0.1    -------------
        |   Router   |------------------| Netscreen |
        --------------                  -------------
              |                               |
                                        --------------
                                        |  10.1.2.7  |
                                        --------------

Netscreen config excerpts:

-> get system
Product Name: NetScreen-NS5GT
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r3a.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Wed Feb 7 19:00:24 PST 2007
Base Mac: 0010.db73.5a50
File Name: screenos_image, Checksum: 51863a99
Box in trust-untrust mode
System in NAT/route mode.

set interface "tunnel.3" zone "Untrust"
set interface tunnel.3 ip unnumbered interface untrust
set ike gateway "site-to-site-10-101-0-0" address 172.16.0.1 \
    Main outgoing-interface "untrust" \
    preshare "<snip>" proposal "pre-g2-3des-sha"
set vpn "site-to-site-10-101-0-0" gateway "site-to-site-10-101-0-0" \
    no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "site-to-site-10-101-0-0" id 19 bind interface tunnel.3
set vpn "site-to-site-10-101-0-0" \
    proxy-id local-ip 10.1.2.0/24 remote-ip 10.101.0.0/24 "ANY"
set route 10.101.0.0/24 interface tunnel.3 preference 20

"get dbuf stream" after pinging from 10.1.2.7 to 10.101.0.1:

-> get dbuf stream
****** 1287999.0: <Untrust/untrust> packet received [60]******
  ipid = 31121(7991), @05896e10
  packet passed sanity check.
  untrust:10.1.2.7/36462->10.101.0.1/1024,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <untrust>, out <N/A>
  chose interface untrust as incoming nat if.
  flow_first_routing: in <untrust>, out <N/A>
  search route to (untrust, 10.1.2.7->10.101.0.1) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 7.route 10.101.0.1->10.101.0.1, to tunnel.3
  routed (x_dst_ip 10.101.0.1) from untrust (untrust in 0) to tunnel.3
  policy search from zone 1-> zone 1
  policy_flow_search policy search nat_crt from zone 1-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.101.0.1, port 47853, proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 1
  No src xlate
  ## 2007-12-05 14:58:40 : NHTB entry search no found: vpn none tif tunnel.3 nexthop 10.101.0.1
  packet dropped, no way(tunnel) out

Since the packet is dropped, the IPSEC connection is not built. What did I do wrong? If there is any information missing, please ask. I'll happily deliver.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn
Re: VPN Tunnel Woes

On Wed, Dec 05, 2007 at 03:22:50PM +0100, Marc Haber wrote:
> set interface "tunnel.3" zone "Untrust"
> set interface tunnel.3 ip unnumbered interface untrust
> set ike gateway "site-to-site-10-101-0-0" address 172.16.0.1 \
>     Main outgoing-interface "untrust" \
>     preshare "<snip>" proposal "pre-g2-3des-sha"
> set vpn "site-to-site-10-101-0-0" gateway "site-to-site-10-101-0-0" \
>     no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
> set vpn "site-to-site-10-101-0-0" id 19 bind interface tunnel.3
> set vpn "site-to-site-10-101-0-0" \
>     proxy-id local-ip 10.1.2.0/24 remote-ip 10.101.0.0/24 "ANY"
> set route 10.101.0.0/24 interface tunnel.3 preference 20

Ok, it looks like somebody recently configured a new tunnel to a different remote gateway, and also used the "tunnel.3" interface to bind the new tunnel to, which broke the old one. Moving the new tunnel to a newly defined tunnel interface fixed mine.

Now, I need to establish a new tunnel to the same remote gateway and the same remote network:

> set ike gateway "site-to-site-10-101-0-0-new" address 172.16.0.1 \
>     Main outgoing-interface "untrust" \
>     preshare "<snip>" proposal "pre-g2-3des-sha"
> set vpn "site-to-site-10-101-0-0-new" gateway "site-to-site-10-101-0-0" \
>     no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
> set vpn "site-to-site-10-101-0-0-new" id 19 bind interface tunnel.3
> set vpn "site-to-site-10-101-0-0-new" \
>     proxy-id local-ip 10.1.4.0/24 remote-ip 10.101.0.0/24 "ANY"

The new tunnel does not come up, with the same error: "packet dropped, no way(tunnel) out". Only, this time, I need to use the same tunnel interface since I have the same remote network and therefore need the same route.

What to do here?

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
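The two findings in the first two posts above (a "no way(tunnel) out" drop whose preceding NHTB lookup resolved to "vpn none", and a second VPN bound to the same tunnel.3 interface as the first) can be checked offline against a saved config and debug trace. The following Python is an added example, not code from the thread or from Juniper/NetScreen; the config and debug samples in it are constructed from the lines quoted in the thread (the second VPN is given id 20 here, which is made up so the two ids differ), and the function names are this example's own.

```python
"""Offline checks for the two symptoms in this thread: more than one VPN bound to
one ScreenOS tunnel interface, and a 'no way(tunnel) out' drop in 'get dbuf stream'.

Added example. SAMPLE_CONFIG and SAMPLE_DEBUG are constructed from the lines
quoted in the thread; the id 20 on the "-new" VPN is made up.
"""
import re
from collections import defaultdict

# Constructed sample config: the original VPN plus the "-new" VPN, both bound to tunnel.3.
SAMPLE_CONFIG = """\
set interface "tunnel.3" zone "Untrust"
set interface tunnel.3 ip unnumbered interface untrust
set vpn "site-to-site-10-101-0-0" id 19 bind interface tunnel.3
set vpn "site-to-site-10-101-0-0" proxy-id local-ip 10.1.2.0/24 remote-ip 10.101.0.0/24 "ANY"
set vpn "site-to-site-10-101-0-0-new" id 20 bind interface tunnel.3
set vpn "site-to-site-10-101-0-0-new" proxy-id local-ip 10.1.4.0/24 remote-ip 10.101.0.0/24 "ANY"
set route 10.101.0.0/24 interface tunnel.3 preference 20
"""

# Constructed sample debug output: the tail of the 'get dbuf stream' trace from the first post.
SAMPLE_DEBUG = """\
untrust:10.1.2.7/36462->10.101.0.1/1024,1(8/0)<Root>
no session found
routed (x_dst_ip 10.101.0.1) from untrust (untrust in 0) to tunnel.3
Permitted by policy 1
No src xlate
## 2007-12-05 14:58:40 : NHTB entry search no found: vpn none tif tunnel.3 nexthop 10.101.0.1
packet dropped, no way(tunnel) out
"""

BIND_RE = re.compile(r'^set vpn "([^"]+)" id \d+ bind interface (tunnel\.\d+)$')
ROUTE_RE = re.compile(r'^set route (\S+) interface (tunnel\.\d+)')
NHTB_RE = re.compile(r'NHTB entry search no found: vpn (\S+) tif (tunnel\.\d+) nexthop (\S+)')
DROP_RE = re.compile(r'packet dropped, (.+)$')


def vpn_bindings(config):
    """Map each tunnel interface to the VPN names bound to it."""
    bound = defaultdict(list)
    for line in config.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            bound[m.group(2)].append(m.group(1))
    return dict(bound)


def tunnel_routes(config):
    """Map each tunnel interface to the prefixes routed into it."""
    routed = defaultdict(list)
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routed[m.group(2)].append(m.group(1))
    return dict(routed)


def shared_interfaces(config):
    """Tunnel interfaces carrying more than one VPN. A route-based tunnel interface
    can carry several VPNs only if next-hop tunnel binding (NHTB) entries tell
    ScreenOS which VPN each next hop belongs to; the trace's "vpn none" is that
    lookup failing."""
    return {tif: names for tif, names in vpn_bindings(config).items() if len(names) > 1}


def drop_diagnosis(debug):
    """Return (drop reason, (vpn, tif, nexthop) of the NHTB lookup) or (None, None)."""
    reason, nhtb = None, None
    for line in debug.splitlines():
        m = NHTB_RE.search(line)
        if m:
            nhtb = m.groups()
        m = DROP_RE.search(line)
        if m:
            reason = m.group(1)
    return reason, nhtb


def report(config, debug):
    """Human-readable summary combining both checks."""
    lines = []
    for tif, names in shared_interfaces(config).items():
        lines.append(f"{tif}: {len(names)} VPNs bound ({', '.join(names)}); "
                     f"routes into it: {', '.join(tunnel_routes(config).get(tif, []))}")
    reason, nhtb = drop_diagnosis(debug)
    if reason:
        lines.append(f"drop reason: {reason}")
    if nhtb:
        vpn, tif, nexthop = nhtb
        lines.append(f"NHTB lookup on {tif} for nexthop {nexthop} resolved to vpn '{vpn}'")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG, SAMPLE_DEBUG)))
```

Run against a real "get config" and "get dbuf stream" capture, the report lists every tunnel interface with more than one "bind interface" line together with the routes pointing at it, which is exactly the collision Marc found on tunnel.3, and pairs the final drop reason with the NHTB lookup that preceded it so the "vpn none" result is visible without reading the whole trace.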
Re: VPN Tunnel Woes

Hi Marc,

Your existing VPN is routing-based, therefore if your new tunnel is going to the same remote gateway/host, you don't really need to create another tunnel. I think you just need to create a new policy to specify your source IP.

Best Regards
Joyce

Marc Haber wrote:
> On Wed, Dec 05, 2007 at 03:22:50PM +0100, Marc Haber wrote:
>
>> set interface "tunnel.3" zone "Untrust"
>> set interface tunnel.3 ip unnumbered interface untrust
>> set ike gateway "site-to-site-10-101-0-0" address 172.16.0.1 \
>>     Main outgoing-interface "untrust" \
>>     preshare "<snip>" proposal "pre-g2-3des-sha"
>> set vpn "site-to-site-10-101-0-0" gateway "site-to-site-10-101-0-0" \
>>     no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
>> set vpn "site-to-site-10-101-0-0" id 19 bind interface tunnel.3
>> set vpn "site-to-site-10-101-0-0" \
>>     proxy-id local-ip 10.1.2.0/24 remote-ip 10.101.0.0/24 "ANY"
>> set route 10.101.0.0/24 interface tunnel.3 preference 20
>>
>
> Ok, it looks like somebody recently configured a new tunnel to a
> different remote gateway, and also used the "tunnel.3" interface to
> bind the new tunnel to, which broke the old one. Moving the new tunnel
> to a newly defined tunnel interface fixed mine.
>
> Now, I need to establish a new tunnel to the same remote gateway and
> the same remote network:
>
>> set ike gateway "site-to-site-10-101-0-0-new" address 172.16.0.1 \
>>     Main outgoing-interface "untrust" \
>>     preshare "<snip>" proposal "pre-g2-3des-sha"
>> set vpn "site-to-site-10-101-0-0-new" gateway "site-to-site-10-101-0-0" \
>>     no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
>> set vpn "site-to-site-10-101-0-0-new" id 19 bind interface tunnel.3
>> set vpn "site-to-site-10-101-0-0-new" \
>>     proxy-id local-ip 10.1.4.0/24 remote-ip 10.101.0.0/24 "ANY"
>>
>
> The new tunnel does not come up, with the same error: "packet dropped,
> no way(tunnel) out". Only, this time, I need to use the same tunnel
> interface since I have the same remote network and therefore need the
> same route.
>
> What to do here?
>
> Greetings
> Marc