Topic: Setting up a L2TP VPN on the SSG5

remino

Setting up a L2TP VPN on the SSG5
« on: August 01, 2008, 07:11:17 pm »
Hi,

I'm new here and I need someone's help.  I can't say I'm an expert at configuring routers, but I can work my way around our SSG5 router.  Please bear with me!

I simply need to set a VPN on the router to let some people from outside access our LAN.  We don't need any fancy authentication: just one username and password for all will be fine.

I tried setting up our Windows Server 2003 as a PPTP VPN server, but while I can connect to it with VPN clients, the server somehow cannot relay DHCP calls to our router.  I find that very odd, since all our workstations can work with our router's DHCP service.  Anyway, I gave up trying to configure Windows Server 2003.

We have two DSL connections, on ethernet0/0 and ethernet0/1.  They are both in the Untrust zone and do not belong to any group.  The ports ethernet0/4 to 0/6 and wireless0/0 and 0/1 are all part of the bgroup0.  They are in the Trust zone and constitute the local gateway, at IP address 192.168.1.1.

After running the wizard with different options and ways to configure the VPN, I can't seem to figure it out.  Once the setup is done, I try to connect to our new VPN using a computer outside our LAN and it can't connect.

Is there anyone out there who can help a novice like me?  Maybe a tutorial or a how-to, or just a few pointers could help.

Thanks in advance!
« Last Edit: August 01, 2008, 07:13:38 pm by remino »


NS/XP

Re: Setting up a L2TP VPN on the SSG5
« Reply #1 on: August 02, 2008, 01:09:31 pm »
For a step-by-step dialup VPN config I would recommend

VPN & Netscreen Remote

or

VPN & Windows native client

Best regards
« Last Edit: August 02, 2008, 01:15:06 pm by NS/XP »

remino

Re: Setting up a L2TP VPN on the SSG5
« Reply #2 on: August 02, 2008, 02:49:35 pm »
Thanks, NS/XP, but this is not working for me.

Here's what I've done so far on my SSG5 firewall/router:

1. Create user "vpnuser" in Objects > Users > Local.  User Name: vpnuser.  Status: Enable.  IKE User: Checked.  Simple Identity: Selected.  IKE ID Type: Auto.  IKE Identity: vpnuser.  Authentication User: Checked.  User Password and Confirm Password: Both specified.

2. Create new "vpngw" gateway in VPNs > AutoKey Advanced > Gateway.  Gateway Name: vpngw.  Security Level: Custom.  Dialup User: vpnuser.  Preshared Key: Specified.

3. Modified advanced settings for "vpngw" gateway.  Security Level, User Defined, Custom: Selected.  Phase 1 Proposal: rsa-g2-aes128-sha, dsa-g2-aes128-sha.  Mode (Initiator): Aggressive.

4. Created new VPN "vpn" in VPNs > AutoKey IKE.  VPN Name: vpn.  Security Level: Custom.  Remote Gateway, Predefined: vpngw.

5. Modified advanced settings for "vpn".  Security Level, User Defined, Custom: Selected.  Phase 2 Proposal: g2-esp-aes128-sha.  Replay Protection: Checked.  VPN Monitor: Checked.

6. Added Policy from Untrust to Trust.   Source Address, Address Book Entry: Any.  Destination Address, Address Book Entry: Dial-Up VPN.  Action: Tunnel.  Tunnel, VPN: vpn.  Tunnel, Modify matching bidirection policy: Checked.  Logging: Checked.

7. Verify Policy from Trust to Untrust.  (Automatically generated by checking the "Modify matching bidirection policy" mentioned above.)  Source Address, Address Book Entry: Dial-Up VPN.  Destination Address, Address Book Entry: Any.  Action: Tunnel.  Tunnel, VPN: vpn.  Logging: Checked.

8. Create VPN client connection on my Mac (using Mac OS X 10.5) in System Preferences > Network and click "+" button ("Create a new service") to add VPN (L2TP).

9. Configure connection.  Add configuration by clicking Configuration > New Configuration.  Specified external IP address of router and username "vpnuser".  In "Authentication Settings," added user password and shared secret.

10. Click "Apply", then "Connect."

When I connect, it simply tells me it can't do so, after trying for a few seconds.  When I check the file "ppp.log" in Console.app, I only get the following details, which are not helpful:

Sat Aug  2 16:39:12 2008 : IPSec connection started
Sat Aug  2 16:39:22 2008 : IPSec connection failed

I tried following a tutorial for setting a VPN up with certificates which I found on this site, but it didn't work.  (After generating a certificate using the router's CSR, I get no means to specify the certificate is for a VPN server.)

So, any ideas?
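
An added illustration, not from remino or anyone else in this thread, of how the GUI steps listed above map onto the ScreenOS CLI for an L2TP-over-IPsec dial-up VPN. It also shows the two settings such a setup depends on that a plain dial-up IPsec VPN does not need: a pre-shared-key Phase 1 proposal (the "pre-*" family; the "rsa-*" and "dsa-*" proposals expect certificates on both sides) and a transport-mode Phase 2 with an L2TP tunnel bound in the policy, since the PPP session is what IPsec protects. Interface names, zone names, the 192.168.1.1 gateway and the object names vpnuser/vpngw/vpn come from the thread. Everything else is an assumption: that clients dial in on ethernet0/0 rather than ethernet0/1, the address pool range, the L2TP tunnel name, the share-limit, the IKE ID type, and the password/PSK placeholders. The command forms follow the ScreenOS CLI as I recall it and should be checked against the CLI reference for the device's firmware; the lines starting with "#" are annotations for the reader, not CLI input.

```screenos
# Local user allowed to authenticate IKE (Phase 1) and PPP inside the L2TP session.
# The ID type and value must match what the client presents (assumption: plain name as FQDN).
set user "vpnuser" ike-id fqdn "vpnuser" share-limit 10
set user "vpnuser" type auth ike l2tp
set user "vpnuser" password "REPLACE-WITH-USER-PASSWORD"
set user "vpnuser" enable

# Dial-up gateway in aggressive mode so a peer on a dynamic address can identify itself by name.
# A gateway that authenticates with a pre-shared key needs a "pre-*" Phase 1 proposal.
set ike gateway "vpngw" dialup "vpnuser" aggressive outgoing-interface "ethernet0/0" preshare "REPLACE-WITH-STRONG-PSK" proposal "pre-g2-aes128-sha"

# Phase 2 in transport mode with replay protection: L2TP/PPP rides inside this SA.
set vpn "vpn" gateway "vpngw" replay transport proposal "g2-esp-aes128-sha"

# L2TP layer: client address pool (assumed range, kept outside the LAN DHCP scope),
# DNS handed to clients, PPP authentication against the local user database.
set ippool "l2tp-pool" 192.168.1.200 192.168.1.210
set l2tp default ippool "l2tp-pool"
set l2tp default dns1 192.168.1.1
set l2tp default auth server "Local"
set l2tp "l2tp-tunnel" outgoing-interface ethernet0/0 keep-alive 60

# Policy: the dial-up peer (Untrust) reaches the LAN (Trust) through the VPN via L2TP, logged.
set policy from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel vpn "vpn" l2tp "l2tp-tunnel" log

# Checks to run on the firewall while a client attempts to connect:
get ike cookie    # Phase 1 negotiations the firewall has seen
get sa            # Phase 2 SAs; an active entry means IPsec came up
get l2tp all      # L2TP tunnels and sessions
get event         # event log with IKE and L2TP failure reasons
```

A client log that stops at "IPSec connection failed" with nothing after it means Phase 1 never completed, so `get ike cookie` and `get event` on the firewall are the first places to look; a mismatched proposal family, ID type or pre-shared key all fail at that stage before L2TP is ever attempted.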

NS/XP

Re: Setting up a L2TP VPN on the SSG5
« Reply #3 on: August 03, 2008, 04:41:34 am »
Obviously you are using a Mac. As I got through the endless troubles of establishing a connection using the standard Mac client for a colleague of mine, I switched over to the free IPSecuritas client. If I remember correctly there is a thread in this forum where someone also asked technical support about the not-connecting problem in this scenario and the only answer was "... but it should work ...". Ah, here it is.

So take 1 minute to download the client and a further 15 to configure IPSecuritas and the SSG device and get around headaches.

Best regards.
« Last Edit: August 03, 2008, 04:43:52 am by NS/XP »