Netscreen 5-GT configuring resilience

[jez_convergence]

Hi,

Does anybody have any advice about how to configure Netscreen VPN resilience in a triangular (partial-mesh) configuration.

I have set a Netscreen as dual-untrust with two separate gateways (Ethernet3 as active) and (Ethernet2 in standby). If I test this out the solution works fine and it will switch between the primary/backup VPNs.

The problem I have is on the other Netscreen which only has one gateway. This is set to Trust-Untrust. Initially when I break one of the links on the Dual-Untrust netscreen it cuts over fine and I am able to ping VPN endpoints. If, however the route comes back up from the dual-untrust this will cut over fine. But then I can only ping from the LAN on Dual-Untrust to the LAN of Netscreen with only one gateway. I have tried on the Trust-Untrust device to adjust metrics and preferences for the static routes to remote LAN but this causes strange results during testing. I have made Tunnel1(primary IPsec tunnel) as a lower cost than via tunnel2. I beleive the issue is purely because I have a triangular configuration - but so has the customer after it has left the testing environment.

To summarise I need to be able to recognise when a tunnel is backup on a Trust-Untrust netscreen as I have two tunnels but only one internet gateway.

Any advice from anyone who has ever experienced this would be appreciateds.

[TiG]

I've got Netscreens at work and they are a nightmare and are going as soon as i can get budget to get rid of them, i've never found such annoying flakely VPN hardware. I'll have a think to see how i'd set this up.

TiG

[jez_convergence]

Hi Tig,

Thanks if you can. I also have another issue in that if I set the remote device to Dual-Untrust I can't seem to get internet routing via main site proxy working (with the Trust-Untrust that they had on site before this was not a problem). Basically the way the routing table is laid out changes. If you have any ideas on where I should point a route it would be appreciated.

[TiG]

Jez, I've tried to setup this in detail here when i've had a few spare minutes last night. I can see why you are having these issues but as yet i've not had any brain waves to try and resolve it, don't take it that i've stopped looking but i'm so busy at the moment that i've not had chance to investigate at any other time than later in the evenings. Doing a bit of reconfiguration again tonight on something else so i'll let you know if I make any more progress.

TiG

[jez_convergence]

Hi Tig,

Thanks for your help. I will keep checking for updates. If you want the configuration that I have used I can send it.

Below is what worked in a lab environment. As soon as we used this on site it would not form a tunnel with the far end device:

set clock ntp
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name
set admin password
set admin port 1156
set admin scs password disable username ispace
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet3" zone "Untrust"
set interface "ethernet2" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.2" zone "Untrust"
set interface ethernet1 ip 193.6.0.254/24
set interface ethernet1 nat
set interface ethernet1 ip 10.110.0.254 255.255.0.0 secondary
set interface ethernet3 ip x.x.x.x/30
set interface ethernet3 route
set interface ethernet2 ip x.x.x.x/30
set interface ethernet2 route
unset interface vlan1 ip
set interface tunnel.1 ip unnumbered interface ethernet3
set interface tunnel.2 ip unnumbered interface ethernet2
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 manage-ip 193.6.0.253
set interface ethernet1 ip manageable
set interface ethernet3 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 manage ping
set interface ethernet3 manage ssh
set interface ethernet3 manage telnet
set interface ethernet3 manage snmp
set interface ethernet3 manage ssl
set interface ethernet3 manage web
set interface ethernet2 manage ping
set interface ethernet3 monitor track-ip ip
set interface ethernet3 monitor track-ip ip x.x.x.x weight 6
unset interface ethernet3 monitor track-ip dynamic
set flow tcp-mss
set flow all-tcp-mss 1350
unset flow no-tcp-seq-check
unset flow tcp-syn-check
set flow max-frag-pkt-size 1350
set hostname GS_Bristol
set failover enable
set failover auto
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 66.9.50.197
set dns host dns2 217.150.98.3
set address "Trust" "10.110.0.0/16" 10.110.0.0 255.255.0.0
set address "Trust" "193.6.0.0/24" 193.6.0.0 255.255.255.0
set address "Untrust" "10.110.0.0/16" 10.110.0.0 255.255.0.0
set address "Untrust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Untrust" "193.1.0.0/24" 193.1.0.0 255.255.255.0
set ike gateway "Cardiff PrimGW" address 80.83.146.67 Main outgoing-interface "ethernet3" preshare "80SG0GB2N+cm5wswrsCwcujYhLnuCaMdTQ==" proposal "pre-g2-3des-md5"
set ike gateway "Cardiff Bup Gway" address 80.83.146.67 Main outgoing-interface "ethernet2" preshare "80SG0GB2N+cm5wswrsCwcujYhLnuCaMdTQ==" proposal "pre-g2-3des-md5"
set ike respond-bad-spi 1
set ike gateway "Cardiff PrimGW" heartbeat hello 200
set ike gateway "Cardiff PrimGW" heartbeat reconnect 250
set ike gateway "Cardiff Bup Gway" heartbeat hello 200
set ike gateway "Cardiff Bup Gway" heartbeat reconnect 250
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "Cardiff Primary" gateway "Cardiff PrimGW" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "Cardiff Primary" id 1 bind interface tunnel.1
set vpn "Cardiff Backup" gateway "Cardiff Bup Gway" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "Cardiff Backup" id 2 bind interface tunnel.2
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 3 from "Untrust" to "Trust" "193.1.0.0/24" "193.6.0.0/24" "ANY" permit
set policy id 3
exit
set policy id 2 from "Trust" to "Untrust" "193.6.0.0/24" "193.1.0.0/24" "ANY" permit
set policy id 2
exit
set policy id 4 from "Trust" to "Untrust" "10.110.0.0/16" "193.1.0.0/24" "ANY" permit
set policy id 4
exit
set policy id 5 from "Untrust" to "Trust" "193.1.0.0/24" "10.110.0.0/16" "ANY" permit
set policy id 5
exit
set policy id 6 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
set policy id 6
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
set ntp server "80.83.144.18"
set ntp server src-interface "ethernet3"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set ntp interval 1440
set ntp max-adjustment 1000
set snmp community "ispace0123" Read-Write Trap-on traffic version v1
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet3 gateway 83.217.115.1 preference 20
set route 0.0.0.0/0 interface ethernet2 gateway 88.151.217.125 preference 20
exit
set vrouter "trust-vr"
unset add-default-route
set route 193.1.0.0/24 interface tunnel.1 preference 20
set route 193.1.0.0/24 interface tunnel.2 preference 20
set route 80.83.146.66/27 interface ethernet3 preference 20
set route 0.0.0.0/0 interface tunnel.1
set route 0.0.0.0/0 interface tunnel.2
set route 80.83.146.64/27 interface ethernet2 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit