# Netscreen?

## alu

Hello everybody!

I'm new to these forums and this is my first post.

My school uses NetScreen-Remote, a kind of VPN. I got permission to try and use our VPN with Linux. The only problem is I can't get any VPN clients on Linux to run (FreeS/WAN, Openswan, IPsec).

Anybody got a great guide, or can walk me through the setup of the VPN client and the configuration of the VPN -> Netscreen server?

Please help me on this!

// alucar[D]^

----------

## alu

Come on, surely someone knows how this is done.

----------

## sawyert

I have no idea what kind of firewall we use at work, but I can connect to it using pptp-client.

http://pptpclient.sourceforge.net/

Tim.

----------

## nielchiano

Got any more clues on netscreen already?

----------

## alu

dammit! We use netscreen in school to VPN our connection :S

No Netscreen, No Internet. :[

I really need some help with this...

Isn't there something for this? Netscreen for Linux doesn't exist, I think :[

Damn software, costs money :'(

/alu

----------

## nielchiano

*alu wrote:*

> dammit! We use netscreen in school to VPN our connection :S
> 
> No Netscreen, No Internet. :[

join the club... I need it too... but no clues yet... I might ask our helpdesk; but I'll have to wait 3 months (summer-vacation)

----------

## alu

*bump*

sorry, really would like this answered..

----------

## alu

*bump*

----------

## coax

Yeah, I would like to know too. I did hear about someone being able to create a site to site vpn from an Astaro to a Netscreen. Since Astaro is based on Linux ...

Anyway, how about openswan? I read about people getting it to work, apparently.

----------

## chovy

is this "Netscreen" the Juniper VPN?

We use it at work too and I'm unable to figure out how to use it on linux from home.

I have $HOME/.juniper_networks/ which contain some scripts, but none of 'em do anything, as far as I can tell.

When I google the script names, I get 0 results:

```
~/.juniper_networks/network_connect:
installNC.sh
xlaunchNC.sh
ncui
```

----------

## santo

Me too. 

We recently switched to Juniper, which is (almost) completely browser based.

With firefox, I can login without problems (after having symlinked some required libs),

but that's it.

I just can't access any machine at the office.

any help appreciated

----------

## chovy

can we merge these two threads if they are related to Juniper VPN?

https://forums.gentoo.org/viewtopic.php?p=2884846#2884846

----------

## alu

Well, the netscreen we use is a program that uses vpn. Not something browser-based.

I heard there is a client for Red Hat, maybe I could port it? Haven't been able to find it though..

----------

## alu

*bump*

----------

## chovy

no idea...I'm still looking for the steps to get juniper vpn client to work with linux.

----------

## Daxtar

Hi there,

i just have to wait until my fastest hell machine laptop (300 Mhz) has done compiling the kernel (waiting.... waiting...), and after that, I'll try strongswan to establish an IPSec tunnel to my office. I have idea of strongswan vs. freeswan, but I'll start with strongswan to see if it's working...

As a Windows client I used to connect with SafeNet's IPsec client; this is the one NetScreen/Juniper are selling as branded software..

greetings, Daxtar

----------

## Daxtar

Feature comparison between strongSwan and openswan

http://www.strongswan.org/

so I'd rather start with openswan, I think I need aggressive mode....

----------

## cdunham

*alu wrote:*

> Come on, surely someone knows how this is done.

Yes, and stop calling me "Shirley".

I found this helpful: http://www.prolixium.com/netscreen_linux.php

My situation is a bit different from yours: connecting my home net to the office LAN. In this case, I set up the IKE Autokey and IKE Gateway in Aggressive mode, using a pre-shared key, and racoon on a Gentoo box behind my Linksys NAT box (192.168.5.100).

The useful part of racoon.conf (1.2.3.4 represents my home public IP, 4.3.2.1 the office's):

```
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

log notify;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp 192.168.5.100 [500];
        isakmp_natt 192.168.5.100 [4500];
}

timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote 4.3.2.1 {
        exchange_mode aggressive;
        doi ipsec_doi;
        nat_traversal on;
        my_identifier address 1.2.3.4;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 192.168.5.0/24 any address 192.168.30.0/24 any {
        pfs_group 2;
        lifetime time 4 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The useful part of ipsec.conf:

```
#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 192.168.5.0/24 192.168.30.0/24 any
    -P out ipsec esp/tunnel/192.168.5.100-4.3.2.1/require;

spdadd 192.168.30.0/24 192.168.5.0/24 any
    -P in ipsec esp/tunnel/4.3.2.1-192.168.5.100/require;
```

One thing I'm trying to figure out now is how to get the office Netscreen to route through other VPN links to other sites, so I can do a hub-and-spoke, rather than set up links from home to everywhere else.

----------

## Daxtar

Hi There,

meanwhile I was successful, too...

But I used Openswan instead of racoon...

I want my notebook to connect to a Netscreen 5xp box using IPsec.

The Netscreen config is:

  - aggressive mode tunnel
  - IKE, Diffie-Hellman group 2, 3des-md5, pre-shared key
  - nopfs-3des-md5 ESP

the /etc/ipsec/ipsec.conf (openswan) is this:

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file:  /usr/share/doc/openswan-2.4.4/ipsec.conf-sample
# Manual:     ipsec.conf.5

version   2.0   # conforms to second version of ipsec.conf specification

# basic configuration
config setup
   # plutodebug / klipsdebug = "all", "none" or a combination from below:
   # "raw crypt parsing emitting control klips pfkey natt x509 private"
   # eg:
   # plutodebug="control parsing"
   plutodebug="pfkey"
   nat_traversal=yes
   interfaces=%defaultroute
   # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12

# sample VPN connection
conn my_conn
   type=tunnel
   left=%defaultroute
   leftid=MYIDENTITY
   right=netscreen.ip.adress
   rightsubnet=subnet.behind.netscreen/24
   rightid=netscreen.ip.adress
   rightnexthop=%defaultroute
   aggrmode=yes
   auto=add
   pfs=no
   auth=esp
   authby=secret
   ike=3des-md5-modp1024
   esp=3des-md5
   compress=no

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

of course I need a /etc/ipsec/ipsec.secrets like this:

```
MYIDENTITY netscreen.ip.adress : PSK "you_will_never_get_in_here"
```

You will need some kernel modules to be compiled, but I was told by

```
/etc/init.d/ipsec start
```

which ones are missing...

Once started, the VPN tunnel is established by

```
ipsec auto --up my_conn
```

and to shut down the tunnel I use

```
ipsec auto --down my_conn
```

----------

## alu

Daxtar,

I'm getting the message:

```
036 "my_conn" #11: can not initiate aggressive mode, at most one algorithm may be provided
```

Any idea why? My netscreen box has the same setup as you.

My ipsec.conf:

```
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
   plutodebug="pfkey"
   nat_traversal=yes
   interfaces=%defaultroute

#Skolan NetScreen
conn my_conn
   type=tunnel
   left=%defaultroute
   leftid=101
   right=10.232.8.1
   rightsubnet=255.255.252.0/22
   rightid=10.232.8.1
   rightnexthop=%defaultroute
   aggrmode=yes
   keyexchange=ike
   auto=add
   pfs=no
   auth=esp
   authby=secret
   ike=des-md5-modp1024
   esp=des-md5
   compress=no

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

----------
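Daxtar's working conn and alu's failing conn above differ only in their algorithm keywords, and the pluto error alu quotes says that aggressive mode tolerates only one IKE proposal. The script below is an added example, not code from this thread or from Openswan: it parses the `conn` sections of an ipsec.conf, counts the `ike=` proposals, checks each keyword against an assumed list of names Openswan accepts (single DES is deliberately absent from that list; confirm it against `ipsec.conf(5)` on your own box), flags weak primitives a defender would want replaced, and checks that `leftsubnet`/`rightsubnet` are networks rather than netmasks. The embedded sample config is constructed from the two posts, with documentation-range placeholders standing in for Daxtar's `netscreen.ip.adress` values.

```python
import ipaddress
import re

# ASSUMPTION: approximate set of algorithm keywords Openswan accepts in ike=/esp=
# proposals. Single "des" is deliberately left out; verify against ipsec.conf(5).
ACCEPTED_ENC = {"3des", "aes", "aes128", "aes192", "aes256"}
ACCEPTED_HASH = {"md5", "sha1", "sha256"}
# Primitives worth flagging even where the NetScreen peer still accepts them.
WEAK = {"des", "3des", "md5", "modp1024"}

# Constructed sample: alu's and Daxtar's conns from the thread (Daxtar's addresses
# replaced by placeholders), plus a third conn with two IKE proposals.
SAMPLE_CONF = """\
version 2.0

config setup
   nat_traversal=yes
   interfaces=%defaultroute

conn alu_conn
   leftid=101
   right=10.232.8.1
   rightsubnet=255.255.252.0/22
   aggrmode=yes
   ike=des-md5-modp1024
   esp=des-md5

conn daxtar_conn
   right=192.0.2.1            # placeholder for netscreen.ip.adress
   rightsubnet=192.0.2.0/24   # placeholder for subnet.behind.netscreen/24
   aggrmode=yes
   ike=3des-md5-modp1024
   esp=3des-md5

conn multi_conn
   aggrmode=yes
   ike=aes-sha1-modp1024,3des-md5-modp1024
   esp=aes-sha1

include /etc/ipsec/ipsec.d/examples/no_oe.conf
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section; '#' comments are
    stripped, an unindented line starts a section, indented lines are key=value."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            match = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(match.group(1), {}) if match else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def proposals(spec):
    """Split an ike=/esp= value into proposals, dropping the strict '!' suffix."""
    return [p.strip().rstrip("!") for p in spec.split(",") if p.strip()]


def check_conn(opts):
    """Return a list of problems found in one conn section (empty means none)."""
    problems = []
    ike_props, esp_props = proposals(opts.get("ike", "")), proposals(opts.get("esp", ""))
    if not ike_props:
        problems.append("no ike= line; pluto will offer its whole default proposal set")
    # Pluto refuses to initiate aggressive mode with more than one IKE proposal
    # (the error alu quotes), so an aggrmode=yes conn needs exactly one.
    if opts.get("aggrmode") == "yes" and len(ike_props) != 1:
        problems.append(f"aggrmode=yes needs exactly one ike= proposal, found {len(ike_props)}")
    for prop in ike_props:
        parts = prop.split("-")
        if len(parts) != 3:
            problems.append(f"ike proposal {prop!r} is not of the form enc-hash-modpN")
            continue
        enc, hsh, group = parts
        if enc not in ACCEPTED_ENC:
            problems.append(f"ike proposal {prop!r}: encryption {enc!r} is not an accepted keyword")
        if hsh not in ACCEPTED_HASH:
            problems.append(f"ike proposal {prop!r}: hash {hsh!r} is not an accepted keyword")
        if not re.fullmatch(r"modp\d+", group):
            problems.append(f"ike proposal {prop!r}: DH group {group!r} is not modpN")
    for prop in esp_props:
        enc = prop.split("-")[0]
        if enc not in ACCEPTED_ENC:
            problems.append(f"esp proposal {prop!r}: encryption {enc!r} is not an accepted keyword")
    weak = sorted({part for prop in ike_props + esp_props for part in prop.split("-") if part in WEAK})
    if weak:
        problems.append("weak primitives negotiated: " + ", ".join(weak))
    for key in ("leftsubnet", "rightsubnet"):
        if key not in opts:
            continue
        try:
            net = ipaddress.ip_network(opts[key], strict=True)
        except ValueError:
            problems.append(f"{key}={opts[key]!r} is not a valid network/prefix")
            continue
        # Heuristic: a network address in 255.x.x.x is almost certainly a netmask pasted
        # where a network (such as 10.232.8.0/22 for a gateway at 10.232.8.1) was expected.
        if str(net.network_address).startswith("255."):
            problems.append(f"{key}={opts[key]!r} looks like a netmask, not a network")
    return problems


def audit(text):
    """Parse an ipsec.conf and return {conn_name: [problems]}."""
    return {name: check_conn(opts) for name, opts in parse_conns(text).items()}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_CONF).items():
        print(f"conn {name}:", "OK" if not found else "\n  - " + "\n  - ".join(found))
```

Run it against your own `/etc/ipsec/ipsec.conf` by passing the file contents to `audit()`. On the constructed sample it reports `des` as an unaccepted keyword and `255.255.252.0/22` as a netmask for alu's conn, flags 3DES, MD5 and modp1024 as weak for both conns, and rejects the two-proposal conn for aggressive mode.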

## Daxtar

sorry, no idea so far...

*Quote:*

> can not initiate aggressive mode, at most one algorithm may be provided

perhaps des-md5-modp1024 fails to be a valid encryption algorithm ?

----------

## alu

It should work. It's what I need!

Last edited by alu on Mon Jun 05, 2006 3:22 pm; edited 1 time in total

----------

## kallikap

http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c190746e

----------

## alu

It is possible. That page is old.

----------

## clockwise

same situation here, but having library problems.

tried running the client from the command line and from the browser and it asks for the same library.

```
./ncui -h work.net -u username -p password -r work
./ncui: error while loading shared libraries: libstdc++-libc6.2-2.so.3: cannot open shared object file: No such file or directory
```

linking the previous libraries worked, so i tried a similar approach

```
sudo ln -s /usr/lib/libstdc++-v3/libstdc++.so.5.0.6 /lib/libstdc++-libc6.2-2.so.3
```

but that results in this

```
./ncui -h work.net -u username -p password -r work
./ncui: symbol lookup error: ./ncui: undefined symbol: __builtin_new
```

Where can I get the right version of the library? Instructions I've found suggest that apt users can get 'libstdc++2.10-glibc2.2' and the equivalent rpm is 'compat-libstdc++-296'.

----EDIT----

answered my own question...

```
emerge -p lib-compat
```

----------

