Posts Tagged ‘vpn’
Nessus/OpenVAS wrapper for ike-scan
ike-scan is a great tool to audit VPN/IPSec implementations. This tool, which runs under Linux, Unix, MacOS and Windows, can be found at www.nta-monitor.com/tools/ike-scan/ (latest version at time of writing is 1.9). My Nessus ike-scan NASL wrapper may or may not work with earlier or newer versions, so test, test, test.
Some of the great features of ike-scan include extracting the PSK and enumerating transform attributes to find all algorithms that are enabled on a device. This last function in particular may require some scripting and a lot of time going through the log files in order to see whether your solution is configured the way it should be.
So I decided to write a Nessus NASL plugin to run ike-scans.
The plugin is in fact a wrapper around ike-scan and will parse the output, looking for specific settings:
Does the VPN …
Juniper : Netscreen Remote Dial-UP VPN with AD Radius Authentication and route based VPN / tunnel interface
The following procedure explains how to set up a Juniper ScreenOS based firewall to accept Netscreen Remote Client VPN connections and authenticate users using Active Directory (Radius via Windows 2003 IAS or Windows 2008 NPS).
We’ll assume that all traffic from the client to the 192.168.0.0/16 networks needs to pass via the client VPN tunnel. Clients will use dynamic IP addresses (either public or behind a NAT router that is capable of handling IPSec passthrough).
The VPN connection must use the following encryption and hashing parameters and PSK :
Phase 1 : aes-128, sha-1, DH Group2, PSK : This1sNot4GoodPSK3y
Phase 2 : aes-128, sha-1, replay protection, PFS with DH Group2
Network layout :
The Juniper firewall has 3 zones : Public (eth2, …
Windows XP L2TP over IPSec dialup client VPN to a Juniper ScreenOS firewall, using Certificates
Before looking at the various configuration steps, we’ll have to take the following assumptions into account:
– We don’t want to use the Netscreen Remote client, but we want to use the Windows XP built-in dialup VPN technology that allows us to build PPTP or L2TP/IPSec connections. Juniper ScreenOS does not support PPTP (which is not as safe as IPSec anyway).
– The XP clients will have dynamic IPs. They are either directly connected to the internet, or connected behind a firewall/router that is capable of forwarding ESP packets. Keep in mind that NAT traversal cannot be used. So if the client is behind a NAT router, it will not work out of the box (because it will try to send the FQDN as peer ID instead of the IP address). There is a fix, but it requires you to …
IPSec VPN between Windows Server 2008 and Juniper ScreenOS
In this blog post, I will show you how to set up an IPSec VPN tunnel between a Windows Server and a Juniper ScreenOS based firewall and route traffic between hosts that are located behind these 2 VPN gateways. The Windows Server will act as a gateway to build a VPN tunnel towards the Juniper firewall, so the hosts behind the Windows Server can access hosts behind the Juniper firewall. We’ll assume the following network layout: Network 192.168.10.0/24 is located behind a multi-homed Windows 2008 Server (2 network interfaces, one with a private IP (192.168.10.254) and one with an internet public IP (I’ll use 192.168.0.0/24 as ‘internet’, so the ‘public’ IP of the …
Building IPSec VPN with Juniper Netscreen ScreenOS (CJFV)
A few days ago, I posted some ScreenOS basics on this blog. Today, it is time to take it one step further and to look at setting up and especially troubleshooting IPSec VPNs with Juniper Netscreen devices.
The need for a VPN
A VPN can be defined as the simulation of a private connection by tunneling traffic between 2 private locations. The main tunneling protocols are L2TP, GRE and IPSec. If we want to tunnel traffic over a public network, we are faced with some issues. We want to keep the data secure and hidden (confidentiality), we need to ensure that data has not been changed (integrity) and we’d like to make sure that the data really comes from the advertised source (authentication). What are the available solutions for these 3 challenges? …
Juniper : Setting up an IPSec VPN tunnel between a Juniper Netscreen firewall/vpn device and a Cisco VPN device
Today, I will explain the (easy) steps to set up a route-based IPSec VPN tunnel between a Juniper Netscreen firewall/VPN device and a remote Cisco device (such as a Cisco ASA). If you are looking for more generic information on IPSec and building VPNs with Juniper, take a look at my blog post on VPNs with Juniper Netscreen: Building IPSec VPN with Juniper Netscreen ScreenOS (CJFV). The example network used in this explanation looks like this: These are our goals: Set …