Network layout :<\/h3>\n
The Juniper firewall has 3 zones : Public (eth2, connected to the internet, static public IP), LAN (eth1, connected to the LAN) and a separate zone called VPNBuffer, not attached to any interface. This is just an empty zone, a placeholder, so we can create proper policies (instead of defining policies from Public to LAN, we will be able to use policies from VPNBuffer to LAN, thus separating the internet-to-lan traffic policies from the vpn-to-lan policies. It just looks better\u2026 )<\/p>\n All interfaces are in route mode.<\/p>\n In the LAN network, there is a Domain Controller at 192.168.0.6, which will be configured as IAS (Radius) server. (The IAS does not need to be a DC, just a domain member will do)<\/p>\n This is what needs to be done<\/p>\n <\/p>\n Configuration \u2013 Auth \u2013 Auth Servers \u2013 New<\/p>\n <\/p>\n As explained in one of my previous blog posts<\/a>, IAS is a part of Windows Server. At this point, I will assume you have been able to install the IAS Component on your server, and that you have changed the authentication port to 1645, and the accounting port to 1646 (and that you have restarted the IAS service)<\/p>\n Under IAS, open \u201cRadius Clients\u201d, right-click and add a new Radius client. Enter the IP address of the LAN interface of the firewall (192.168.0.30 in our case. Note : if you have defined a manage-ip that is different than the interface IP, you will need to use this IP). Client-Vendor is Radius Standard. Enter the Shared Secret that was entered in the Juniper Auth Server definition. Press Finish to complete the creation of the client.<\/p>\n The final step is to create a policy where you will determine whether a given user should be granted access to VPN or not. You can use Windows AD Groups for this. First, in AD, create a group that will contain your VPN users. <\/p>\n Let\u2019s say we\u2019ll use a group called Juniper.VPN.Users, and added a couple of user accounts in there.<\/p>\n The idea is now to create an IAS policy that will allow members of this group to be granted access.<\/p>\n In IAS, open \u201cRemote Access Policies\u201d and remove any default policies that may be in there. (Just don\u2019t delete the \u201cUse Windows authentication for all users\u201d under \u201cConnection Request Policies\u201d (which can be found under \u201cConnection Request Processing\u201d. <\/p>\n In the \u201cRemote Access Policies\u201d section, right-click and choose \u201cNew remote access policy\u201d.<\/p>\n Click next at the welcome screen. Next, choose \u201cSet up a custom policy\u201d and provide a relevant name<\/p>\n In the Policy Conditions Window, click \u201cAdd\u201d. Select \u201cWindows-Groups\u201d and click \u201cAdd\u201d. Click \u201cAdd\u201d to add your newly created AD group. Click OK to save.<\/p>\n Click next. Select \u201cgrant remote access permission\u201d and click next. <\/p>\n Click \u201cEdit profile\u201d. Go to the authentication tab. Make sure only PAP\/SPAP is selected. In the Advanced Tab, remove the default attributes (Service-Type and Framed Protocol"). Click \u201cAdd\u201d to add a new attribute. Select \u201cVendor-specific\u201d and click Add to add a new attribute. Click Add to add a new value. Set Vendor Code to 3224, select \u201cYes, it conforms\u201d and Click \u201cConfigure Attribute\u201d<\/p>\n In the Configure VSA (RFC Compliant) screen, set Vendor-assigned attribute number to 3, set Attribute format to \u201cstring\u201d and enter a string that will be sent to the Juniper firewall upon succesfull authentication. This string needs to match with the name of an external group that will be created on the Juniper. You are free to pick whatever string you like, but I usually use the name of the AD group (so I know that this group matches with an AD group). So we\u2019ll set the string to \u201cJuniper.VPN.Users\u201d<\/p>\n Click OK to save, Click OK, click Close, click OK. Accept the warning. Click next and click Finish.<\/p>\n At this point, the Windows environment is ready to authenticate VPN users. If you want to set up Radius on a Windows 2008 server instead of 2003, read the next chapter (otherwise, you can skip the next chapter and jump right back to the Juniper configuration)<\/p>\n <\/p>\n Of course, if you are running Windows 2008, you can also use NPS (which replaces IAS) to achieve the same goal. This is how it works :<\/p>\n First, add the required roles on the server that will acts as Radius server. This does not need to be a DC. If the server is part of the domain, it will work just fine<\/p>\n Open Server Manager and add a role<\/p>\n Select Network Policy and Access Services and click next<\/p>\n Click next again<\/p>\n Select Network Policy Server (NPS) and click next<\/p>\n Click Install. Click \u2018close\u2019 when the installation has completed.<\/p>\n Open a MMC and add the NPS snap-in (Local Computer)<\/p>\n First, change the Radius port to 1645. Right-click on NPS (Local) and choose properties<\/p>\n Go to the ports tabsheet and set Authentication to port 1645 only, and accounting to port 1646 only. Click OK to save. use the Action pane on the right to stop and start the NPS service (or use \u201cServices\u201d to restart the NPS service)<\/p>\n Open Radius Clients under NPS (Local) \u2013 RADIUS Clients and Servers, right-click and choose \u2018New Radius Client\u2019<\/p>\n Fill out the name, IP address of the Juniper firewall and set the Shared Secret. Leave the Vendor name as Radius Standard<\/p>\n Open \u201cNetwork Policies\u201d under \u201cPolicies\u201d and remove the 2 default policies called \u201cConnections to Microsoft Routing and Remote Access server\u201d and \u201cConnections to other access servers\u201d (or just make sure they are disabled)<\/p>\n Then, add a new policy<\/p>\n Set a name and leave the type of network access server to Unspecified<\/p>\n Click Next<\/p>\n Under \u201cSpecify Conditions\u201d, click \u201cAdd\u201d and select \u201cWindows Groups\u201d. Click \u201cAdd\u201d again<\/p>\n Click \u201cAdd Groups\u201d and add the AD Group that contains the VPN users (Juniper.VPN.Users in my case)<\/p>\n Click OK<\/p>\n Click Next<\/p>\n Set Access Permission to \u201cAccess granted\u201d and click Next<\/p>\n Authentication methods : deselect everything, except PAP, SPAP<\/p>\n Click Next. Click \u201cNo\u201d when asked to see the corresponding Help Topic<\/p>\n Constraints : do not set constraints (unless you know what you are doing). Just Click next<\/p>\n Configure Settings : Under \u201cStandard\u201d, remove the Framed-Protocol and Service-Type Attributes<\/p>\n Go to Vendor Specific and click Add<\/p>\n Set Vendor to All and select \u201cVendor-Specific\u201d from the list. Click Add<\/p>\n Click Add again<\/p>\n Set Vendor Code to 3224. Select Yes. It Conforms<\/p>\n Click \u201cConfigure Attribute\u201d<\/p>\n Set attribute number to 3, set format to String, and set Value to Juniper.VPN.Users<\/p>\n Click OK<\/p>\n Click OK again<\/p>\n Verify that the new attribute is in the list and click OK again<\/p>\n Click Close<\/p>\n Click Next. Review the configuration settings<\/p>\n Click Finish<\/p>\n That\u2019s it<\/p>\n <\/p>\n <\/p>\n The goal is to assign IP addresses to Netscreen remote clients upon connecting to the Juniper via VPN. We\u2019ll have to create an IP Pool for this. We will use 192.168.99.1-192.168.99.254 (which is in fact the 192.168.99.0\/24 network) :<\/p>\n Objects \u2013 IP Pools \u2013 New<\/p>\n Note : this IP Pool should not overlap with any addresses in your network !<\/p>\n <\/p>\n We will use route based VPN, so we need to create a tunnel interface. This will allow us maximum flexibility, will allow us to put the VPN endpoint in the VPNBuffer zone, etc :<\/p>\n <\/p>\n<\/p>\n<\/p>\n The IP Pool that we have created needs to be reachable. So we need to create proper routing. In fact, we need to send traffic towards the 192.168.99.0\/24 network towards the new tunnel interface :<\/p>\n In addition to the route on the Juniper, all networks behind the Juniper need to be able to route back to the Juniper firewall in order to be communicate with hosts in the 192.168.99.0\/24 network. We\u2019ll assume that all hosts in the 192.168.1.0\/24 network use the Cisco router as default gateway, and the Cisco is configured to route everything to the Juniper firewall. The Juniper firewall, in return, must have a route towards the 192.168.1.0\/24 network, pointing to the Cisco.<\/p>\n Ok, routing looks good, let\u2019s continue with the Juniper setup<\/p>\n <\/p>\n We\u2019ll have to define an IKE user which will be used\/shared by all Netscreen Remote clients. This will allow the client to set up Phase 1 of the VPN connection. Since we want to allow multiple users to use the same IKE user at the same time, we\u2019ll need to put this IKE user in a user group and set the number of simultaneous connections to a number larger than 1<\/p>\n This is how it works :<\/p>\n Objects \u2013 Users \u2013 Local \u2013 New<\/p>\n Set the username, select IKE User and Simple Identity. Make sure the User Name and IKE Identity are the same.<\/p>\n Set the number of multiple logins to something higher than 1 (max. value is 25, if you need more, you\u2019ll need to create multiple IKE users and spread the IKE users over your remote user base)<\/p>\n Set IKE ID Type to AUTO. Click OK to save<\/p>\n Next, create a group and place the ike user(s) in the group<\/p>\n Objects \u2013 Users \u2013 Local Groups \u2013 New<\/p>\n <\/p>\n Next, go to Objects \u2013 Users \u2013 External Groups \u2013 New<\/p>\n The name of the group needs to match exactly with the value of the string that will be passed back from the Radius server upon authenticating. This may or may not be the same name as the AD group (depending on how you have configured the attributes in IAS). We have chosen to use the same name as the AD group name, which is Juniper.VPN.Users<\/p>\n Set the type to XAuth and press OK to save<\/p>\n <\/p>\n VPNs \u2013 AutoKey Advances \u2013 XAuth Settings<\/p>\n Set Authentication server to the Auth Server entry that was created earlier<\/p>\n Select the IP Pool and enter DNS\/WINS settings. You need to set this because there is no other way to assign IP addresses to your VPN clients. If you don\u2019t assign IP addresses, you will have lots of troubles getting the routing between VPN clients and your hosts to work properly. <\/p>\n <\/p>\n <\/p>\n VPNs \u2013 AutoKey Advanced \u2013 Gateway \u2013 New<\/p>\n Pick a name, select Dialup User Group and select the newly created IKE group<\/p>\n Click Advanced<\/p>\n Set the PreShared Key<\/p>\n Select the outgoing interface (which needs to be the public interface, so in our case this is eth0\/2). Set the Security Level to custom and select \u201cpre-g2-aes128-sha).<\/p>\n Set the Mode to Aggressive. Enable NAT-T (this may not be required though \u2013 it depends on your setup)<\/p>\n Click Return and then OK to save<\/p>\n You may receive a similar warning :<\/p>\n Click OK to accept. You should see the new Phase1 definition now. Click on the Xauth link next to your new Phase1<\/p>\n Select XAuth Server, and set the Authentication type to Generic.<\/p>\n Enable External Authentication and pick the Auth server (for Radius) from the list<\/p>\n Select User Group and fill out the group name<\/p>\n Click OK to save<\/p>\n <\/p>\n Go to VPNs \u2013 Autokey IKE \u2013 New<\/p>\n Set a new name and pick the Predefined Phase 1 that was created earlier<\/p>\n Click Advanced<\/p>\n Security Level : set to Custom and select g2-esp-aes128-sha from the list.<\/p>\n Enable Replay protection. Bind the VPN to the tunnel interface that was created earlier. (tunnel.3 in our case)<\/p>\n Enable proxy ID. Set Local IP to 192.168.0.0\/16 and Remote IP to 255.255.255.255\/32<\/p>\n Make sure Service is set to ANY<\/p>\n Click Return and then OK to save<\/p>\n <\/p>\n We want to allow remote clients to access 192.168.0.6 and 192.168.1.8<\/p>\n Since the tunnel interface is in zone VPN, we need a policy from VPNBuffer to LAN<\/p>\n We\u2019ll create some objects first<\/p>\n Next, create the policy (from VPNBuffer to LAN)<\/p>\n Source : NetscreenRemoteUsers<\/p>\n Destination : server1 (don\u2019t add server2 yet)<\/p>\n Action : Permit (not tunnel ! We are using route based VPN, so action must be permit)<\/p>\n (screenshot contains entry for server2, but let\u2019s assume it\u2019s not there yet) <\/p>\n That\u2019s it. We are now ready to configure the Netscreen Remote clients<\/p>\n <\/p>\n <\/p>\n In the Security Policy Editor, create a new connection<\/p>\n Give the new connection a name (such as VPN to company)<\/p>\n Set the connection security settings to \u201cSecure\u201d and enable \u201cOnly connect manually\u201d<\/p>\n Remote party ID : enter the IP subnet that is used in the Local IP Proxy ID of Phase 2<\/p>\n Enable Use Secure Gateway Tunnel and Set the IP Address to the public IP of the Juniper VPN (which is 1.1.1.1) in our case<\/p>\n Next, click on the + (plus) symbol next to the new \u201cVPN to company\u201d connection and select \u201cMy Identity\u201d<\/p>\n Set Certificate to None. Set ID Type to Domain Name and fill out the IKE identity\/IKE username string from the IKE user that was created earlier.<\/p>\n Click Pre-Shared Key and enter the Pre-Shared Key that was used when defining Phase 1<\/p>\n On the left hand side, select Security Policy<\/p>\n Select \u201cAggressive Mode\u201d, enable PFS (DH Group2) and Enable Replay Detection<\/p>\n Open \u201cAuthentication (Phase 1)\u201d, and select Proposal 1<\/p>\n Set authentication mode to Pre-Shared Key and Extended Authentication<\/p>\n Set Encrypt Alg to AES-128 and Hash alg to SHA-1<\/p>\n Set SA Life to seconds and enter 28800<\/p>\n Set Key Group to DH Group 2<\/p>\n On the left side, open \u201cKey Exchange (Phase 2)\u201d and select Proposal 1<\/p>\n Set SA Life to Seconds and enter 3600<\/p>\n Leave compression to none. Enable ESP, set Encrypt Alg to AES-128 and Hash alg to SHA-1. Encapsulation = Tunnel. Leave AH (Authentication Protocol) disabled<\/p>\n Save the settings<\/p>\n <\/p>\n Try to connect : right-click on the Netscreen Remote Icon, choose \u201cConnect\u201d and select the new connection<\/p>\n You should get a User Authentication prompt. Enter a username (DOMAIN\\User or just the username) and the password of an account that is member of the AD Group<\/p>\n If you would have done a \u201cdebug auth radius\u201d on the firewall while the Radius authentication took place, you should see that authentication was successful and that the XAuth group matches with the group that was passed back by the Radius server.<\/p>\n <\/p>\n Verify the VPN connection on the Juniper :<\/p>\n <\/p>\n Verify the XAuth sessions and verify that an IP was assigned to the VPN session :<\/p>\n <\/p>\n Verify that the client can access resources in all networks :<\/p>\n Verify that it cannot access networks that are not allowed by the policy<\/p>\n Adjust the policy, add the 192.168.1.8\/32 host (Server2) as allowed destination and see if traffic to the second network works as well :<\/p>\n![\"image\"](\"\/wp-content\/uploads\/2009\/01\/image123.png\" "\\"image\\"")
<\/a> <\/p>\n\n
\n
Configure auth server<\/h3>\n
<\/a> <\/p>\n\n
Windows 2003 : Set up IAS\/Radius<\/h3>\n
<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\nWindows 2008 : Set up NPS\/Radius<\/h3>\n
<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a><\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\nJuniper : Define IP Pool \/ Subnet<\/h3>\n
<\/a> <\/p>\n<\/a> <\/p>\nJuniper : create tunnel interface<\/h3>\n
set int tunnel.3 zone VPNBuffer\nset int tunnel.3 ip unnumbered interface eth0\/2\n\nget int tun.3\nInterface tunnel.3:\n description tunnel.3\n number 20, if_info 1784, if_index 3, mode route\n link down\n vsys Root, zone VPNBuffer, vr trust-vr\n admin mtu 1500, operating mtu 1500, default mtu 1500\n *ip 0.0.0.0\/0 unnumbered, source interface ethernet0\/2\n *manage ip 0.0.0.0\n pmtu-v4 disabled\n ping disabled, telnet disabled, SSH disabled, SNMP disabled\n web disabled, ident-reset disabled, SSL disabled\n\n OSPF disabled BGP disabled RIP disabled RIPng disabled mtrace disabled\n PIM: not configured IGMP not configured\n MLD not configured\n NHRP disabled\n bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]\n configured ingress mbw 0kbps, current bw 0kbps\n total allocated gbw 0kbps<\/pre>\n<\/div>\n
Juniper : set up routing<\/h3>\n
fw03-><\/span> set route 192.168.99.0\/24 int tun.3\nfw03-><\/span> get route | incl 192.168.99\n 91 192.168.99.0\/24 tun.3 0.0.0.0 S 20 1 Root<\/pre>\n<\/div>\nfw03-><\/span> get route ip 192.168.1.1\n Dest for 192.168.1.1\n--------------------------------------------------------------------------------------\ntrust-vr : =><\/span> 192.168.1.0\/24 (id=87) via 192.168.0.8 (vr: trust-vr)\n Interface ethernet0\/1 , metric 0<\/pre>\n<\/div>\nJuniper : Define IKE user\/group and External Group for XAuth via Radius<\/h3>\n
<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\nJuniper : set XAuth Defaults<\/h3>\n
<\/a><\/p>\nJuniper : Configure Phase 1<\/h3>\n
<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\nJuniper : Configure Phase 2<\/h3>\n
<\/a> <\/p>\n<\/a> <\/p>\nJuniper : Configure Policies<\/h3>\n
fw03-><\/span> set address VPNBuffer NetscreenRemoteUsers 192.168.99.0\/24\nfw03-><\/span> set address LAN Server1 192.168.0.6\/32\nfw03-><\/span> set address LAN Server2 192.168.1.8\/32<\/pre>\n<\/div>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a><\/p>\nClient : Configure Netscreen Remote<\/h3>\n
<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\nClient : Connect<\/h3>\n
<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n## 2009-01-22 21:41:12 : rad_parse() = rad_msg=0x02f50874{code=2, id=6, ...}\n## 2009-01-22 21:41:12 : RadiusRecv: checking j:socket 75, socipv6 -1, sock 75, j:rad_id 6, rad_msg-><\/span>id 6\n## 2009-01-22 21:41:12 : RadiusRecv: Breaking for sock 75\n## 2009-01-22 21:41:12 : is_resp_authenticator_valid: Valid Response authenticator\n## 2009-01-22 21:41:12 : RadiusRecv: data on socket 75 for aq_ent 0x428db94, state 0x2, curr_server 1, curr_active 1\n## 2009-01-22 21:41:12 : >>><\/span> rad_recv_auth(soc=3965916)\n## 2009-01-22 21:41:12 : rad_attr_store_groups:adding first Juniper.VPN.Users\n## 2009-01-22 21:41:12 : <<<<\/span> rad_recv_auth() = rad_auth_resp=0x043123b0{authed=1 priv=0 role=0 id=6}\n## 2009-01-22 21:41:12 : is_resp_authenticator_valid: Valid Response authenticator\n## 2009-01-22 21:41:12 : radius_recv_auth_resp: RESPONSE AUTH VALID (was a Accept)\n## 2009-01-22 21:41:12 : group_check_ok: ugx_name Juniper.VPN.Users, group_item_ptr 0x2c4f914, username corelan\\peter\n## 2009-01-22 21:41:12 : is_rad_group_in: compare Juniper.VPN.Users with Juniper.VPN.Users\n## 2009-01-22 21:41:12 : MATCHED<\/font><\/strong>\n## 2009-01-22 21:41:12 : group_check_ok: ext group Juniper.VPN.Users present\n## 2009-01-22 21:41:12 : radius_recv_auth_resp: auth 0x428db94, id 6, GROUP MATCHED have Juniper.VPN.Users\n## 2009-01-22 21:41:12 : radius_recv_auth_resp: auth 0x428db94, id 6, AUTHENTICATED\n## 2009-01-22 21:41:12 : rad_groups_free: freeing: next_item_ptr-><\/span>group_name Juniper.VPN.Users\n## 2009-01-22 21:41:12 : >>><\/span> RadiusRecv(aq_ent={un='corelan\\peter', fl=3, as_id=2, rt=0, rt1=0, rt2=0})\n## 2009-01-22 21:41:12 : <<<<\/span> RadiusRecv(aq_ent={rad_state=7}) = 1\n## 2009-01-22 21:41:12 : RadiusRecv: result 1\n## 2009-01-22 21:41:12 : get_auth_radius_clnt_session_id: entered<\/pre>\n<\/div>\nfw03-><\/span> get ike cookies \n\nIKEv1 SA -- Active: 1, Dead: 0, Total 1\n\n1097182f\/0006, 1.1.1.2:500-><\/span>1.1.1.1:500, PRESHR\/grp2\/AES128\/SHA, xchg(5) (IKE_NetscreenRemote\/grp7\/usr10)\nresent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 28484 cert-expire 0\nresponder, err cnt 0, send dir 1, cond 0x30\nnat-traversal map not available\nike heartbeat : disabled\nike heartbeat last rcv time: 0\nike heartbeat last snd time: 0\nXAUTH status: 100\nDPD seq local 0, peer 762132764\n\nIKEv2 SA -- Active: 0, Dead: 0, Total 0\n\nfw03-><\/span> get sa active\nTotal active sa: 1\ntotal configured sa: 2\nHEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys\n00008001<<\/span> 1.1.1.2 500 esp:a128\/sha1 a12260dd 3289 unlim A\/- -1 0\n00008001><\/span> 1.1.1.2 500 esp:a128\/sha1 1259e395 3289 unlim A\/- -1 0\n\nfw03-><\/span> get sa id 0x8001\nindex 2, name ESP_NetscreenRemote, peer gateway ip 1.1.1.2. vsys<<\/span>Root<\/span>><\/span>\nauto key. tunnel if binding node, tunnel mode, policy id in:<<\/span>-1<\/span>><\/span> out:<<\/span>-1<\/span>><\/span>\nid hash: ><\/span>00><\/span>ce><\/span>69><\/span>fb><\/span>fb><\/span>e3><\/span>2d><\/span>0e><\/span>76><\/span>44><\/span>4b><\/span>67><\/span>3c><\/span>9a><\/span>fa><\/span>0d><\/span>43><\/span>79><\/span>6d><\/span>b1\n vpngrp:<<\/span>-1<\/span>><\/span>. sa_list_nxt:<<\/span>8<\/span>><\/span>. parent_sa_id:<<\/span>8<\/span>><\/span>.\ntunnel id 32769, peer id 0, NSRP Local. dialup, dynamic member. site-to-site. Local interface is ethernet0\/2 <<\/span>1.1.1.1<\/span>><\/span>.\n esp, group 2, a128 encryption, sha1 authentication\n autokey, IN active, OUT active\n monitor<<\/span>0<\/span>><\/span>, latency: 0, availability: 0\n DF bit: clear\n app_sa_flags: 0x2400437\n proxy id: local 192.168.0.0\/255.255.0.0, remote 192.168.99.1\/255.255.255.255, proto 0, port 0\n ike activity timestamp: 887422404\n DSCP-mark : disabled\nnat-traversal map not available\nincoming: SPI a12260dd, flag 00004000, tunnel info 40008001, pipeline\n life 3600 sec, 3282 remain, 0 kb, 0 bytes remain\n anti-replay on, last 0x6, window 0x3f, idle timeout value <<\/span>0<\/span>><\/span>, idled 280 seconds\n next pak sequence number: 0x0\n bytes\/paks:360\/6; sw bytes\/paks:360\/6\noutgoing: SPI 1259e395, flag 00000000, tunnel info 40008001, pipeline\n life 3600 sec, 3282 remain, 0 kb, 0 bytes remain\n anti-replay on, last 0x0, window 0x0, idle timeout value <<\/span>0<\/span>><\/span>, idled 318 seconds\n next pak sequence number: 0x0\n bytes\/paks:0\/0; sw bytes\/paks:0\/0<\/pre>\n<\/div>\nfw03-><\/span> get xauth active\n\nGW Name Login Auth By GW IP Private IP Last Login Session Timeout Idle Timeout\nIKE_NetscreenRemote corelan\\peter AD Radius 1.1.1.2 192.168.99.1 255.255.255.255 2009-01-22 21:13:10 0 0 <\/pre>\n<\/div>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a><\/p>\n