
Re: [nn] L2TP Dialup

To: "Kai Krebber" <Kai.Krebber@krick.net>
Subject: Re: [nn] L2TP Dialup
From: "Jeffy Koh" <jeffy.koh@gmail.com>
Date: Wed, 7 Mar 2007 21:39:12 +0800
Cc: John Cameron <John.Cameron@brennanit.com.au>, nn@qorbit.net
Guys,
 
I managed to get it to work by using certificates, but the Internet connection must be direct. It will fail if there is a router or NAT in front of the Windows client. Useless technology...
 
regards,
Jeffy Koh

 
On 3/6/07, Kai Krebber <Kai.Krebber@krick.net> wrote:

Hi, John!

Found a PDF describing exactly what I was looking for. Only it doesn't work. If I set up the Windows client as described, it doesn't even try to start IKE negotiations. Instead I directly get an error 768 (faulty encryption) as soon as I hit the 'Connect' button.
I assume Windows doesn't know what certificates to use for the connection, and I don't find the part of the configuration where I can link the appropriate certificates to the VPN connection.

To make matters worse, I can't even ping the Netscreen (WAN) anymore. It looks like Windows is trying to negotiate IPsec already, although I'm not trying to use the VPN.

I know that this is gliding a bit off topic, since the problems seem to lie on the Windows side and not the Netscreen. I still hope somebody got those two up and running with L2TP over IPsec with certs and can help me out here.
Cheers,
       Kai

-----Original Message-----
From: John Cameron [mailto:John.Cameron@brennanit.com.au]
Sent: Tuesday, 6 March 2007 13:11
To: Kai Krebber; Badu Jack
Cc: nn@qorbit.net
Subject: RE: [nn] L2TP Dialup

I have seen that error before when I was setting up a remote VPN via the NS remote client.

The problem was the policy was not higher up in the order.

I remember reading how to set something up like that with Windows and certs at http://www.netscreenforum.com/ - Do a search. Then again it may have been somewhere else.

John

-----Original Message-----
From: nn-bounces@qorbit.net [mailto:nn-bounces@qorbit.net] On Behalf Of Kai Krebber
Sent: Tuesday, 6 March 2007 10:35 PM
To: Badu Jack
Cc: nn@qorbit.net
Subject: Re: [nn] L2TP Dialup

Hi!

Seems impossible to me. According to Netscreen Article KB6865, one has to use certificates with native WinXP, but I can't get it working. Although there are rumours of successful connections, I didn't find any step-by-step guide for both sides (NS and XP) using dynamic client IP and certs.
My Netscreen always complains:
Rejected an IKE packet ... because the peer sent a packet with a message ID before Phase 1 authentication was done.
My certs work fine with the NS remote client (i.e. the certs are not the problem).

So I assume Juniper boycotts the native XP capabilities to sell their client (please prove me wrong, anybody).

Cheers,
       Kai


-----Original Message-----
The second question is, is it possible to use WinXP for remote dialup to connect with the NS-5GT using IPsec and L2TP dialup protocols?

Cheers

_________________________________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn