How to configure a Juniper Firewall to allow VPN traffic through. Customer has multiple VPN clients on the Trust side and needs to access a VPN gateway on the Untrust side. The VPN gateway does not support IPsec NAT-Traversal and expects the IKE packets to be sent without port translation.
Problem or Goal:
A user on the inside (Trust) side of a Juniper Firewall has an IPsec VPN client and needs to establish a VPN to a peer on the public (Untrust) side, but the tunnel is not establishing.
When IPsec traffic passes through the Juniper Firewall with NAT enabled (for example, the Trust interface in NAT mode), the source address of the IKE packet is translated to the Untrust interface address and, because many clients share that one address, the UDP source port 500 is translated as well (port address translation). This is a problem when the peer is an older device: some older devices that implement draft-0 expect both the source and destination ports to be UDP 500, so a packet whose source port has been translated is not recognized as IKE by the peer and the tunnel never comes up. There therefore needs to be a way to pass this IPsec traffic through while translating only the source address and leaving the IKE source port at UDP 500.
ScreenOS 5.2 and greater ------------------------------------
Starting with ScreenOS version 5.2, ScreenOS has an Application Layer Gateway (ALG) that allows IPsec pass-through packets to be translated without port translation and without using a MIP (Mapped IP), which was the workaround for ScreenOS 5.1 and below.
To enable IPsec pass-through without a MIP, use the predefined service "IKE-NAT" in the policy. Matching this service triggers the IPsec pass-through ALG: the IKE packets are still translated to the Untrust interface IP address, but the IKE source port (UDP 500) is preserved.
Here is an example: Suppose you have a client on the Trust side which needs to connect to the VPN gateway on the Untrust side. Enable a Trust to Untrust policy with IKE-NAT as the service. Make sure that you position this policy at the top :
set policy from trust to untrust any any IKE-NAT permit
Below that, add another permit policy for the ESP traffic by creating a custom service for ESP (IP protocol 50, which has no ports). For details on how to create a custom service via the WebUI, see the following KB article: KB4220
Once the IKE SA is established, the ESP session is created through the ALG function: all of the corresponding ESP packets are passed by a child session that uses the IKE-NAT ALG session as its parent session, so no separate NAT mapping for ESP is needed.
Note that this only works when both the source and destination ports of the IKE packets are UDP 500. If either the source or the destination port is not UDP 500, the IKE-NAT service is not matched, the ALG is not triggered, and the only workaround is to use a MIP as stated below.
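The complete ScreenOS 5.2+ configuration for the procedure above (NAT-mode Trust interface, IKE-NAT policy on top, custom ESP service and policy below it), as an added example that is not part of the original KB article. Interface and zone names (ethernet1/ethernet3, trust/untrust), the addresses, and the custom service name "ESP-pass" are assumptions for the example; the lines beginning with # are explanatory comments, not ScreenOS CLI syntax, and must not be pasted into the device.

```screenos
# Added example, not from the original KB. Names and addresses are assumed.

# Trust interface in NAT mode: outbound sources are translated to the Untrust IP.
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.1/24

# Custom service for ESP (IP protocol 50). ESP carries no ports, but a
# protocol-number service still takes a port range, so use the full range.
set service "ESP-pass" protocol 50 src-port 0-65535 dst-port 0-65535

# 1. IKE-NAT policy. "top" places it above every existing Trust->Untrust policy,
#    so UDP 500 -> UDP 500 packets hit it first and trigger the pass-through ALG
#    (source IP translated to the Untrust IP, source port 500 kept).
set policy top from "Trust" to "Untrust" "Any" "Any" "IKE-NAT" permit

# 2. ESP policy below it. Once the IKE SA is up, the ALG creates the ESP child
#    session under the IKE-NAT parent session; this policy permits it.
set policy from "Trust" to "Untrust" "Any" "Any" "ESP-pass" permit

# Ordering pitfall: a general permit-all policy placed ABOVE the IKE-NAT policy
# matches the IKE packets first, and its ordinary NAT translates the source
# port, so the ALG is never triggered and the old peer rejects the packet.
# The following order is WRONG (first matching policy wins):
#   set policy from "Trust" to "Untrust" "Any" "Any" "ANY" permit
#   set policy from "Trust" to "Untrust" "Any" "Any" "IKE-NAT" permit

# Verification: confirm the IKE-NAT policy is listed first, then watch a
# client's sessions (10.1.1.50 is an assumed client address) for the
# UDP 500 session and its ESP child session after the client connects.
get policy from trust to untrust
get session src-ip 10.1.1.50
```

When checking the session table, the IKE session should show the translated source address but an untranslated source port of 500; if the port shown differs from 500, the packet matched a policy other than the IKE-NAT one, or the client is sending IKE from a port other than 500 (for example NAT-T on UDP 4500), in which case the IKE-NAT service cannot match and the MIP method below applies.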
ScreenOS 5.1 and below ------------------------------------
For ScreenOS versions below 5.2, this is accomplished through the creation of a MIP (Mapped IP) on the Untrust interface, which maps a dedicated Untrust address to the client so that no port translation takes place. See KB4715, which outlines how this is done in ScreenOS versions prior to 5.2. Also see KB4656, which shows the requirements for accomplishing this using L2TP over IPsec (also pre-ScreenOS 5.2):