We have a Juniper Secure Services Gateway 140 (a firewall), which is a
model that does not support the web based authentication and vpn
connection used at vpn.msu.edu. The software that Juniper offers is
Netscreen-Remote for the client (supported on Windows, and not the Mac).
Admittedly, the Juniper SSG 140 has good security protocols for the vpn,
and there are some nice pictures in the documentation. But the
documentation is voluminous and the numerous restrictions for what
options can be combined are not documented well. But the client
software is not well integrated with the secure gateway server. The
options for the different phases of negotiating the encryption for the
vpn tunnel are in very different places, and the names are not the same
between the server interface and the client configuration interface.
I can create a single user vpn that supports L2TP with IPsec and a
dynamic address (i.e. DHCP) on the client.
I can create a multiple user vpn that only works with a fixed address on
the client.
If I try to mix the two, the SSG 140 won't let me get past the Phase 1
negotiations. I looked through the documentation several times, and
searched the Juniper website, and the multiple user vpn with dynamic
address combination is not offered as an option.
Has anyone found a configuration that supports a dynamic address on the
client, a preshared key, a single IKE user account that permits multiple
logins, and extended authentication through LDAP to a Windows Active
Directory domain?
If you have done it with certificates, I would like to hear about that too.
If I get any responses, I can summarize to the list.
-Stefan
KBS Computer Services Helpdesk:
[log in to unmask]
269-671-2100 (from campus 199-2100)
Stefan Ozminski
Computer Services
W.K. Kellogg Biological Station
Michigan State University
3700 E. Gull Lake Dr.
Hickory Corners, MI 49060
Phone: 269-671-4427 (from campus 199-4427)
[log in to unmask]
|