I love the capabilities of Juniper devices, but configuration on them is second only to Cisco equipment as far as difficulty goes. I had a lot of luck working with their support team – the agent I talked to was more than happy to not only walk me through the configuration of the SSG to support Netscreen, but also to give me a hand with testing it and making sure everything functioned the way I needed it to.

----
Jack Kramer
Computer Systems Specialist
University Relations, Michigan State University
w: 517-884-1231 / c: 248-635-4955

> From: Stefan Ozminski <[log in to unmask]>
> Reply-To: Stefan Ozminski <[log in to unmask]>
> Date: Wed, 14 Oct 2009 19:57:48 -0400
> To: "[log in to unmask]" <[log in to unmask]>
> Subject: [MSUNAG] Juniper SSG 140 configuration with LDAP authentication (Active Directory)
>
> We have a Juniper Secure Services Gateway 140 (a firewall), which is a model that does not support the web based authentication and vpn connection used at vpn.msu.edu. The software that Juniper offers is Netscreen-Remote for the client (supported on Windows, and not the Mac).
>
> Admittedly, the Juniper SSG 140 has good security protocols for the vpn, and there are some nice pictures in the documentation. But the documentation is voluminous and the numerous restrictions for what options can be combined are not documented well. But the client software is not well integrated with the secure gateway server. The options for the different phases of negotiating the encryption for the vpn tunnel are in very different places, and the names are not the same between the server interface and the client configuration interface.
>
> I can create a single user vpn that supports L2TP with IPsec and a dynamic address (i.e. DHCP) on the client.
>
> I can create a multiple user vpn that only works with a fixed address on the client.
>
> If I try to mix the two, the SSG 140 won't let me get past the Phase 1 negotiations. I looked through the documentation several times, and searched the Juniper website, and the multiple user vpn with dynamic address combination is not offered as an option.
>
> Has anyone found a configuration that supports a dynamic address on the client, a preshared key, a single IKE user account that permits multiple logins, and extended authentication through LDAP to a Windows Active Directory domain?
>
> If you have done it with certificates, I would like to hear about that too.
>
> If I get any responses, I can summarize to the list.
>
> -Stefan
>
> KBS Computer Services Helpdesk:
> [log in to unmask]
> 269-671-2100 (from campus 199-2100)
>
> Stefan Ozminski
> Computer Services
> W.K. Kellogg Biological Station
> Michigan State University
> 3700 E. Gull Lake Dr.
> Hickory Corners, MI 49060
> Phone: 269-671-4427 (from campus 199-4427)
> [log in to unmask]