[Vpn-help] Juniper SSG Commercial IPsec Gateway
Matthew Grooms
mgrooms at shrew.net
Tue Dec 11 05:07:31 CST 2007
All,
As promised, I wanted to get some information out on the list regarding
client interoperability with the Juniper product line. I'm not that
familiar with the ScreenOS command line interface, so the directions
included will be for the web configuration interface. Although these
instructions are based on my experience with the SSG product line, I
hope they will translate to Netscreen products as well.
First, you need to create a user that is used to define the phase1 id
parameters. Navigate to the following screen using the tree pane on the
left hand side of the browser interface ...
Objects
\Users
\Local
After clicking the new button, you will only need to define the
following options ...
User Name - vpnclient_ph1id [ or as you see fit ]
Status - Enabled
IKE User - Checked
\Simple Identity - Selected
IKE ID Type - AUTO
IKE Identity - client.domain.com [ or as you see fit ]
Now that you have a phase1 id user defined, you will need to create a
Local Group that can be assigned to an AutoKey Advanced Gateway.
Navigate to the following screen ...
Objects
\Users
\Local Groups
After clicking the new button, you will need to define the group name
and add the phase1 id user as a member. We will call this group the
vpnclient_group.
The next step will be to create an AutoKey Advanced Gateway to define
the phase1 parameters. Navigate to the following screen ...
VPNs
\AutoKey Advanced
\Gateway
After clicking the new button, you will need to define the following
options ...
Gateway Name - vpnclient_gateway [ or as you see fit ]
Security Level - Custom [ defined in advanced ]
Remote Gateway Type - Dialup User Group
\Group - vpnclient_group [ phase1 id user as a member ]
Preshared Key - [ your phase1 preshared key ]
Local ID - vpngw.domain.com [ or as you see fit ]
--- advanced ---
Security Level - Custom
\Phase 1 Proposal #1 - pre-g2-3des-sha
Phase 1 Proposal #2 - pre-g2-3des-md5
Phase 1 Proposal #3 - pre-g2-aes128-sha
Phase 1 Proposal #4 - pre-g2-aes128-md5
Enable NAT-Traversal - Checked
Peer Status Detection - DPD w/ defaults
--- Xauth ---
Xauth Server - Selected
\Allowed Authentication Type - Generic
Local Authentication - Selected [ for simplicity's sake ]
\Allow Any - Selected
Now that you have an AutoKey Advanced Gateway defined, you need to
create an AutoKey IKE vpn definition that references the Advanced
AutoKey gateway. Navigate to the following screen ...
VPNs
\AutoKey IKE
After clicking the new button, you will only need to define the
following options ...
VPN Name - vpnclient_tunnel [ or as you see fit ]
Security Level - Custom [ defined in advanced ]
Remote Gateway Predefined - vpnclient_gateway [ AutoKey Advanced GW ]
--- advanced ---
Security Level - Custom
\Phase 2 Proposal #1 - nopfs-esp-3des-sha
Phase 2 Proposal #2 - nopfs-esp-3des-md5
Phase 2 Proposal #3 - nopfs-esp-aes128-sha
Phase 2 Proposal #4 - nopfs-esp-aes128-md5
Replay Protection - Checked
Now you have your phase1 parameters defined in your AutoKey Advanced
Gateway and the phase2 parameters defined in AutoKey IKE vpn. The next
step is to define the client configuration parameters that will be sent
during the configuration exchange. First, we need an ip address pool.
Navigate to the following screen ...
Objects
\IP Pools
After clicking the new button, you will need to define the IP Pool Name
and the start and end IP addresses. For example, you could define a pool
named vpnclient with a start IP address of 10.2.21.1 and an end address
of 10.2.21.254.
Next we need to go back and set the global AutoKey Advanced XAuth
parameters. Navigate to the following screen ...
VPNs
\AutoKey Advanced
\XAuth Settings
Now we can define the client configuration parameters. The following
settings were used to test the Shrew Soft VPN Client ...
Reserve Private IP for XAuth User - 480 minutes
Default Authentication Server - Local
Query Client Settings on Default Server - Unchecked
CHAP - Unchecked
IP Pool Name - vpnclient [ or your ip pool name ]
DNS Primary Server IP - [ private DNS server address ]
DNS Secondary Server IP - [ private DNS secondary address ]
WINS Primary Server IP - [ private WINS server address ]
WINS Secondary Server IP - [ private WINS secondary address ]
The last step for the tunnel configuration is to define policies that
allow protected traffic to pass into your private network from the
client. For example, you could define the following policy to allow vpn
client users access to a private network 10.3.0.0/16 that exists behind
your Juniper gateway. Navigate to the following screen ...
Policies
To create a policy that allows users connecting from the internet to
securely access your private network, first select From = Untrust and
To = Trust from the options at the top of the page. After clicking the
new button, you will need to define the following options ...
Name - vpnclient_inbound
Source Address
\Address Book Entry - Dial-UP VPN [ an object defined as 0.0.0.0/0 ]
Destination Address
\New Address - 10.3.0.0/16
Service - ANY [ or as you see fit ]
Application - None [ really means any ]
Action - Tunnel
Tunnel - vpnclient_tunnel [ AutoKey IKE vpn name ]
So now you have a remote access gateway configured. Your last step is to
define the local user accounts that will be used during Xauth. Navigate
to the following screen ...
Objects
\Users
\Local
After clicking the new button, you will only need to define the
following options ...
User Name - jblow [ the xauth user name ]
Status - Enabled
XAuth User - Checked
\User Password - **** [ the xauth user password ]
Confirm Password - **** [ the same user password ]
Alright, so now you're pretty much done. To create a connection using the
Shrew Soft Client, you just add a new site configuration that uses the
config push method. I have attached an exported configuration that could
be used for our theoretical setup shown above. If anyone else with a
Juniper gateway thinks I left something out of this email, please let us
know by replying to this email :)
Hope this helps,
-Matthew
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: your.vpngw.com.vpn
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20071211/241024b2/attachment-0001.ksh>
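The eight Phase 1 and Phase 2 proposal names in the post above encode the whole IKE/IPsec cipher suite (authentication method, DH or PFS group, cipher, integrity algorithm). The following script is an added example, not part of Matthew's post and not code from Shrew Soft or Juniper: it decodes those names, flags the parameters a current deployment should no longer accept (3DES, HMAC-MD5, DH group 2, Phase 2 without PFS; all of these were normal choices in 2007), and orders each list so the strongest proposal sits in slot #1 on the gateway. The eight names are taken from the post; the naming grammar beyond them (other auth methods, other groups, AH, NULL) is an assumption generalised from those names, so check the drop-down on your own ScreenOS release for which names it actually offers. Which proposal is finally negotiated also depends on the client's own list and order, so the same audit is worth running against the client side.

```python
# Added example (not from the original post, Shrew Soft or Juniper):
# decode ScreenOS predefined IKE proposal names, flag weak parameters,
# and order a proposal list strongest-first.
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the Phase 1 and Phase 2 lists from the post above.
PHASE1_PROPOSALS = [
    "pre-g2-3des-sha", "pre-g2-3des-md5", "pre-g2-aes128-sha", "pre-g2-aes128-md5",
]
PHASE2_PROPOSALS = [
    "nopfs-esp-3des-sha", "nopfs-esp-3des-md5", "nopfs-esp-aes128-sha", "nopfs-esp-aes128-md5",
]

# Naming grammar (assumption generalised from the eight names on the page):
#   Phase 1:  <auth>-g<dh>-<cipher>-<hash>          e.g. pre-g2-aes128-sha
#   Phase 2:  <g<pfs>|nopfs>-<esp|ah>-<cipher>-<hash> e.g. nopfs-esp-aes128-sha
_P1 = re.compile(r"^(pre|rsa|dsa)-g(\d+)-(des|3des|aes128|aes192|aes256)-(md5|sha)$")
_P2 = re.compile(r"^(nopfs|g\d+)-(esp|ah)-(des|3des|aes128|aes192|aes256|null)-(md5|sha)$")


@dataclass(frozen=True)
class Proposal:
    name: str
    phase: int
    auth: Optional[str]       # Phase 1 authentication method; None for Phase 2
    dh_group: Optional[int]   # Phase 1 DH group, or Phase 2 PFS group (None = no PFS)
    protocol: Optional[str]   # Phase 2 protocol (esp/ah); None for Phase 1
    cipher: str
    integrity: str


def parse_proposal(name: str) -> Proposal:
    """Decode a ScreenOS proposal name into its components."""
    m = _P1.match(name)
    if m:
        auth, dh, cipher, integrity = m.groups()
        return Proposal(name, 1, auth, int(dh), None, cipher, integrity)
    m = _P2.match(name)
    if m:
        pfs, proto, cipher, integrity = m.groups()
        group = None if pfs == "nopfs" else int(pfs[1:])
        return Proposal(name, 2, None, group, proto, cipher, integrity)
    raise ValueError(f"not a recognised ScreenOS proposal name: {name!r}")


def is_screenos_proposal(name: str) -> bool:
    try:
        parse_proposal(name)
        return True
    except ValueError:
        return False


def weaknesses(p: Proposal) -> list[str]:
    """Parameters of a proposal that a current deployment should not accept."""
    issues: list[str] = []
    if p.cipher == "des":
        issues.append("single DES (56-bit key)")
    elif p.cipher == "3des":
        issues.append("3DES (64-bit block cipher)")
    elif p.cipher == "null":
        issues.append("NULL cipher (no confidentiality)")
    if p.integrity == "md5":
        issues.append("HMAC-MD5")
    if p.dh_group is not None and p.dh_group <= 2:
        issues.append(f"DH group {p.dh_group} (1024-bit MODP or smaller)")
    if p.phase == 2 and p.dh_group is None:
        issues.append("no PFS (Phase 2 keys derived from the Phase 1 secret only)")
    if p.protocol == "ah":
        issues.append("AH (integrity only, no encryption)")
    return issues


def audit(names: list[str]) -> dict[str, list[str]]:
    return {n: weaknesses(parse_proposal(n)) for n in names}


def preferred_order(names: list[str]) -> list[str]:
    """Stable sort: fewest flagged parameters first, so the entry that ends up
    in Proposal #1 on the gateway is the strongest one in the list."""
    return sorted(names, key=lambda n: len(weaknesses(parse_proposal(n))))


def report(names: list[str]) -> str:
    findings = audit(names)
    return "\n".join(
        f"{n:<22} {'OK' if not findings[n] else '; '.join(findings[n])}"
        for n in preferred_order(names)
    )


if __name__ == "__main__":
    print("Phase 1 (AutoKey Advanced Gateway):")
    print(report(PHASE1_PROPOSALS))
    print("Phase 2 (AutoKey IKE):")
    print(report(PHASE2_PROPOSALS))
```

Run against the post's lists, every proposal is flagged at least once, because all four Phase 1 entries use DH group 2 and all four Phase 2 entries are nopfs; the AES-128/SHA entries come out first in each list and the 3DES/MD5 entries last.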