[Vpn-help] Juniper SSG Commercial IPsec Gateway

Matthew Grooms mgrooms at shrew.net
Tue Dec 11 05:07:31 CST 2007


All,

As promised, I wanted to get some information out on the list regarding 
client interoperability with the Juniper product line. I'm not that 
familiar with the ScreenOS command line interface so the directions 
included will be for the web configuration interface. Although these 
instructions are based on my experience with the SSG product line, I 
hope they will translate well to Netscreen products as well.

First, you need to create a user that is used to define the phase1 id 
parameters. Navigate to the following screen using the tree pane on the 
left hand side of the browser interface ...

Objects
  \Users
   \Local

After clicking the new button, you will only need to define the 
following options ...

User Name - vpnclient_ph1id [ or as you see fit ]
Status - Enabled
IKE User - Checked
\Simple Identity - Selected
  IKE ID Type - AUTO
  IKE Identity - client.domain.com [ or as you see fit ]

Now that you have a phase1 id user defined, you will need to create a 
Local Group that can be assigned to an AutoKey Advanced Gateway. 
Navigate to the following screen ...

Objects
\Users
  \Local Groups

After clicking the new button, you will need to define the group name 
and add the phase1 id user as a member. We will call this group the 
vpnclient_group.

The next step will be to create an AutoKey Advanced Gateway to define 
the phase1 parameters. Navigate to the following screen ...

VPNs
\AutoKey Advanced
  \Gateway

After clicking the new button, you will need to define the following 
options ...

Gateway Name - vpnclient_gateway [ or as you see fit ]
Security Level - Custom [ defined in advanced ]
Remote Gateway Type - Dialup User Group
\Group - vpnclient_group [ phase1 id user as a member ]
Preshared Key - [ your phase1 preshared key ]
Local ID - vpngw.domain.com [ or as you see fit ]
--- advanced ---
Security Level - Custom
\Phase 1 Proposal #1 - pre-g2-3des-sha
  Phase 1 Proposal #2 - pre-g2-3des-md5
  Phase 1 Proposal #3 - pre-g2-aes128-sha
  Phase 1 Proposal #4 - pre-g2-aes128-md5
Enable NAT-Traversal - Checked
Peer Status Detection - DPD w/ defaults
--- Xauth ---
Xauth Server - Selected
\Allowed Authentication Type - Generic
  Local Authentication - Selected [ for simplicity's sake ]
  \Allow Any - Selected

Now that you have an AutoKey Advanced Gateway defined, you need to 
create an AutoKey IKE vpn definition that references the Advanced 
AutoKey gateway. Navigate to the following screen ...

VPNs
\AutoKey IKE

After clicking the new button, you will only need to define the 
following options ...

VPN Name - vpnclient_tunnel [ or as you see fit ]
Security Level - Custom [ defined in advanced ]
Remote Gateway Predefined - vpnclient_gateway [ AutoKey Advanced GW ]
--- advanced ---
Security Level - Custom
\Phase 2 Proposal #1 - nopfs-esp-3des-sha
  Phase 2 Proposal #2 - nopfs-esp-3des-md5
  Phase 2 Proposal #3 - nopfs-esp-aes128-sha
  Phase 2 Proposal #4 - nopfs-esp-aes128-md5
Replay Protection - Checked

Now you have your phase1 parameters defined in your AutoKey Advanced 
Gateway and the phase2 parameters defined in AutoKey IKE vpn. The next 
step is to define the client configuration parameters that will be sent 
during the configuration exchange. First, we need an ip address pool. 
Navigate to the following screen ...

Objects
\IP Pools

After clicking the new button, you will need to define the IP Pool Name 
and the start and end IP address. For example, you could define a pool 
named vpnclient with a start IP address of 10.2.21.1 and an end address 
of 10.2.21.254.

Next we need to go back and set the global AutoKey Advanced XAuth 
parameters. Navigate to the following screen ...

VPNs
\AutoKey Advanced
  \XAuth Settings

Now we can define the client configuration parameters. The following 
settings were used to test the Shrew Soft VPN Client ...

Reserve Private IP for XAuth User - 480 minutes
Default Authentication Server - Local
Query Client Settings on Default Server - Unchecked
CHAP - Unchecked
IP Pool Name - vpnclient [ or your ip pool name ]
DNS Primary Server IP - [ private DNS server address ]
DNS Secondary Server IP - [ private DNS secondary address ]
WINS Primary Server IP - [ private WINS server address ]
WINS Secondary Server IP - [ private WINS secondary address ]

The last step for the tunnel configuration is to define policies that 
allow protected traffic to pass into your private network from the 
client. For example, you could define the following policy to allow vpn 
client users access to a private network 10.3.0.0/16 that exists behind 
your Juniper gateway. Navigate to the following screen ...

Policies

To create a policy that allows users connecting from the internet to securely 
access your private network, first select From = Untrust and To = Trust 
from the options at the top of the page. After clicking the new 
button, you will need to define the following options ...

Name - vpnclient_inbound
Source Address
\Address Book Entry - Dial-UP VPN [ an object defined as 0.0.0.0/0 ]
Destination Address
\New Address - 10.3.0.0/16
Service - ANY [ or as you see fit ]
Application - None [ really means any ]
Action - Tunnel
Tunnel - vpnclient_tunnel [ AutoKey IKE vpn name ]

So now you have a remote access gateway configured. Your last step is to 
define the local user accounts that will be used during Xauth. Navigate 
to the following screen ...

Objects
\Users
  \Local

After clicking the new button, you will only need to define the 
following options ...

User Name - jblow [ the xauth user name ]
Status - Enable
XAuth User - Checked
\User Password - **** [ the xauth user password ]
  Confirm Password - **** [ the same user password ]

Alright, so now you're pretty much done. To create a connection using the 
Shrew Soft Client, you just add a new site configuration that uses the 
config push method. I have attached an exported configuration that could 
be used for our theoretical setup shown above. If anyone else with a 
Juniper gateway thinks I left something out of this email, please let us 
know by replying to this email :)

Hope this helps,

-Matthew
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: your.vpngw.com.vpn
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20071211/241024b2/attachment-0001.ksh>
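The post above lists its phase 1 and phase 2 proposals using the ScreenOS predefined naming scheme (pre-g2-3des-sha, nopfs-esp-aes128-md5, and so on). The following Python script is an added example, not part of the original post and not code from Juniper or Shrew Soft: it parses proposal names of that shape and reports the choices a practitioner would want to tighten before deploying the gateway, namely 3DES, MD5, DH group 2 and the nopfs phase 2 variants. The name structure is taken from the proposals shown above; the threshold of DH group 14 and the lists of weak ciphers and hashes are this example's own assumptions, as is the inclusion of the rsa/dsa and gN-esp variants.

```python
"""Audit ScreenOS-style IKE proposal names for weak algorithm choices.

Added example, not from the original post or from Juniper/Shrew Soft.
The proposal name formats follow the ones shown in the post; the
classification rules below are assumptions for illustration.
"""
import re

# Phase 1 names look like <auth>-g<dhgroup>-<cipher>-<hash>, e.g. pre-g2-3des-sha
PHASE1_RE = re.compile(
    r"^(?P<auth>pre|rsa|dsa)-g(?P<group>\d+)-(?P<cipher>[a-z0-9]+)-(?P<hash>[a-z0-9]+)$"
)
# Phase 2 names look like <pfs>-esp-<cipher>-<hash>, e.g. nopfs-esp-3des-sha
# or g2-esp-aes128-sha (the gN prefix means PFS with that DH group).
PHASE2_RE = re.compile(
    r"^(?P<pfs>nopfs|g\d+)-esp-(?P<cipher>[a-z0-9]+)-(?P<hash>[a-z0-9]+)$"
)

# Assumed policy: what counts as weak for this audit.
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}
MIN_DH_GROUP = 14  # assumption: anything below group 14 (2048-bit MODP) is flagged


def parse_proposal(name):
    """Return a dict describing the proposal, or raise ValueError if unparseable."""
    m = PHASE1_RE.match(name)
    if m:
        return {"phase": 1, "auth": m["auth"], "group": int(m["group"]),
                "cipher": m["cipher"], "hash": m["hash"], "pfs": True}
    m = PHASE2_RE.match(name)
    if m:
        pfs = m["pfs"]
        return {"phase": 2, "auth": None,
                "group": None if pfs == "nopfs" else int(pfs[1:]),
                "cipher": m["cipher"], "hash": m["hash"], "pfs": pfs != "nopfs"}
    raise ValueError(f"unrecognised proposal name: {name}")


def weaknesses(name):
    """List the weak choices in one proposal name; an empty list means nothing flagged."""
    p = parse_proposal(name)
    found = []
    if p["cipher"] in WEAK_CIPHERS:
        found.append(f"cipher {p['cipher']}")
    if p["hash"] in WEAK_HASHES:
        found.append(f"hash {p['hash']}")
    if p["phase"] == 2 and not p["pfs"]:
        found.append("no PFS")
    if p["group"] is not None and p["group"] < MIN_DH_GROUP:
        found.append(f"DH group {p['group']}")
    return found


def audit(proposals):
    """Map each proposal name to its list of weaknesses."""
    return {name: weaknesses(name) for name in proposals}


# The proposal lists exactly as they appear in the post above.
PHASE1_FROM_POST = ["pre-g2-3des-sha", "pre-g2-3des-md5",
                    "pre-g2-aes128-sha", "pre-g2-aes128-md5"]
PHASE2_FROM_POST = ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
                    "nopfs-esp-aes128-sha", "nopfs-esp-aes128-md5"]

if __name__ == "__main__":
    for name, issues in audit(PHASE1_FROM_POST + PHASE2_FROM_POST).items():
        print(f"{name:22s} {'OK' if not issues else ', '.join(issues)}")
```

Run as-is it prints one line per proposal from the post; every one of them is flagged for at least DH group 2 or the missing PFS, which is the point to keep in mind when reusing these settings today: they were chosen for interoperability testing, and a gateway deployed in production would be configured with a stronger single proposal on both the gateway and the client.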