Wednesday, May 8, 2013

Site-to-Site VPN Configuration using Juniper SSG140


[ScreenOS] How do I create a Policy Based LAN to LAN VPN using Preshared Keys (ScreenOS 6.0 and later)


SUMMARY:
Policy-based VPN - Both Sides have Static IPs using Pre-shared Keys in ScreenOS 6.x
PROBLEM OR GOAL:
Environment:
  • Preshared secrets
  • Policy Based VPN
  • Static IP Addresses on both gateways of VPN
CAUSE:

SOLUTION:
This example assumes static IP addresses are assigned on both VPN devices in the VPN tunnel.  
The preshared secret used is netscreen.  
The matrix below shows the proposals used in this example:

[network drawing]

  Site                      A                         B
  Untrust IP of Firewall    1.1.1.1 (eth0/0)          2.2.2.1 (eth0/0)
  Trust Network             10.1.1.0/24               172.16.10.0/24
  Phase 1 Proposal          pre-g2-3des-sha           pre-g2-3des-sha
  Phase 2 Proposal          g2-esp-3des-sha           g2-esp-3des-sha

Instructions via the WebUI and CLI are provided below.

WebUI - Site A:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site B GW
    2. Remote Gateway: Click Static, and enter IP address 2.2.2.1
    3. Click Advanced
    4. Preshared Key: netscreen
    5. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
    6. Security Level, User-defined:  Select Custom, and select Phase 1 Proposal:  pre-g2-3des-sha
    7. Mode (Initiator): Main
    8. Click Return
    9. Click OK
  3. Click VPNs > Autokey IKE
  4. Click New
    1. VPN Name: Site B VPN
    2. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
    3. Click Advanced
    4. Security Level, User Defined:  Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
    5. Click VPN Monitor  (recommended)
    6. Click Optimized  (recommended)
    7. Click Rekey  (recommended)
    8. Click Return
    9. Click OK (Important)
  5. Click Policy > Policies
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 10.1.1.0/24
    2. Destination Address: Click New Address, and enter 172.16.10.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site B VPN
    6. Check Modify matching bidirectional VPN policy
    7. Position at Top: Enabled
    8. Click Ok

WebUI - Site B:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site A GW
    2. Remote Gateway: Click Static, and enter IP address 1.1.1.1
    3. Click Advanced
    4. Preshared Key: netscreen
    5. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
    6. Security Level, User-defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
    7. Mode (Initiator): Main
    8. Click Return
    9. Click OK
  3. Click VPNs > Autokey IKE
  4. Click New
    1. VPN Name: Site A VPN
    2. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
    3. Click Advanced
    4. Security Level, User Defined:  Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
    5. Click VPN Monitor  (recommended)
    6. Click Optimized  (recommended)
    7. Click Rekey  (recommended)
    8. Click Return
    9. Click OK (Important)
  5. Click Policy > Policies
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 172.16.10.0/24
    2. Destination Address: Click New Address, and enter 10.1.1.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site A VPN
    6. Check Modify matching bidirectional VPN policy
    7. Position at Top: Enabled
    8. Click Ok

CLI - Site A:

  1. Set interfaces:
    set interface e1/1 zone trust
    set interface e1/1 ip 10.1.1.1/24
    set interface e1/1 nat
    set interface e1/2 zone untrust
    set interface e1/2 ip 1.1.1.1/24

  2. Create address book entries:
    set address Trust "10.1.1.0/24" 10.1.1.0/24
    set address Untrust "172.16.10.0/24" 172.16.10.0/24

  3. Create a preshared key VPN:
    set ike gateway "site B GW" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
    set vpn "site B VPN" gateway "site B GW" proposal "g2-esp-3des-sha"
    set vpn "site B VPN" monitor optimized rekey

  4. Create policies (each policy names its mirror with pair-policy, so the source and destination of policy 2 are the reverse of policy 1):
    set policy id 1 top from trust to untrust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site B VPN" pair-policy 2
    set policy id 2 top from untrust to trust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site B VPN" pair-policy 1
    save

CLI - Site B:

  1. Set interfaces:
    set interface e1/1 zone trust
    set interface e1/1 ip 172.16.10.1/24
    set interface e1/1 nat
    set interface e1/2 zone untrust
    set interface e1/2 ip 2.2.2.1/24

  2. Create address book entries:
    set address trust "172.16.10.0/24" 172.16.10.0/24
    set address untrust "10.1.1.0/24" 10.1.1.0/24

  3. Create a preshared key VPN:
    set ike gateway "site A GW" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
    set vpn "site A VPN" gateway "site A GW" proposal "g2-esp-3des-sha"
    set vpn "site A VPN" monitor optimized rekey

  4. Create policies:
    set policy id 1 top from trust to untrust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site A VPN" pair-policy 2
    set policy id 2 top from untrust to trust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site A VPN" pair-policy 1
    save
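The two CLI configurations above only work because they mirror each other exactly: the address Site A's IKE gateway points at must be Site B's untrust interface address (and vice versa), the preshared key and both proposals must be identical on both devices, each side's trust-to-untrust tunnel policy must carry the reverse of the other side's source and destination networks, and the two pair-policy entries on each device must reference each other. The following Python script is an added example, not part of the original article or of ScreenOS itself: it parses the relevant subset of the page's own "set" commands (embedded here as constructed sample input) and reports any inconsistency between the two sites. A second, deliberately constructed Site B variant with a mistyped untrust address shows what a mismatch looks like.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SiteConfig:
    name: str
    zones: dict = field(default_factory=dict)     # interface -> zone
    ips: dict = field(default_factory=dict)       # interface -> ip/prefix
    gateway: dict = field(default_factory=dict)   # from "set ike gateway ..."
    vpn: dict = field(default_factory=dict)       # from "set vpn ... proposal ..."
    policies: dict = field(default_factory=dict)  # policy id -> fields

    def untrust_ip(self):
        # Address (without prefix) of the interface bound to the untrust zone.
        for ifname, zone in self.zones.items():
            if zone.lower() == "untrust":
                return self.ips.get(ifname, "").split("/")[0]
        return ""


def parse_site(name, text):
    """Parse the subset of ScreenOS 'set' commands that a policy-based VPN needs."""
    cfg = SiteConfig(name)
    for line in text.strip().splitlines():
        line = line.strip()
        if m := re.match(r'set interface (\S+) zone (\S+)$', line):
            cfg.zones[m[1]] = m[2]
        elif m := re.match(r'set interface (\S+) ip (\S+)$', line):
            cfg.ips[m[1]] = m[2]
        elif m := re.match(r'set ike gateway "([^"]+)" address (\S+) (main|aggressive) '
                           r'outgoing-interface (\S+) preshare (\S+) proposal (\S+)$', line):
            cfg.gateway = dict(name=m[1], peer=m[2], mode=m[3], outgoing=m[4], psk=m[5], p1=m[6])
        elif m := re.match(r'set vpn "([^"]+)" gateway "([^"]+)" proposal "([^"]+)"$', line):
            cfg.vpn = dict(name=m[1], gateway=m[2], p2=m[3])
        elif m := re.match(r'set policy id (\d+) top from (\S+) to (\S+) "([^"]+)" "([^"]+)" '
                           r'(\S+) tunnel vpn "([^"]+)" pair-policy (\d+)$', line):
            cfg.policies[int(m[1])] = dict(src_zone=m[2].lower(), dst_zone=m[3].lower(), src=m[4],
                                           dst=m[5], service=m[6], vpn=m[7], pair=int(m[8]))
    return cfg


def _outbound(cfg):
    # The trust->untrust tunnel policy: its source is the local LAN, its destination the remote LAN.
    return next((p for p in cfg.policies.values()
                 if (p["src_zone"], p["dst_zone"]) == ("trust", "untrust")), None)


def check_site(cfg):
    """Checks within one device: gateway/vpn wiring and reciprocal pair-policy entries."""
    out = []
    if cfg.zones.get(cfg.gateway.get("outgoing"), "").lower() != "untrust":
        out.append(f"{cfg.name}: gateway outgoing-interface is not in the untrust zone")
    if cfg.vpn.get("gateway") != cfg.gateway.get("name"):
        out.append(f"{cfg.name}: vpn references gateway {cfg.vpn.get('gateway')!r}, not {cfg.gateway.get('name')!r}")
    for pid, pol in cfg.policies.items():
        twin = cfg.policies.get(pol["pair"])
        if twin is None or twin["pair"] != pid:
            out.append(f"{cfg.name}: policy {pid} pair-policy {pol['pair']} is not reciprocated")
        elif (twin["src"], twin["dst"]) != (pol["dst"], pol["src"]):
            out.append(f"{cfg.name}: policies {pid} and {pol['pair']} do not mirror each other's addresses")
        if pol["vpn"] != cfg.vpn.get("name"):
            out.append(f"{cfg.name}: policy {pid} uses unknown vpn {pol['vpn']!r}")
    return out


def check_pair(a, b):
    """Cross-site checks: what one side calls remote must be what the other side calls local."""
    out = check_site(a) + check_site(b)
    for local, remote in ((a, b), (b, a)):
        if local.gateway.get("peer") != remote.untrust_ip():
            out.append(f"{local.name}: gateway address {local.gateway.get('peer')} "
                       f"!= {remote.name} untrust IP {remote.untrust_ip()}")
        lp, rp = _outbound(local), _outbound(remote)
        if lp and rp and (lp["src"], lp["dst"]) != (rp["dst"], rp["src"]):
            out.append(f"{local.name}: tunnel policy networks are not the mirror of {remote.name}'s")
    for label, key, side in (("preshared keys", "psk", "gateway"), ("Phase 1 proposals", "p1", "gateway"),
                             ("Phase 2 proposals", "p2", "vpn")):
        if getattr(a, side).get(key) != getattr(b, side).get(key):
            out.append(f"{label} differ")
    return out


# Constructed sample input: the relevant CLI commands from the procedure above, one per line.
SITE_A = """
set interface e1/2 zone untrust
set interface e1/2 ip 1.1.1.1/24
set ike gateway "site B GW" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site B VPN" gateway "site B GW" proposal "g2-esp-3des-sha"
set policy id 1 top from trust to untrust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site B VPN" pair-policy 2
set policy id 2 top from untrust to trust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site B VPN" pair-policy 1
"""
SITE_B = """
set interface e1/2 zone untrust
set interface e1/2 ip 2.2.2.1/24
set ike gateway "site A GW" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site A VPN" gateway "site A GW" proposal "g2-esp-3des-sha"
set policy id 1 top from trust to untrust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site A VPN" pair-policy 2
set policy id 2 top from untrust to trust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site A VPN" pair-policy 1
"""
# Constructed variant: Site B's untrust address mistyped, so Site A's gateway points at an address nobody answers on.
SITE_B_MISTYPED = SITE_B.replace("ip 2.2.2.1/24", "ip 2.2.2.2/24")

if __name__ == "__main__":
    for label, text in (("consistent pair", SITE_B), ("mistyped Site B", SITE_B_MISTYPED)):
        print(label, "->", check_pair(parse_site("Site A", SITE_A), parse_site("Site B", text)) or "OK")
```

Paste each device's "get config" output (or the commands from the steps above) into the two strings; anything the parser does not recognise, such as "set address" or "monitor optimized rekey", is ignored, and the check only speaks up when the two halves of the tunnel disagree.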
Note: Configuration examples in the technical documentation:

ScreenOS Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks

Chapter 4 -- Site-to-Site Virtual Private Networks
  “Policy-Based Site-to-Site VPN, AutoKey IKE” Example
  “Policy-Based Site-to-Site VPN, Dynamic Peer” Example
  “Policy-Based Site-to-Site VPN, Manual Key” Example
  “Transparent Mode VPN” Example

2 comments:

  1. Hence, it can be said that most of the social networking sites take the help of the VPN providers to attain more security and the Twitter account can be unblocked with the help of this network. Best free vpn
  2. There are too many environments and moments where you need a VPN, but to make some understanding of VPN usage, I will explain the most common reasons where many people are using it daily.

    Reason Where You Need a VPN