Configuring an L2TP Connection on the Remote Side
Knowledge Base ID: KB4095
Version: 6.0
Published: 07 Oct 2008
Updated: 07 Oct 2008
Categories: Firewall/IPSec_VPN, L2TP, NS_Remote_Security, NS_Remote_VPN_Client, ScreenOS

Synopsis:
Configuring an L2TP Connection on the Remote Side

Solution:

Note: This article applies to ScreenOS 5.0 and above and NetScreen-Remote 7.x and higher.
To configure an L2TP connection on the NetScreen-Remote side, perform the following steps:
Step one: From the Start menu, click Programs, click NetScreen-Remote, and then click to select Security Policy Editor.

Note: With newer versions of NetScreen-Remote, the start menu may be Juniper Networks > NetScreen-Remote.

Image of step one

Step two: From the Security Policy Editor, click the Add a new connection icon.

Image of step two

Step three: Enter a name for your new connection.

Note: For this example, we used the default name New Connection.

Image of step three

Step four: From Remote Party Identity and Addressing, in the ID Type drop-down menu, click to select IP Address.

Image of step four

Step five: Enter the Untrust Interface IP Address of the Juniper Firewall you are trying to reach.

Note: For this example, we used 1.1.1.1 as the Untrust interface IP address.

Image of step five

Step six: From the Protocol drop-down menu, click to select UDP. From the Port drop-down menu, click to select L2TP.

Image of step six

Step seven: Click the + to expand New Connection.

Image of step seven

Step eight: Click My Identity, and then from the Select Certificate drop-down menu, click to select None.

Image of step eight

Step nine: Click Pre-Shared Key.

Image of step nine

Step ten: Click Enter Key, and then enter the Pre-Shared Key.

Note: The Pre-Shared Key will need to match the one configured on the Firewall device for this connection.

Image of step ten and eleven

Step eleven: Click OK.

Step twelve: Click Security Policy, and then click to select Aggressive Mode.

Image of step twelve

Step thirteen: Click My Identity.

Image of step thirteen

Step fourteen: From the ID Type drop-down menu, click to select E-mail Address.

Image of step fourteen and fifteen

Step fifteen: Enter the email address corresponding to the ID.

Note: For this example, we have used jdoe@netscreen.com. This is the IKE user's simple identity, not their login username. The E-mail Address value can be a username or an actual email address; either way, it must match the settings on the Juniper Firewall.

Step sixteen: Click the + to expand Security Policy.

Image of step sixteen

Step seventeen: Click the + to expand Authentication (Phase 1).

Image of step seventeen and eighteen

Step eighteen: Click to select Proposal 1.

Step nineteen: From the Encrypt Alg drop-down menu, click to select the encryption algorithm. From the Hash Alg drop-down menu, click to select the authentication (hash) algorithm.

Note: For this example, we have used DES for Encrypt Alg and SHA-1 for Hash Alg.

Image of step nineteen and twenty

Step twenty: From the Key Group drop-down menu, click to select Diffie-Hellman Group 2.

Step twenty-one: Click the + to expand Key Exchange (Phase 2).

Image of step twenty-one and twenty-two

Step twenty-two: Click Proposal 1.

Step twenty-three: From the Encrypt Alg drop-down menu, click to select the encryption algorithm. From the Hash Alg drop-down menu, click to select the authentication (hash) algorithm.

Note: For this example, we have used DES for Encrypt Alg and SHA-1 for Hash Alg.

Image of step twenty-three and twenty-four

Step twenty-four: In the Encapsulation drop-down menu, click to select Transport.

Step twenty-five: From the Security Policy Editor dialog box, click File, and then click Save.

Image of step twenty-five

Warning: You will now need to make a connection. For more information on making a connection, see Making an L2TP Connection from Windows 2000/XP.
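Several of the notes above stress that the client settings (pre-shared key, IKE identity, Phase 1 and Phase 2 proposals, encapsulation) must match what is configured on the firewall, and the article's stated purpose is troubleshooting. The following is an added example, not code from the Juniper KB article or from NetScreen-Remote: it models the client profile built in steps one through twenty-five as a plain dictionary (the key names and the export format are this example's own assumptions; NetScreen-Remote does not produce them) and compares it field by field against what the gateway administrator says is configured, so a mismatch can be found before the tunnel is attempted. It also flags the example's DES and Diffie-Hellman Group 2 choices, which are well below current strength recommendations, and notes that aggressive mode transmits the IKE identity before encryption is established.

```python
"""Pre-flight consistency check for an L2TP-over-IPsec client profile.

Added example, not part of the KB article. The dictionaries below are
constructed by hand to mirror the settings chosen in the article; the key
names are hypothetical and not a NetScreen-Remote export format.
"""

# Fields that must agree on both ends for IKE Phase 1, Phase 2 and the
# L2TP transport to negotiate successfully (hypothetical key names).
MATCH_FIELDS = (
    "remote_id_type", "remote_id", "protocol", "port",
    "ike_mode", "my_id_type", "my_id",
    "p1_encrypt", "p1_hash", "p1_dh_group",
    "p2_encrypt", "p2_hash", "p2_encapsulation",
)

# Algorithm choices a current deployment should move away from. These are
# general facts about the algorithms, not statements from the article.
WEAK_ALGORITHMS = {
    "DES": "56-bit key",
    "Group 2": "1024-bit MODP group",
}

# Constructed client profile, mirroring the article's example values.
CLIENT_PROFILE = {
    "remote_id_type": "IP Address",
    "remote_id": "1.1.1.1",
    "protocol": "UDP",
    "port": "L2TP",
    "ike_mode": "Aggressive",
    "my_id_type": "E-mail Address",
    "my_id": "jdoe@netscreen.com",
    "preshared_key": "example-psk-placeholder",  # placeholder, not a real key
    "p1_encrypt": "DES",
    "p1_hash": "SHA-1",
    "p1_dh_group": "Group 2",
    "p2_encrypt": "DES",
    "p2_hash": "SHA-1",
    "p2_encapsulation": "Transport",
}

# What the firewall administrator reports as configured for this peer
# (constructed; in practice this comes from the gateway's own configuration).
GATEWAY_EXPECTED = dict(CLIENT_PROFILE)


def check_profile(client, gateway):
    """Compare a client profile against the gateway's expected settings.

    Returns {"mismatches": [...], "warnings": [...]}. Mismatches stop the
    tunnel from coming up; warnings are weak-setting advisories. The
    pre-shared key value itself is never included in the report.
    """
    mismatches = []
    for field in MATCH_FIELDS:
        if client.get(field) != gateway.get(field):
            mismatches.append(
                f"{field}: client={client.get(field)!r} gateway={gateway.get(field)!r}"
            )

    # Check the PSK for presence and equality without echoing it.
    if not client.get("preshared_key"):
        mismatches.append("preshared_key: not set on client")
    elif client["preshared_key"] != gateway.get("preshared_key"):
        mismatches.append("preshared_key: does not match the gateway")

    warnings = []
    for field in ("p1_encrypt", "p1_hash", "p1_dh_group", "p2_encrypt", "p2_hash"):
        alg = client.get(field)
        if alg in WEAK_ALGORITHMS:
            warnings.append(
                f"{field}={alg} ({WEAK_ALGORITHMS[alg]}); prefer AES, SHA-2 and a larger DH group"
            )
    if client.get("ike_mode") == "Aggressive":
        warnings.append("ike_mode=Aggressive: the IKE identity is sent before encryption is established")

    return {"mismatches": mismatches, "warnings": warnings}


if __name__ == "__main__":
    report = check_profile(CLIENT_PROFILE, GATEWAY_EXPECTED)
    print("Mismatches:", report["mismatches"] or "none")
    for line in report["warnings"]:
        print("Warning:", line)
```

Run against the constructed profile, the check reports no mismatches (the client mirrors the gateway exactly) and four warnings: DES in both phases, Diffie-Hellman Group 2, and aggressive mode. Changing a single field on either side, for example Transport versus Tunnel encapsulation in Phase 2, produces one mismatch naming that field, which is the kind of discrepancy that otherwise only surfaces as a failed negotiation.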

Purpose:
Troubleshooting