KB Home KB Home Back to all Knowledge Base Browse Knowledge Base Categories Printer Friendly Version Printer Friendly

Configuring your Juniper firewall NS-5XP/5XT/5GT Site A for a Route Based LAN to LAN VPN When Both Sides Have Static IPs Using Pre-shared Keys
Knowledge Base ID: KB4178
Version: 6.0
Published: 07 Oct 2008
Updated: 07 Oct 2008
Categories: . Firewall/IPSec_VPN
. ScreenOS

Synopsis:
Configuring your Juniper firewall NS-5XP/5XT/5GT Site A for a Route Based LAN to LAN VPN When Both Sides Have Static IPs Using Pre-shared Keys

Solution:

To configure your Juniper firewall NS-5XP/5XT/5GT Site A for a Route Based LAN to LAN VPN when both sides have static IPs using Pre-shared Keys, perform the following steps:

Step one: Open the WebUI. For more information on accessing the WebUI, go to KB4060 -- Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

Step two: From the Juniper firewall menu, click Network, and then click Interfaces.

Image of step two

Step three: Click New.

Image of step three

Step four: From the Tunnel Interface Name text box, enter a tunnel name.

Note: For this example, we have entered 1.

Image of step four and five

Step five: From the Zone drop-down menu, click to choose a Zone.

Note: For this example, we have selected Untrust (trust-vr).

Step six: Click to select Unnumbered. From the Interface drop-down menu, click to choose an Interface.

Note: For this example, we have selected Trust(trust-vr).

Image of step six and seven

Step seven: Click OK.

Step eight: From the Juniper firewall menu, click VPNs, select AutoKey Advanced, and then click Gateway.

Image of step eight

Step nine: Click New.

Image of step nine

Step ten: From the Gateway Name text box, enter a Gateway Name.

Note: For this example, we have entered Site B GW.

Image of step ten and eleven

Step eleven: From Security Level, click to select Custom.

Step twelve: From Remote Gateway Type, click to select Static IP Address, and enter an IP Address/Hostname.

Note: For this example, we have entered 2.2.2.1.

Image of step twelve

Step thirteen: From the Preshared Key text box, enter a Preshared Key.

Warning: The pre-shared keys on Juniper firewall device A and Juniper firewall device B must be identical.

Image of step thirteen and fourteen

Step fourteen: From the Outgoing Interface drop-down menu, click to choose an Outgoing Interface. Click Advanced.

Note: For this example, we have selected Untrust.

Step fifteen: From the Phase 1 Proposal drop-down menu, click to choose a Phase 1 Proposal.

Note: For this example, we have selected pre-g2-3des-sha.

Image of step fifteen and sixteen

Step sixteen: Click to select Mode (Initiator). Click Return.

Step seventeen: Click OK.

Image of step seventeen

Step eighteen: From the Juniper firewall menu, click VPNs, and then click AutoKey IKE.

Image of step eighteen

Step nineteen: Click New.

Image of step nineteen

Step twenty: From the VPN Name text box, enter a VPN Name. From Security Level, click to select Custom.

Note: For this example, we have entered Site B VPN.

Image of step twenty and twenty-one

Step twenty-one: From Remote Gateway, click to select Predefined. From the Remote Gateway drop-down menu, click to select Site B GW.

Step twenty-two: Click Advanced.

Image of step twenty-two

Step twenty-three: From the Phase 2 Proposal drop-down menu, click to choose a Phase 2 Proposal.

Note: For this example, we have selected g2-esp-3des-sha.

Image of step twenty-three and twenty-four

Step twenty-four: From Bind to, click to select Tunnel Interface. From the Tunnel Interface drop-down menu, click to select tunnel.1.

Step twenty-five: Click to select Proxy-lD. In the Local IP/Netmask text box, enter a Local IP/Netmask, and then in the Remote IP/Netmask text box, enter a Remote IP/Netmask.

Note: For this example, we have entered 10.1.1.0/24 for our Local IP/Netmask and 172.16.10.0/24 for the Remote IP/Netmask.

Image of step twenty-five and twenty-six

Step twenty-six: From the Service drop-down menu, click to select ANY. Click Return.

Step twenty-seven: Click OK.

Image of step twenty-seven

Step twenty-eight: From the Juniper firewall menu, click Policies.

Image of step twenty-eight

Step twenty-nine: In the From drop-down menu, click to select Trust. From the To drop-down menu, click to select Untrust.

Image of step twenty-nine and thirty

Step thirty: Click New.

Step thirty-one: From Source Address, click to select New Address, and enter a New Address.

Note: For this example, we have entered 10.1.1.0/24.

Image of step thirty-one and thirty-two

Step thirty-two: From Destination Address, click to select New Address, and enter a New Address.

Note: For this example, we have entered 172.16.10.0/24.

Step thirty-three: In the Service drop-down menu, click to select ANY. From the Action drop-down menu, click to select Permit.

Image of step thirty-three

Step thirty-four: Click to select Position at Top.

Image of step thirty-four

Step thirty-five: Click OK.

Image of step thirty-five

Step thirty-six: From the Juniper firewall menu, click Policies.

Image of step thirty-six

Step thirty-seven: In the From drop-down menu, click to select Untrust. In the To drop-down menu, click to select Trust.

Image of step thirty-seven and thirty-eight

Step thirty-eight: Click New.

Step thirty-nine: From Source Address, click to select New Address, and then enter a New Address.

Note:For this example, we have entered 172.16.10.0/24.

Image of step thirty-nine and forty

Step forty: From Destination Address, click to select New Address, and then enter a New Address.

Note: For this example, we have entered 10.1.1.0/24.

Step forty-one:In the Service drop-down menu, click to select ANY. From the Action drop-down menu, click to select Permit.

Image of step forty-one

Step forty-two:Click to select Position at Top.

Image of step forty-two

Step forty-three:Click OK.

Image of step forty-three

Step forty-four:From the Juniper firewall menu, click Network, select Routing, and then, for 5.2 and below, click Routing Table;  for 5.3 and above, click Destination.

Image of step forty-three

Step forty-five:Click New.

Image of step forty-four

Step forty-six:From Virtual Router Name, in the Network Address/Netmask text boxes, enter a Network Address/Netmask.

Note: For this example, we have entered 172.16.10.0/255.255.255.0.

Image of step forty-five and forty-six

Step forty-seven:Click to select Gateway. From the Interface drop-down menu, click to select tunnel.1.

Step forty-eight:Click OK.

Image of step forty-eight

Purpose:
Troubleshooting

Login assistance

ASK THE KB
Question or KB ID:



RELATED TOPICS