NetScreen Remote Dial-Up VPN to multiple subnets (zones)


Categories:
Knowledge Base ID: KB12959
Last Updated: 11 Aug 2010
Version: 2.0

Summary:
How to connect to multiple zones/subnets behind the firewall using Dial-Up VPN

Problem or Goal:
Using a policy-based VPN configuration, how do you configure a Dial-Up VPN user to access resources behind both the Trust and DMZ zones?
PC(Dial-UP VPN)===========(Untrust)--FIREWALL-----(Trust)
                                         |
                                         ---------(DMZ)
PC:  50.1.1.1

Firewall:
Ethernet1 (Trust zone) 192.168.1.1/24
Ethernet2 (DMZ zone) 192.168.2.1/24
Ethernet3 (Untrust zone) 20.1.1.1/24

Xauth pool is 10.1.1.1 to 10.1.1.254
Xauth username: localuser
Xauth password: setup123

Solution:

Steps:

The net result is a single Phase 1 IKE SA and two Phase 2 SAs, one for each proxy ID (192.168.1.0/24 and 192.168.2.0/24).


Relevant Firewall Configuration:
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet2 ip 192.168.2.1/24
set interface ethernet3 ip 20.1.1.1/24
set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "DMZ" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set ippool "Xauth" 10.1.1.1 10.1.1.254
set user "localuser" uid 1
set user "localuser" ike-id u-fqdn "test@juniper.net" share-limit 5
set user "localuser" type ike xauth
set user "localuser" remote ippool "Xauth"
set user "localuser" password "setup123"
unset user "localuser" type auth
set user "localuser" "enable"
set user-group "LocalGroup" id 2
set user-group "LocalGroup" user "localuser"
set ike gateway "gateway" dialup "LocalGroup" Aggr outgoing-interface "ethernet3" preshare "password" sec-level standard
unset ike gateway "gateway" nat-traversal udp-checksum
set ike gateway "gateway" nat-traversal keepalive-frequency 0
set ike gateway "gateway" xauth server "Local"
unset ike gateway "gateway" xauth do-edipi-auth
set xauth default ippool "Xauth"
set vpn "vpn" gateway "gateway" no-replay tunnel idletime 0 sec-level standard
set url protocol websense
exit
set policy id 4 from "DMZ" to "Untrust" "192.168.2.0/24" "Dial-Up VPN" "ANY" tunnel vpn "vpn" id 5 pair-policy 3
set policy id 3 from "Untrust" to "DMZ" "Dial-Up VPN" "192.168.2.0/24" "ANY" tunnel vpn "vpn" id 5 pair-policy 4
set policy id 2 from "Trust" to "Untrust" "192.168.1.0/24" "Dial-Up VPN" "ANY" tunnel vpn "vpn" id 3 pair-policy 1
set policy id 1 from "Untrust" to "Trust" "Dial-Up VPN" "192.168.1.0/24" "ANY" tunnel vpn "vpn" id 3 pair-policy 2
set vrouter "trust-vr"
set route 0.0.0.0/0 gateway 20.1.1.2
set route 10.1.1.0/24 interface ethernet3
exit
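To sanity-check a policy-based dial-up VPN configuration like the one above before committing it, the following Python script (an added example, not part of the Juniper article and not a ScreenOS feature) parses the "set address" and "set policy" lines, verifies that every tunnel policy is paired with a mirror policy in the opposite direction, and derives the Phase 2 proxy IDs the firewall will negotiate, one per protected subnet. The configuration text embedded in the script is copied from the lines above; the function names and the "Dial-Up VPN" remote-address convention used for lookups are this example's own assumptions.

```python
import ipaddress
import re

# ScreenOS lines copied from the article above (address book entries and tunnel policies).
CONFIG = """
set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "DMZ" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set policy id 4 from "DMZ" to "Untrust" "192.168.2.0/24" "Dial-Up VPN" "ANY" tunnel vpn "vpn" id 5 pair-policy 3
set policy id 3 from "Untrust" to "DMZ" "Dial-Up VPN" "192.168.2.0/24" "ANY" tunnel vpn "vpn" id 5 pair-policy 4
set policy id 2 from "Trust" to "Untrust" "192.168.1.0/24" "Dial-Up VPN" "ANY" tunnel vpn "vpn" id 3 pair-policy 1
set policy id 1 from "Untrust" to "Trust" "Dial-Up VPN" "192.168.1.0/24" "ANY" tunnel vpn "vpn" id 3 pair-policy 2
"""

ADDRESS_RE = re.compile(r'^set address "([^"]+)" "([^"]+)" (\S+) (\S+)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" "([^"]+)" "([^"]+)" "([^"]+)"'
    r' tunnel vpn "([^"]+)" id (\d+) pair-policy (\d+)$'
)


def parse_config(text):
    """Return (address_book, policies) parsed from 'set address' and 'set policy' lines."""
    addresses = {}  # (zone, name) -> IPv4Network
    policies = {}   # policy id -> dict of fields
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ADDRESS_RE.match(line)
        if m:
            zone, name, ip, mask = m.groups()
            addresses[(zone, name)] = ipaddress.ip_network(f"{ip}/{mask}")
            continue
        m = POLICY_RE.match(line)
        if m:
            pid, src_zone, dst_zone, src, dst, svc, vpn, tun_id, pair = m.groups()
            policies[int(pid)] = dict(src_zone=src_zone, dst_zone=dst_zone, src=src, dst=dst,
                                      service=svc, vpn=vpn, tunnel_id=int(tun_id), pair=int(pair))
    return addresses, policies


def check_pairing(policies):
    """Every tunnel policy must reference a pair-policy that exists, points back, and mirrors its zones."""
    problems = []
    for pid, p in policies.items():
        partner = policies.get(p["pair"])
        if partner is None:
            problems.append(f"policy {pid}: pair-policy {p['pair']} does not exist")
        elif partner["pair"] != pid:
            problems.append(f"policy {pid}: pair-policy {p['pair']} does not pair back")
        elif (partner["src_zone"], partner["dst_zone"]) != (p["dst_zone"], p["src_zone"]):
            problems.append(f"policy {pid}: pair-policy {p['pair']} zones are not mirrored")
    return problems


def expected_proxy_ids(addresses, policies, remote_name="Dial-Up VPN"):
    """Derive the Phase 2 proxy IDs: one protected subnet per inbound (remote -> zone) tunnel policy."""
    subnets = set()
    for p in policies.values():
        if p["src"] == remote_name:
            net = addresses.get((p["dst_zone"], p["dst"]))
            if net is None:
                raise KeyError(f"address {p['dst']!r} is not defined in zone {p['dst_zone']!r}")
            subnets.add(net)
    return sorted(subnets)


if __name__ == "__main__":
    book, pols = parse_config(CONFIG)
    print("pairing problems:", check_pairing(pols) or "none")
    print("expected Phase 2 proxy IDs:", [str(n) for n in expected_proxy_ids(book, pols)])
```

Run against the article's configuration the pairing check comes back clean and the script lists exactly the two proxy IDs (192.168.1.0/24 and 192.168.2.0/24) that appear later in the "get sa" output; deleting one of the four policies makes the missing pair show up immediately.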


Screenshot of NS-Remote (image not included in this text):

Note that the only difference between the "toTrust192.168.1.0" and "toDMZ192.168.2.0" connections is the subnet; all other parameters are identical.




"Get" commands on the firewall:
Note the single Phase 1 IKE SA (get ike cookie) and the two Phase 2 SAs (get sa). Also note the proxy IDs in the get sa id output.
ns25-> get ike cookie
Active: 1, Dead: 0, Total 1

1097182f/0006, 50.1.1.1:500->20.1.1.1:500, PRESHR/grp2/3DES/SHA, xchg(4) (gateway/grp2/usr1)
resent-tmr 14983440 lifetime 28800 lt-recv 0 nxt_rekey 28695 cert-expire 0
responder, err cnt 0, send dir 1, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 100
DPD seq local 0, peer 0

ns25-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00008001< 50.1.1.1 500 esp:3des/sha1 1982c1f6 3495 unlim A/- 1 0
00008001> 50.1.1.1 500 esp:3des/sha1 d0a9349c 3495 unlim A/- 2 0
00008003< 50.1.1.1 500 esp:3des/sha1 1982c1f7 3579 unlim A/- 3 0
00008003> 50.1.1.1 500 esp:3des/sha1 9637f516 3579 unlim A/- 4 0

ns25-> get sa id 0x8001
index 0, name vpn, peer gateway ip 50.1.1.1. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<1> out:<2>
id hash: >c5>3e>64>e4>f1>68>de>37>50>cc>3b>f6>29>fa>2e>ae>f0>bb>fc>ff
vpngrp:<-1>. sa_list_nxt:<3>.
tunnel id 32769, peer id 0, NSRP Local. dialup, dynamic member. Local interface is ethernet3 <20.1.1.1>.
esp, group 2, 3des encryption, sha1 authentication
autokey, IN active, OUT active
monitor<0>, latency: 0, availability: 0
DF bit: clear
app_sa_flags: 0x2433
proxy id: local 192.168.1.0/255.255.255.0, remote 10.1.1.1/255.255.255.255, proto 0, port 0 ike activity timestamp: 60202479
nat-traversal map not available
incoming: SPI 1982c1f6, flag 00004000, tunnel info 40008001, vector(d:d4a88c)
life 3600 sec, 3488 remain, 0 kb, 0 bytes remain
anti-replay off, idle timeout value <0>, idled 112 seconds
next pak sequence number: 0x0
outgoing: SPI d0a9349c, flag 00000000, tunnel info 40008001, vector(e:d45b20)
life 3600 sec, 3488 remain, 0 kb, 0 bytes remain
anti-replay off, idle timeout value <0>, idled 112 seconds
next pak sequence number: 0x0

ns25-> get sa id 0x8003
index 3, name vpn, peer gateway ip 50.1.1.1. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<3> out:<4>
id hash: >c5>3e>64>e4>f1>68>de>37>50>cc>3b>f6>29>fa>2e>ae>f0>bb>fc>ff
vpngrp:<-1>. sa_list_nxt:<5>.
tunnel id 32771, peer id 0, NSRP Local. dialup, dynamic member. Local interface is ethernet3 <20.1.1.1>.
esp, group 2, 3des encryption, sha1 authentication
autokey, IN active, OUT active
monitor<0>, latency: 0, availability: 0
DF bit: clear
app_sa_flags: 0x2433
proxy id: local 192.168.2.0/255.255.255.0, remote 10.1.1.1/255.255.255.255, proto 0, port 0 ike activity timestamp: 60286053
nat-traversal map not available
incoming: SPI 1982c1f7, flag 00004000, tunnel info 40008003, vector(d:d4a88c)
life 3600 sec, 3556 remain, 0 kb, 0 bytes remain
anti-replay off, idle timeout value <0>, idled 44 seconds
next pak sequence number: 0x0
outgoing: SPI 9637f516, flag 00000000, tunnel info 40008003, vector(e:d45b20)
life 3600 sec, 3556 remain, 0 kb, 0 bytes remain
anti-replay off, idle timeout value <0>, idled 44 seconds
next pak sequence number: 0x0
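As an added example (not from the article and not a ScreenOS tool), the Python script below reads "get sa id" output like the transcript above, extracts each Phase 2 SA's proxy IDs, policy ids and SPIs, and checks them against the subnets the tunnel policies protect and the Xauth pool: each protected subnet should have exactly one SA, each remote proxy ID should be a /32 drawn from the pool, and the script also reports that anti-replay is off, which is what the "no-replay" keyword in the vpn definition produces. The transcript embedded in the script is copied from the output above and trimmed to the lines the parser reads; the expected subnets and pool range are taken from the article's configuration, and the function names are this example's own.

```python
import ipaddress
import re

# 'get sa id' transcript copied from the article, trimmed to the lines this parser reads.
SA_OUTPUT = """\
ns25-> get sa id 0x8001
index 0, name vpn, peer gateway ip 50.1.1.1. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<1> out:<2>
proxy id: local 192.168.1.0/255.255.255.0, remote 10.1.1.1/255.255.255.255, proto 0, port 0 ike activity timestamp: 60202479
incoming: SPI 1982c1f6, flag 00004000, tunnel info 40008001, vector(d:d4a88c)
anti-replay off, idle timeout value <0>, idled 112 seconds
outgoing: SPI d0a9349c, flag 00000000, tunnel info 40008001, vector(e:d45b20)
anti-replay off, idle timeout value <0>, idled 112 seconds

ns25-> get sa id 0x8003
index 3, name vpn, peer gateway ip 50.1.1.1. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<3> out:<4>
proxy id: local 192.168.2.0/255.255.255.0, remote 10.1.1.1/255.255.255.255, proto 0, port 0 ike activity timestamp: 60286053
incoming: SPI 1982c1f7, flag 00004000, tunnel info 40008003, vector(d:d4a88c)
anti-replay off, idle timeout value <0>, idled 44 seconds
outgoing: SPI 9637f516, flag 00000000, tunnel info 40008003, vector(e:d45b20)
anti-replay off, idle timeout value <0>, idled 44 seconds
"""

# Taken from the article's configuration: the protected subnets and the Xauth pool range.
EXPECTED_SUBNETS = {ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24")}
XAUTH_POOL = (ipaddress.ip_address("10.1.1.1"), ipaddress.ip_address("10.1.1.254"))


def split_sessions(text):
    """Split a pasted CLI transcript into {sa_id: output} for each 'get sa id' command."""
    parts = re.split(r"^\S+-> get sa id (0x[0-9a-fA-F]+)[ \t]*$", text, flags=re.M)
    # re.split with one capture group yields [preamble, id1, body1, id2, body2, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts), 2)}


def parse_sa_detail(body):
    """Extract the fields of one 'get sa id' block into a dict."""
    def grab(pattern):
        m = re.search(pattern, body, flags=re.M)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m.groups()

    vpn, peer = grab(r"^index \d+, name (\S+), peer gateway ip (\d+\.\d+\.\d+\.\d+)\.")
    pol_in, pol_out = grab(r"policy id in:<(\d+)> out:<(\d+)>")
    l_ip, l_mask, r_ip, r_mask, proto, port = grab(
        r"proxy id: local (\S+)/(\S+), remote (\S+)/(\S+), proto (\d+), port (\d+)")
    (spi_in,) = grab(r"^incoming: SPI ([0-9a-f]+)")
    (spi_out,) = grab(r"^outgoing: SPI ([0-9a-f]+)")
    return {
        "vpn": vpn,
        "peer": ipaddress.ip_address(peer),
        "policy_in": int(pol_in),
        "policy_out": int(pol_out),
        "local": ipaddress.ip_network(f"{l_ip}/{l_mask}"),
        "remote": ipaddress.ip_network(f"{r_ip}/{r_mask}"),
        "proto": int(proto),
        "port": int(port),
        "spi_in": spi_in,
        "spi_out": spi_out,
        # ScreenOS prints one anti-replay line per direction; treat any 'off' as disabled.
        "anti_replay": "anti-replay off" not in body,
    }


def audit_sas(text, expected_subnets=EXPECTED_SUBNETS, pool=XAUTH_POOL):
    """Return (parsed SAs, findings) for a transcript of 'get sa id' commands."""
    sas = {sid: parse_sa_detail(body) for sid, body in split_sessions(text).items()}
    findings = []
    covered = set()
    for sid, sa in sas.items():
        if sa["local"] not in expected_subnets:
            findings.append(f"{sid}: local proxy ID {sa['local']} is not a protected subnet")
        covered.add(sa["local"])
        remote = sa["remote"]
        if remote.prefixlen != 32 or not (pool[0] <= remote.network_address <= pool[1]):
            findings.append(f"{sid}: remote proxy ID {remote} is not a host address from the Xauth pool")
        if not sa["anti_replay"]:
            findings.append(f"{sid}: anti-replay is off (vpn defined with no-replay)")
    for net in sorted(expected_subnets):
        if net not in covered:
            findings.append(f"no Phase 2 SA negotiated for {net}")
    return sas, findings


if __name__ == "__main__":
    parsed, problems = audit_sas(SA_OUTPUT)
    for sid, sa in parsed.items():
        print(sid, sa["local"], "<->", sa["remote"], "policies", sa["policy_in"], sa["policy_out"])
    for p in problems:
        print("FINDING:", p)
```

On the transcript above the script confirms one SA per protected subnet with the remote side at 10.1.1.1/32 from the pool, and its only findings are the two anti-replay lines; removing "no-replay" from the "set vpn" command and rebuilding the tunnel is what clears them. If a subnet has no SA at all, the usual cause is a missing or unpaired tunnel policy for that zone, which the "get sa" table above would show as only one pair of SPIs.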

Purpose:
Configuration

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.