Juniper Networks - How do I create a Policy Based LAN to LAN VPN using Preshared Keys (ScreenOS 6.0 and later)

Policy-based VPN - Both Sides have Static IPs using Pre-shared Keys in ScreenOS 6.x

Environment:

Preshared secrets
Policy Based VPN
Static IP Addresses on both gateways of VPN

This example assumes static IP addresses are assigned on both VPN devices in the VPN tunnel.
The preshared secret used is netscreen.
The matrix below will show the proposals we will use for this example:

Site A B

Untrust IP of Firewall 1.1.1.1 (eth0/0) 2.2.2.1 (eth0/0)

Trust Network 10.1.1.0/24 172.16.10.0/24

Phase 1 Proposal pre-g2-3des-sha pre-g2-3des-sha

Phase 2 Proposal g2-esp-3des-sha g2-esp-3des-sha

Site A:

Click VPNs > AutoKey Advanced > Gateway
Click New
1. Gateway Name: Site B GW
2. Remote Gateway: Click Static, and enter IP address 2.2.2.1
3. Click Advanced
4. Preshared Key: netscreen
5. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
6. Security Level, User-defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
7. Mode (Initiator): Main
8. Click Return
9. Click OK
Click VPNs > Autokey IKE
Click New
1. VPN Name: Site B VPN
2. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
3. Click Advanced
4. Security Level, User Defined: Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
5. Click VPN Monitor (recommended)
6. Click Optimized (recommended)
7. Click Rekey (recommended)
8. Click Return
9. Click OK (Important)
Click Policy > Policies
Select From Trust to Untrust Zone, and click New
1. Source Address: Click New Address, and enter 10.1.1.0/24
2. Destination Address: Click New Address, and enter 172.16.10.0/24
3. Service: Any
4. Action: Tunnel
5. Tunnel: Site B VPN
6. Check Modify matching bidirectional VPN policy
7. Position at Top: Enabled
8. Click Ok

Site B:

Click VPNs > AutoKey Advanced > Gateway
Click New
1. Gateway Name: Site A GW
2. Remote Gateway: Click Static, and enter IP address 1.1.1.1
3. Click Advanced
4. Preshared Key: netscreen
5. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
6. Security Level, User-defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
7. Mode (Initiator): Main
8. Click Return
9. Click OK
Click VPNs > Autokey IKE
Click New
1. VPN Name: Site A VPN
2. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
3. Click Advanced
4. Security Level, User Defined: Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
5. Click VPN Monitor (recommended)
6. Click Optimized (recommended)
7. Click Rekey (recommended)
8. Click Return
9. Click OK (Important)
Click Policy > Policies
Select From Trust to Untrust Zone, and click New
1. Source Address: Click New Address, and enter 172.16.10.0/24
2. Destination Address: Click New Address, and enter 10.1.1.0/24
3. Service: Any
4. Action: Tunnel
5. Tunnel: Site A VPN
6. Check Modify matching bidirectional VPN policy
7. Position at Top: Enabled
8. Click Ok

If you followed the steps above, and now you need help troubleshooting, refer the VPN Configuration & Troubleshooting Guide.

Configuration

Knowledge Base ID:	KB15074
Version:	1.0
Published:	26 Aug 2009
Categories:	Firewall/IPSec_VPN IPSec ScreenOS

Site	A	B
Untrust IP of Firewall	1.1.1.1 (eth0/0)	2.2.2.1 (eth0/0)
Trust Network	10.1.1.0/24	172.16.10.0/24
Phase 1 Proposal	pre-g2-3des-sha	pre-g2-3des-sha
Phase 2 Proposal	g2-esp-3des-sha	g2-esp-3des-sha