To configure the Juniper Firewall device side VPN with XAuth, perform the following steps:

Open the WebUI. For more information on accessing the WebUI, go to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

From the ScreenOS options menu, click Objects, and then click to select IP Pools.

Click New.

From the Edit screen, enter an IP Pool Name, Start IP, and End IP.

For this example, we have entered an IP Pool Name of XAuthIPPool, a Start IP of 192.168.100.1, and an End IP of 192.168.100.100.

The IP Pool must not overlap any address already in use on the Firewall device: the subnets configured on its interfaces, any other IP pool, and the protected networks that the XAuth users will reach through the tunnel. An overlapping range leaves the firewall unable to route unambiguously between a remote user's assigned address and the local host that holds the same address.

Click OK.

From the ScreenOS options menu, click Objects, click Users, and then click to select Local.

Click New.

From Auth/IKE/L2TP/XAuth User, enter a User Name.

For this example, we have entered xauthuser.

From Status, click Enable.

Click IKE User, and then click to select Simple Identity.

From IKE Identity, enter an IKE Identity. This is the identity the remote client presents during Phase 1, and it must match exactly what is configured on the client; a mismatch causes the firewall to reject the negotiation before XAuth is ever attempted.

For this example, we have entered xauth@auth.com.

Click to select XAuth User, enter a User Password, and then Confirm Password.

Click OK.

From the ScreenOS options menu, click VPNs, click AutoKey Advanced, and then click to select XAuth Settings.

On the XAuth Settings page, from the IP Pool Name drop-down menu, click to select an IP Pool Name.

For this example, we have selected XAuthIPPool, the pool created above.

If you decide to use External Authentication, use a third-party server such as RADIUS, SecurID, or LDAP. If you decide to use the default Local Authentication Database on the Juniper Firewall, then you must select the IP Pool that you are going to use for the XAuth users under IP Pool Name, and enter the appropriate IP addresses for DNS and WINS. The other settings on this page apply only to external authentication servers.

For this example, we have entered a DNS Primary Server IP of 10.1.1.100, a DNS Secondary Server IP of 200.1.1.1, a WINS Primary Server IP of 10.1.1.100, and a WINS Secondary Server IP of 10.1.1.101.

Click Apply.


From the ScreenOS options menu, click VPNs, click AutoKey Advanced, and then click to select Gateway.

Click New.

From the Edit page, enter a Gateway Name, and then click to select Custom.

For this example, we have entered XAuthuserGate.

From Remote Gateway Type, click to select Dialup User. From the User drop-down menu, click to select a User.

For this example, we have selected xauthuser.

In the Preshared Key text box, enter a Preshared Key. Use a long, randomly generated key. In Aggressive mode the hash that proves knowledge of the preshared key is exchanged before any encryption is in place, so an attacker who captures the Phase 1 exchange can run an offline dictionary attack against a weak key.

Click Advanced.

The Outgoing Interface should be the interface on which the XAuth users' IKE traffic arrives, normally the Untrust interface that carries the public address the clients connect to.

From Security Level, and from User Defined, click Custom.

From Phase 1 Proposal, click to choose an encryption level, and then click Aggressive. Aggressive mode is required for a dialup gateway with a preshared key because the remote user's IP address is not known in advance; the IKE identity carried in Aggressive mode is what lets the firewall select the correct user and preshared key.

If the Firewall device or the remote clients are behind a NAT device, select Enable NAT-Traversal.

Click Enable XAuth, and then click to select Use Default.

Select Use Default to apply the global XAuth settings configured on the XAuth Settings page to this gateway. If this gateway needs its own settings, for example a separate user group or a different authentication source from the global default, select Local Authentication or External Authentication instead and configure the gateway-specific settings there.

Click Return.

Click OK.


From the ScreenOS options menu, click VPNs, and then click AutoKey IKE.

Click New.

From the Edit page, and from VPN Name, enter a VPN Name. From Security Level, click Custom.

For this example, we have entered XAuthuserIKE.

From Remote Gateway, click Predefined, and then from the Remote Gateway drop-down menu, click a Remote Gateway.

For this example, we have selected XAuthuserGate.

Click Advanced.

From Security Level, and from User Defined, click Custom.

From Phase 2 Proposal, click to choose an encryption level.

For this example, we have chosen nopfs-esp-des-md5.

Note that this proposal combines single DES, which is breakable by brute force, with MD5, which is deprecated, and negotiates no Perfect Forward Secrecy, so a compromise of the Phase 1 keying material exposes every Phase 2 key derived under it. Where the VPN client supports it, choose a proposal that uses AES and SHA with a Diffie-Hellman group, such as g2-esp-aes128-sha, and configure the same proposal on the client.

Click Return.

Click OK.


From the ScreenOS options menu, click Policies.

In the From drop-down menu, click to select Untrust. In the To drop-down menu, click to select Trust.

Click New.

From Source Address, click to select Address Book, and then in the Address Book drop-down menu, click to select Dial-Up VPN.

From Destination Address, click to select Address Book, and then in the Address Book drop-down menu, select an IP Address/Netmask.

For this example, we have selected 172.16.10.0/24.

From the Service drop-down menu, click ANY. From the Action drop-down menu, click Tunnel.

From the Tunnel VPN drop-down menu, click to select a VPN.

For this example, we have selected XAuthuserIKE.

Click to select Position at Top.

Click OK.

A Service of ANY gives every authenticated XAuth user unrestricted access to 172.16.10.0/24. Once the tunnel has been verified, narrow the policy to the services the remote users actually need.
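The same device-side configuration entered at the ScreenOS CLI, shown here as an added example for cross-checking the WebUI steps above; it is not part of the original article. The interface name ethernet0/0, the placeholder preshared key and user password, and the address book entry name net-172.16.10.0 are assumptions; replace them with your own values. The weak Phase 2 proposal used in the example is shown beside a stronger alternative. Lines beginning with # are annotations, not ScreenOS commands, and must not be pasted into the CLI.

```screenos
# --- IP pool for XAuth clients (must not overlap any interface subnet) ---
set ippool XAuthIPPool 192.168.100.1 192.168.100.100

# --- Local user that is both an IKE user (identity) and an XAuth user (password) ---
# "CHANGEME-user-password" is a placeholder, not a value from the article.
set user xauthuser ike-id u-fqdn xauth@auth.com share-limit 1
set user xauthuser type ike xauth
set user xauthuser password CHANGEME-user-password
set user xauthuser enable

# --- Global XAuth settings (local authentication database) ---
set xauth default ippool XAuthIPPool
set xauth default dns1 10.1.1.100
set xauth default dns2 200.1.1.1
set xauth default wins1 10.1.1.100
set xauth default wins2 10.1.1.101

# --- Phase 1: dialup gateway, aggressive mode, preshared key, XAuth with default settings ---
# ethernet0/0 is an assumed outgoing (Untrust) interface; "CHANGEME-long-random-psk" is a placeholder.
# The article does not name a Phase 1 proposal; pre-g2-3des-sha is used here, pre-g2-aes128-sha is stronger.
set ike gateway XAuthuserGate dialup xauthuser aggressive outgoing-interface ethernet0/0 preshare CHANGEME-long-random-psk proposal pre-g2-3des-sha
set ike gateway XAuthuserGate nat-traversal
set ike gateway XAuthuserGate xauth

# --- Phase 2: the article's example proposal (weak: DES, MD5, no PFS) ---
set vpn XAuthuserIKE gateway XAuthuserGate proposal nopfs-esp-des-md5
# Preferred where the client supports it: AES-128, SHA-1, PFS with DH group 2.
# set vpn XAuthuserIKE gateway XAuthuserGate proposal g2-esp-aes128-sha

# --- Address object and tunnel policy from Untrust (Dial-Up VPN) to Trust ---
# net-172.16.10.0 is an assumed address book name for the 172.16.10.0/24 network.
set address trust net-172.16.10.0 172.16.10.0 255.255.255.0
set policy top from untrust to trust "Dial-Up VPN" net-172.16.10.0 any tunnel vpn XAuthuserIKE

save

# --- Verification after a client connects ---
get ippool
get user xauthuser
get ike gateway XAuthuserGate
get vpn XAuthuserIKE
get policy
get ike cookie
get sa
```

After a client has authenticated, get ike cookie should show an active Phase 1 SA for the gateway and get sa a Phase 2 SA for XAuthuserIKE; the policy created with the top keyword should be listed first in get policy so that it is matched before any broader Untrust-to-Trust rule.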