Skip to content

Support Knowledge Base>Submit Feedback

Customer Support Center

How do I configure NetScreen-Remote using Preshared Keys? (KB ID: KB5746)

Article ID: KB5746
Former Article ID: nskb2382
Published: May 25, 2006
Last Modified: May 25, 2006
Visible By: Employee, PTAC, Partner, Customer, Public

Back to Previous Page | Knowledge Base Home

Article URL

http://kb.juniper.net/KB5746

Synopsis

How do I configure NetScreen-Remote using Preshared Keys?

Problem

Environment:

  • Preshared Secret
  • VPN Client
Symptoms & Errors:
  • Do not have a choice to enter preshared secret after clicking My Identity

Solution

Creating a Dial Up VPN from NetScreen-Remote to NetScreen has been supported since ScreenOS 2.5.  The minimum requirements are:

  • NetScreen device running ScreenOS 2.5 or higher
  • NetScreen-Remote 2.0 or higher
  • The NetScreen device must have a statically assigned IP address on the Untrust interface.  If the NetScreen obtains its IP address via DHCP or PPPoE, Dial Up VPN is not supported to that NetScreen

Basic Steps:

  1. Create a Dial Up VPN User.  If a Dial Up VPN Group is desired, add the Dial Up VPN User to that group
  2. Create an IKE Gateway (P1), and specify a Preshared Secret to be used by everyone in that group
  3. Create the VPN (P2), specifying the IKE Gateway that was defined in step 2.
  4. Create the VPN Policy, using the tunnel as specified in step 3.

Example:  Assume a remote user needs to VPN into the corporate network.  The network topology is shown below:


Assume the Remote user is given an IKE ID with email address remote@acme.com.  The untrust gateway of the NetScreen (which is the security gateway that NetScreen-Remote will talk to) is 1.1.1.1.  The destination is the internal network 172.16.10.0/24 (or 172.16.10.0 255.255.255.0).

This example shows how to configure the VPN based on ScreenOS 2.6.0 and NetScreen-Remote 7.0:

Configure Address Book Entry for the Internal Network:

  1. Click Address
  2. Click Trust tab
  3. Click New Address
    1. Name: Internal Net
    2. IP Address: 172.16.10.0
    3. Netmask: 255.255.255.0
    4. Click OK.

Create the Dial Up VPN User

  1. Click Users
  2. Click New IKE/L2TP Users/Group
    1. Name:  Remote User
    2. Click Enable
    3. Select IKE User
    4. IKE Identity: remote@acme.com

Create the Phase 1 Proposals:

  1. Click the VPN Button
  2. Click IKE Gateway tab
  3. Click New Remote Gateway
    1. Name: Remote GW
    2. Click Dial Up User
    3. User Group: Remote User
    4. Click Aggressive mode
    5. Phase 1 Proposal: pre-g2-3des-md5
    6. Preshared Key: NetScreen
    7. Click OK.

Create the Phase 2 Proposals:

  1. Name: Remote VPN
  2. Gateway: Select Remote GW
  3. Phase 2 Proposal: nopfs-esp-3des-md5
  4. Replay Protection: Leave disabled
  5. VPN Monitor: Leave disabled
  6. Click OK

Configure the Policy for the Dial Up VPN

In ScreenOS 2.6 and higher, the Dial Up VPN policy requires one incoming policy. For ScreenOS 2.5 and below, the Dial Up VPN policy requires only one outgoing policy.

For ScreenOS 2.6:

  1. Click Policy button
  2. Click the Incoming tab
  3. Click New Policy
    1. Source Address: Dial-Up VPN
    2. Destination Address: Internal Net
    3. Service: Any
    4. VPN Tunnel: Remote VPN
    5. Click OK

Note: In ScreenOS 3.0.0 or higher, the Tunnel field is equivalent to the VPN Tunnel field in ScreenOS 2.6.0.

NetScreen Remote Configuration

  1. Create a New Connection
  2. ID Type: IP Subnet
    1. Subnet: 172.16.10.0
    2. Mask: 255.255.255.0
  3. Click Connect using Secure Gateway Tunnel
    1. ID Type: IP address, 1.1.1.1
  4. Expand the New Connection
  5. Click Security Policy
    1. Under Select Phase 1 Negotiation Mode, select Aggressive Mode.
    2. De-select Replay Protection
  6. Expand Security Policy
  7. Expand Authentication (Phase 1)
  8. Click Proposal 1
    1. Authentication Method: Pre-Shared Key
    2. Encrypt Alg: Triple DES
    3. Hash Alg: MD5
    4. Key Group: Diffie-Helman Group 2
  9. Expand Key Exchange (Phase 2)
  10. Click Proposal 1
    1. Encrypt Alg: Triple DES
    2. Hash Alg: MD5
  11. Click My Identity
    1. Click Preshared Key
      1. Click Enter Key
      2. Enter the Preshared Key NetScreen
      3. Click OK
    2. Select Certificate: None
    3. ID Type: Email Address
    4. Enter the email address remote@acme.com in the field below ID Type
  12. Save the security policy by clicking the floppy disk icon

 


Category Description

By Product » Software » Network Operating Systems » ScreenOS Software » 2.6.x » 2.6.1
By Product » Software » Network Operating Systems » ScreenOS Software » 2.6.x » 2.6.0
By Product » Software » Network Operating Systems » ScreenOS Software » 2.5.x » 2.5.0
By Product » Software » VPN Clients » NetScreen-Remote Security Client
By Product » Software » VPN Clients » NetScreen-Remote VPN Client
By Network Technology » IP Protocols » Tunneling Protocols » IPSec

Purpose

Troubleshooting

Related Articles


Related Links


Related Files