How do I create a Policy Based LAN to LAN VPN using Preshared Keys
Knowledge Base ID: KB6210
Version: 4.0
Published: 07 Oct 2008
Updated: 07 Oct 2008
Categories:
  • Firewall/IPSec_VPN
  • IPSec
  • ScreenOS

Synopsis:
Policy-based VPN - Both Sides have Static IPs using Pre-shared Keys

Problem:
Environment:
  • Preshared secrets
  • Policy Based VPN
  • Static IP Addresses on both gateways of VPN

Solution:

This example assumes static IP addresses are assigned to both VPN devices in the tunnel, and uses the preshared secret netscreen. That value is a placeholder for the walkthrough: in production use a long, random secret and enter the identical value on both gateways, since any mismatch causes Phase 1 to fail. The 3DES/SHA-1/Group 2 proposals used here are the ones the article was written with; where both peers support them, the predefined AES proposals (for example pre-g2-aes128-sha and g2-esp-aes128-sha) are the better choice. The matrix below shows the proposals used in this example:

[network drawing omitted]

                        Site A              Site B
Untrust IP of Firewall  1.1.1.1             2.2.2.1
Trust Network           10.1.1.0/24         172.16.10.0/24
Phase 1 Proposal        pre-g2-3des-sha     pre-g2-3des-sha
Phase 2 Proposal        g2-esp-3des-sha     g2-esp-3des-sha

Site A:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site B GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 2.2.2.1
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Main
      3. Click Return
    7. Click OK
  3. Click VPNs > AutoKey IKE
  4. Click New
    1. VPN Name: Site B VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Click Return
    5. Click OK
  5. Click Policy
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 10.1.1.0/24
    2. Destination Address: Click New Address, and enter 172.16.10.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site B VPN
    6. Modify matching bidirectional VPN policy: Enabled
    7. Position at Top: Enabled
    8. Click OK

Site B:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site A GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 1.1.1.1
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Main
      3. Click Return
    7. Click OK
  3. Click VPNs > AutoKey IKE
  4. Click New
    1. VPN Name: Site A VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Click Return
    5. Click OK
  5. Click Policy
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 172.16.10.0/24
    2. Destination Address: Click New Address, and enter 10.1.1.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site A VPN
    6. Modify matching bidirectional VPN policy: Enabled
    7. Position at Top: Enabled
    8. Click OK
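The same two configurations entered at the ScreenOS CLI, followed by the commands used to confirm that Phase 1 and Phase 2 came up. This is an added example, not text from the original article: the gateway, VPN and proposal names are the ones used in the WebUI steps above, while the address-book entry names (SiteA-LAN, SiteB-LAN) and the enabled anti-replay option are this example's own choices. Lines beginning with # are annotations for the reader and are not valid CLI input; omit them when pasting.

```screenos
# ---- Site A (untrust 1.1.1.1, trust 10.1.1.0/24) ----
# Phase 1: IKE gateway to Site B, main mode, preshared key, pre-g2-3des-sha
set ike gateway "Site B GW" address 2.2.2.1 Main outgoing-interface "untrust" preshare "netscreen" proposal "pre-g2-3des-sha"
# Phase 2: AutoKey IKE VPN bound to that gateway, g2-esp-3des-sha, anti-replay on
set vpn "Site B VPN" gateway "Site B GW" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
# Address-book entries for the two LANs (names chosen for this example)
set address "Trust" "SiteA-LAN" 10.1.1.0 255.255.255.0
set address "Untrust" "SiteB-LAN" 172.16.10.0 255.255.255.0
# Tunnel policy at the top of Trust->Untrust, plus the matching bidirectional policy
set policy top from "Trust" to "Untrust" "SiteA-LAN" "SiteB-LAN" "ANY" tunnel vpn "Site B VPN"
set policy top from "Untrust" to "Trust" "SiteB-LAN" "SiteA-LAN" "ANY" tunnel vpn "Site B VPN"
save

# ---- Site B (untrust 2.2.2.1, trust 172.16.10.0/24): the mirror image ----
set ike gateway "Site A GW" address 1.1.1.1 Main outgoing-interface "untrust" preshare "netscreen" proposal "pre-g2-3des-sha"
set vpn "Site A VPN" gateway "Site A GW" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set address "Trust" "SiteB-LAN" 172.16.10.0 255.255.255.0
set address "Untrust" "SiteA-LAN" 10.1.1.0 255.255.255.0
set policy top from "Trust" to "Untrust" "SiteB-LAN" "SiteA-LAN" "ANY" tunnel vpn "Site A VPN"
set policy top from "Untrust" to "Trust" "SiteA-LAN" "SiteB-LAN" "ANY" tunnel vpn "Site A VPN"
save

# ---- Verification, on either gateway, after sending traffic between the LANs ----
# Phase 1: one entry for the peer address
get ike cookie
# Phase 2: inbound and outbound SAs for the VPN; status A/- is active, I/I is not established
get sa active
# Both tunnel policies present and listed first for their zone pair
get policy
```

If `get sa active` shows nothing, the policy has not been matched yet or Phase 1 failed; check that the preshared key, Phase 1 proposal and Phase 2 proposal are identical on both sides before looking anywhere else, since these three mismatches account for most failures of this setup.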

Purpose:
Configuration