KB Home KB Home Back to all Knowledge Base Browse Knowledge Base Categories Printer Friendly Version Printer Friendly

How do I create a LAN to LAN VPN using preshared secrets to a site with a Dynamically assigned IP address?
Knowledge Base ID: KB6332
Version: 5.0
Published: 07 Oct 2008
Updated: 07 Oct 2008
Categories: . Firewall/IPSec_VPN
. IPSec
. ScreenOS

Synopsis:
Policy-based VPN - One Side has a Dynamic IP using Pre-shared Keys

Problem:
Environment:
  • Preshared secrets
  • Policy Based VPN
  • Static IP Addresses on' one one gateway
  • Dynamically assigned IP address on one gateway

Solution:


This example assumes static IP address is assigned to site A, and site B gets its IP address dynamically via DHCP. Assume the preshared secret used is netscreen. The matrix below will show the proposals we will use for this example:

Site A B
Untrust IP of Firewall 1.1.1.1 DHCP (local id siteb.netscreen.com)
Trust Network 10.1.1.0/24 172.16.10.0/24
Phase 1 Proposal pre-g2-3des-sha pre-g2-3des-sha
Phase 2 Proposal g2-esp-3des-sha g2-esp-3des-sha

Site A:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site B GW
    2. Security Level: Custom
    3. Remote Gateway: Click Dynamic IP Address, and enter peer id siteb.netscreen.com
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Aggressive
      3. Click Return
    7. Click OK
  3. Click Autokey IKE
  4. Click New
    1. VPN Name: Site B VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Click Return
    5. Click OK
  5. Click Policy
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 10.1.1.0/24
    2. Destination Address: Click New Address, and enter 172.16.10.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site B VPN
    6. Modify matching bidirectional VPN policy: Enabled
    7. Click Ok
    8. Position at Top: Enabled

Site B:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site A GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 1.1.1.1
    4. Preshared Key: netscreen
    5. Local ID: siteb.netscreen.com
    6. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    7. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Aggressive
      3. Click Return
    8. Click OK
  3. Click Autokey IKE
  4. Click New
    1. VPN Name: Site A VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Click Return
    5. Click OK
  5. Click Policy
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 172.16.10.0/24
    2. Destination Address: Click New Address, and enter 10.1.1.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site A VPN
    6. Modify matching bidirectional VPN policy: Enabled
    7. Click Ok
    8. Position at Top: Enabled

NOTE:
The VPN tunnel must be initiated from a host behind the gateway with the dynamically assigned IP address. This requires sending any traffic from a host behind the Juniper firewall that has its IP address assigned dynamically. Otherwise, the VPN tunnel will not be built.

Purpose:
Configuration

ASK THE KB
Question or KB ID:



RELATED TOPICS