Juniper Networks - How to: Create a LAN to LAN VPN using the Juniper Firewall as an XAuth Client

How to: Create a LAN to LAN VPN using the Juniper Firewall as an XAuth Client

Environment:

XAuth client
LAN to LAN VPN
Untrust IP obtained via DHCP

Site	A	B
Untrust IP of Firewall	Dynamic IP	172.16.20.1
Trust Network	192.168.10.0/24	192.168.20.0/24
Local ID	ns5xt.netscreen.com	N/A
Peer ID		ns5xt.netscreen.com
Preshared Key	support	support
Phase 1 Proposal	pre-g2-3des-sha	pre-g2-3des-sha
Phase 2 Proposal	g2-esp-3des-sha	g2-esp-3des-sha

Building a VPN using a Juniper Firewall as an XAuth client requires you to create an XAuth user account on the remote gateway, or have the remote gateway look up a radius server, for purposes of authenticating the XAuth user during phase 1 IKE negotiation. In this example, we will create an XAuth user account on Juniper Firewall-B.

Configuration of Juniper Firewall-B:

Create the XAuth User on Juniper Firewall-B:

Click Objects > Users > Local
Click New
1. User Name: XAuth
2. Click XAuth User
3. User Password:netscreen
4. Confirm Password:netscreen
Click OK

Phase 1 on Juniper Firewall-B:

Click VPNs > AutoKey Advanced > Gateway
Click New
1. Gateway Name: XAuth GW
2. Remote Gateway Type
  1. Click Dynamic IP Address
  2. Peer ID: ns5xt.netscreen.com
3. Preshared Key: support
4. Click Advanced
  1. Security Level: User Defined
  2. Phase 1 Proposal: pre-g2-3des-sha
  3. Mode (Initiator): Aggressive
  4. Click XAuth Server
  5. Click Return
5. Click OK

Phase 2 on Juniper Firewall-B:

Click VPNs > Auto Key IKE
Click New
1. VPN Name: XAuth VPN
2. Remote Gateway
  1. Predefined
  2. XAuth GW
3. Click Advanced
  1. Security Level: User Defined
  2. g2-esp-3des-sha
  3. Click Return
4. Click OK

VPN Policy on Juniper Firewall-B;

Click Policies
Select From Trust to Untrust Zone and click New
1. Source Address:
  1. Click New Address: 192.168.20.0 / 24
2. Destination Address:
  1. Click New Address: 192.168.10.0 / 24
3. Service: ANY
4. Action: Tunnel
5. Tunnel VPN: XAuth VPN
6. Click Modify matching bidirectional VPN policy
7. Click Position at Top
8. Click OK

Configuration of Juniper Firewall-A:

Phase 1 on Juniper Firewall-A:

Click VPNs > AutoKey Advanced > Gateway
Click New
1. Gateway Name: XAuth GW B
2. Remote Gateway Type:
  1. Click Static IP Address
  2. 172.16.20.1
3. Preshared Key: support
4. Local ID: ns5xt.netscreen.com
5. Click Advanced
  1. Security Level: User Defined
  2. Phase 1 Proposal: pre-g2-3des-sha
  3. Mode (Initiator): Aggressive
  4. Click XAuth Client
    1. Username: XAuth
    2. Password: netscreen
  5. Click Return
6. Click OK

Phase 2 on Juniper Firewall-A:

Click VPNs > Auto Key IKE
Click New
1. VPN Name: XAuth VPN B
2. Remote Gateway
  1. Predefined
  2. XAuth GW B
3. Click Advanced
  1. Security Level: User Defined
  2. g2-esp-3des-sha
  3. Click Return
4. Click OK

VPN Policy on Juniper Firewall-A:

Click Policies
Select From Trust to Untrust Zone and click New
1. Source Address:
  1. Click New Address: 192.168.10.0 / 24
2. Destination Address:
  1. Click New Address: 192.168.20.0 / 24
3. Service: ANY
4. Action: Tunnel
5. Tunnel VPN: XAuth VPN B
6. Click Modify matching bidirectional VPN policy
7. Click Position at Top
8. Click OK

The VPN tunnel has to be initiated from Juniper Firewall-A, the XAuth client. Behind the scenes, Juniper Firewall-A will be challenged for an XAuth login/password, and Juniper Firewall-A will send the XAuth credentials as defined in Phase 1.

.

Configuration

Knowledge Base ID:	KB6699
Version:	4.0
Published:	07 Oct 2008
Updated:	07 Oct 2008
Categories:	Firewall/IPSec_VPN IPSec ScreenOS