Title:  LAN-to-LAN Route Based VPN

Document Number:  VPN-310-001

Version:  1.0

OS Ver. this Paper Applies to:  3.1.0 or higher

HW Platforms this Paper Applies to:  All

Audience (Internal or External):  External


Purpose

 

This paper will go through the basic procedure of setting up a LAN-to-LAN Route-based VPN.   

 

Route Based vs. Policy Based VPNs

 

One of the newest features in ScreenOS 3.1.0 and above is the ability to create a route-based VPN.  Prior to ScreenOS 3.1.0, all VPNs were policy-based.  With a route-based VPN, traffic is sent into the tunnel by a route rather than by a policy, resulting in faster IKE negotiations and more flexibility when designing a VPN network.


Minimum Requirements

 

The only requirement for a route-based VPN is that the NetScreen must be running ScreenOS 3.1.0 or higher.  The remote end can use either a route-based or a policy-based VPN.

 

Example

 

In this example, Site A needs to be configured for a route-based VPN.  Site B can be either route-based or policy-based.


Site A:

Local Network: 192.168.1.0/24

Remote Network: 10.1.1.0/24

Local Untrust Interface: 1.1.1.1

 

Site B:

Local Network: 10.1.1.0/24

Remote Network: 192.168.1.0/24

Local Untrust Interface:  2.2.2.1


Basic Configuration Steps

 

Here are the basic steps to configuring the route-based VPN:

  1. Create a tunnel interface, bound to the untrust interface
  2. Create the Phase 1 IKE Gateway configuration
  3. Create the Phase 2 VPN configuration
    1. Bind it to the tunnel interface from step 1
    2. Enable proxy-ID, and specify the local and remote networks
  4. Add a static route for the remote network, using the tunnel interface as the outgoing interface
  5. Create the LAN-to-LAN policy, using an action of Permit.  Do not choose Tunnel.

 

Create the Tunnel Interface

 

From the WebUI:

 

  1. Click the Interface button
  2. Click the Tunnel tab
  3. Click New Entry
    1. Tunnel Interface Name: tunnel.1
    2. Zone: Untrust
    3. Click Unnumbered
    4. Interface: ethernet3(Untrust)
    5. Click Save


Create the Phase 1 IKE Gateway

 

For a route-based VPN, the configuration of the Phase 1 IKE Gateway is no different from a policy-based VPN.  For this example:

 

  1. Click the VPN button.  This takes you to the Gateway (P1) tab.
  2. Click New Remote Tunnel Gateway
    a. Gateway Name: Site B
    b. Static IP: 2.2.2.1
    c. Mode (Initiator): Main
    d. Outgoing Interface: Ethernet3
    e. Phase 1 Proposal: pre-g2-3des-sha
    f. Preshared Key: netscreen
    g. Click OK


Create the Phase 2 Autokey VPN

 

In a route-based VPN, the Phase 2 Autokey configuration differs from the policy-based one in that the VPN is bound to the tunnel interface created above.  The proxy-ID is also specified here: a policy-based VPN takes the address book entries from the policy and uses them as the proxy-ID, but a route-based VPN has no tunnel policy to take them from, so the proxy-ID must be specified in the Phase 2 Autokey entry.

 

  1. Click Autokey (P2)
  2. Click New Autokey IKE Entry
    a. Name: Site B VPN
    b. Enable Replay Protection: Enable
    c. Remote Gateway Tunnel: Site B
    d. Phase 2 Proposal: g2-esp-3des-sha
    e. Bind to: Tunnel Interface: tunnel.1
    f. Enable Proxy-ID
      i. Local IP: 192.168.1.0
      ii. Netmask: 255.255.255.0
      iii. Remote IP: 10.1.1.0
      iv. Netmask: 255.255.255.0
      v. Service: Any


Static Route for the VPN

 

The configuration of the IKE negotiation is complete, but the routing still needs to be configured.  The remote network is 10.1.1.0/24.  A route needs to be added for it, using the tunnel.1 interface as the outgoing interface.

  1. Click the Routing button.  This will take you to the Route Table tab.
  2. Click New Entry.
    a. Virtual Router Name: untrust-vr
    b. Network Address: 10.1.1.0
    c. Netmask: 255.255.255.0
    d. Click Gateway
      i. Interface: tunnel.1 (untrust-vr)
      ii. Gateway Address: 0.0.0.0
      iii. Metric: 1


Create the LAN to LAN Policy

 

The final step is to create the policy for this LAN-to-LAN VPN.  Prior to ScreenOS 3.1, an action of Tunnel was required.  For a route-based VPN, the tunneling is already taken care of by the routing engine, so the policy must be created with an action of Permit.  The outgoing policy would be created as follows:

 

  1. Click Policies
  2. On the Policy page:
    a. From Zone: Trust
    b. To Zone: Untrust
    c. Click New Policy
  3. On the Policy Configuration page:
    a. Source: 192.168.10.0/24
    b. Destination: 10.1.1.0/24
    c. Service: Any
    d. Action: Permit

This completes the configuration of the route-based VPN.  The remote side can be configured with either a route-based or a policy-based VPN.
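The five WebUI steps above, collected into one ScreenOS CLI configuration as an added example (this is not part of the original paper, and the command syntax is assumed from the ScreenOS "set" CLI rather than taken from this paper; check it against the CLI reference for the release in use).  Site A is configured exactly as described, with the policy source taken as Site A's local network 192.168.1.0/24 so that it matches the proxy-ID.  Site B is shown as a route-based mirror, so the two proxy-IDs can be compared side by side; the Site B interface names (ethernet3, tunnel.1) and address-book names are assumptions.

```screenos
# ---- Site A (untrust interface 1.1.1.1, local LAN 192.168.1.0/24) ----

# Step 1: tunnel interface in the Untrust zone, unnumbered on ethernet3
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

# Step 2: Phase 1 IKE gateway - static peer, main mode, pre-g2-3des-sha.
# "netscreen" is the example pre-shared key from this paper; a production
# deployment uses a long, randomly generated key agreed out of band.
set ike gateway "Site B" address 2.2.2.1 main outgoing-interface ethernet3 preshare netscreen proposal pre-g2-3des-sha

# Step 3: Phase 2 AutoKey VPN with replay protection, bound to tunnel.1,
# with the proxy-ID stated explicitly (no tunnel policy supplies it)
set vpn "Site B VPN" gateway "Site B" replay tunnel proposal g2-esp-3des-sha
set vpn "Site B VPN" bind interface tunnel.1
set vpn "Site B VPN" proxy-id local-ip 192.168.1.0/24 remote-ip 10.1.1.0/24 any

# Step 4: static route for the remote LAN into the tunnel interface
# (gateway 0.0.0.0 in the WebUI means "no next hop", so none is given here)
set vrouter untrust-vr route 10.1.1.0/24 interface tunnel.1 metric 1

# Step 5: address-book entries and a plain "permit" policy (not "tunnel")
set address trust "Site A LAN" 192.168.1.0 255.255.255.0
set address untrust "Site B LAN" 10.1.1.0 255.255.255.0
set policy from trust to untrust "Site A LAN" "Site B LAN" any permit

# ---- Site B mirror (untrust interface 2.2.2.1, local LAN 10.1.1.0/24) ----
# Every local/remote value is swapped; proposals and the key stay identical.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set ike gateway "Site A" address 1.1.1.1 main outgoing-interface ethernet3 preshare netscreen proposal pre-g2-3des-sha
set vpn "Site A VPN" gateway "Site A" replay tunnel proposal g2-esp-3des-sha
set vpn "Site A VPN" bind interface tunnel.1
# Proxy-ID must be the exact mirror of Site A's: local 10.1.1.0/24, remote 192.168.1.0/24
set vpn "Site A VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 192.168.1.0/24 any
set vrouter untrust-vr route 192.168.1.0/24 interface tunnel.1 metric 1
set address trust "Site B LAN" 10.1.1.0 255.255.255.0
set address untrust "Site A LAN" 192.168.1.0 255.255.255.0
set policy from trust to untrust "Site B LAN" "Site A LAN" any permit

# ---- Verification on either side, after sending traffic across the tunnel ----
get ike cookie     # Phase 1 SA should be present for the peer address
get sa             # Phase 2 SA for the VPN should be active
get route          # the remote LAN should resolve to tunnel.1
```

If `get sa` never shows an active Phase 2 SA while Phase 1 is up, the first things to compare are the two proxy-ID lines: a policy-based peer derives its proxy-ID from its policy's address-book entries, so those entries must describe exactly the mirrored networks, including the netmask.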