Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Configure ScreenOS Firewall for use with a VPN Client using Pre-shared Keys (ScreenOS 6.0 and later)

0

0

Article ID: KB14878 KB Last Updated: 11 Mar 2020Version: 4.0
Summary:

How to Configure ScreenOS for a Dial-Up VPN with Pre-shared Keys in ScreenOS 6.x

Symptoms:

Environment:

  • Dial Up VPN
  • Remote IPSec client
  • Remote User
  • Need to get into the network from home
Solution:

 

Assume the remote user has a VPN client installed on a laptop connected to the Internet. This remote user wants to connect to the Internal network at 172.16.10.0/24.

This example shows the configuration of a group of Dial-Up VPN users, connecting using a Preshared Secret.

On the Juniper Firewall, from the WebUI:

  1. Create Dial User Account.  Go to Objects > Users > Local

  2. Click New and enter the following:
    1. Username: User1
    2. Status: Enable
    3. Click IKE User
    4. Number of Multiple Logins: 1
    5. Click Simple Identity
    6. IKE ID Type:  AUTO
    7. IKE Identity: user1@host.example.com
    8. Click OK

  3. Create a Dial Up VPN Group.  Go to  Objects > Local Groups

  4. Click New and enter the Group Name: User_Group

  5. In the Available Members window, select the Users that should be added to the group.  Click the '<<' button to move them over to the Group Members window.  Click OK

  6. Create the Phase 1 IKE Negotiation.  Go to  VPNs > AutoKey Advanced > Gateways

  7. Click New and enter the following:
    1. Gateway Name: Dialup GW
    2. Click Dialup User Group
    3. Group: Select User_Group
    4. Click Advanced
    5. Preshared Key: netscreen
    6. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
    7. Security Level, User-Defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
    8. Mode (Initiator): Aggressive
    9. Click Enable NAT Traversal
    10. Click Return
    11. Click OK

  8. Create the Phase 2 IKE Negotiation.  Go to VPNs > AutoKey IKE

  9. Click New and enter the following:
    1. VPN Name: Dialup VPN
    2. Remote Gateway: Predefined
    3. Select Dialup GW for the Predefined Remote Gateway
    4. Click Advanced
      1. Click Custom
      2. Phase 2 Proposal: g2-esp-3des-sha
      3. Click Return
    5. Click OK
       
  10. Create Dial Up VPN Policy.  Go to Policy > Policies

  11. Select 'From Untrust'

  12. Select 'From Trust'

  13. Click New and enter the following
    1. Source Address: Address Book: Select Dial-Up VPN
    2. Destination Address: Click New Address: 172.16.10.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Dialup VPN
    6. Click Position at Top
    7. Click OK
OR
On the Juniper Firewall, from the CLI (commands for the above configuration):
set user "User1" ike-id u-fqdn "user1@host.example.com" share-limit 1
set user "User1" type ike
set user "User1" "enable"
set user-group "User_Group" id 1
set user-group "User_Group" user "User1"
set ike gateway "Dialup GW" dialup "User_Group" Aggr outgoing-interface "ethernet0/0" preshare netscreen proposal "pre-g2-3des-sha"
set ike gateway "Dialup GW" nat-traversal keepalive-frequency 5
set vpn "Dialup VPN" gateway "Dialup GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set address "Trust" "172.16.10.0/24" 172.16.10.0 255.255.255.0
set policy from "Untrust" to "Trust" "Dial-Up VPN" "172.16.10.0/24" "ANY" tunnel vpn "Dialup VPN"
 

For information on configuring the IPSec client, refer to: KB17364 - Example configuration of NCP Client

Modification History:
2020-03-11: removed references to NS Remote (as it is EOS)
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search