
Configure ScreenOS Firewall for use with a VPN Client using Pre-shared Keys (ScreenOS 6.0 and later)


Article ID: KB14878 | KB Last Updated: 27 Oct 2011 | Version: 3.0
Summary:

How to Configure ScreenOS for a Dial-Up VPN with Pre-shared Keys in ScreenOS 6.x

Symptoms:

Environment:

  • Dial Up VPN

  • Remote IPSec client

  • Remote User

  • Need to get into the network from home
Cause:

Solution:

 

Assume the remote user has NetScreen-Remote installed on a laptop that is connected to the Internet. This remote user wants to reach the internal network at 172.16.10.0/24.

This example shows the configuration of a group of NetScreen-Remote Dial-Up VPN users, connecting using a Preshared Secret.

On the Juniper Firewall, from the WebUI:

  1. Create Dial User Account:

    Click Objects > Users > Local

  2. Click New

    1. Username: User1

    2. Status: Enable

    3. Click IKE User

    4. Number of Multiple Logins: 1

    5. Click Simple Identity

    6. IKE ID Type:  AUTO

    7. IKE Identity: user1@netscreen.com

    8. Click OK
       

  3. Create Dial Up VPN Group:

    Click Objects > Local Groups

  4. Click New

    1. Group Name: User_Group

      Select the users to add to the group in the Available Members window, and click the << button to move them to the Group Members window

    2. Click OK
       
  5. Create the Phase 1 IKE Negotiation:

    Click VPNs > AutoKey Advanced > Gateways

  6. Click New

    1. Gateway Name: Dialup GW

    2. Click Dialup User Group

    3. Group: Select User_Group

    4. Click Advanced

    5. Preshared Key: netscreen

    6. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)

    7. Security Level, User-Defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha

    8. Mode (Initiator): Aggressive

    9. Click Enable NAT Traversal

    10. Click Return

    11. Click OK

  7. Create the Phase 2 IKE Negotiation:

    Click VPNs > AutoKey IKE

  8. Click New

    1. VPN Name: Dialup VPN

    2. Remote Gateway: Predefined

    3. Select Dialup GW for the Predefined Remote Gateway

    4. Click Advanced

      1. Click Custom

      2. Phase 2 Proposal: g2-esp-3des-sha

      3. Click Return

    5. Click OK
       
  9. Create Dial Up VPN Policy:

    Click Policy > Policies

  10. Select From Untrust

  11. Select To Trust

  12. Click New

    1. Source Address: Address Book: Select Dial-Up VPN

    2. Destination Address: Click New Address: 172.16.10.0/24

    3. Service: Any

    4. Action: Tunnel

    5. Tunnel: Dialup VPN

    6. Click Position at Top

    7. Click OK

CLI commands for the above configuration:
set user "User1" ike-id u-fqdn "user1@netscreen.com" share-limit 1
set user "User1" type ike
set user "User1" "enable"
set user-group "User_Group" id 1
set user-group "User_Group" user "User1"
set ike gateway "Dialup GW" dialup "User_Group" Aggr outgoing-interface "ethernet0/0" preshare netscreen proposal "pre-g2-3des-sha"
set ike gateway "Dialup GW" nat-traversal keepalive-frequency 5
set vpn "Dialup VPN" gateway "Dialup GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set address "Trust" "172.16.10.0/24" 172.16.10.0 255.255.255.0
set policy from "Untrust" to "Trust" "Dial-Up VPN" "172.16.10.0/24" "ANY" tunnel vpn "Dialup VPN"
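The CLI lines above form a chain of references (policy > VPN > IKE gateway > user-group > user), and a typo in any one name silently leaves the tunnel unusable. The script below is an added example, not Juniper code: it parses exactly the command forms used in this article, verifies that every reference resolves, and lists the settings a reviewer would want to look at before rollout (aggressive mode with a pre-shared key, a short key, the 3DES/SHA-1/DH group 2 proposals, and the no-replay keyword that turns off anti-replay checking). The finding codes and the 20-character key threshold are assumptions made for this script, not ScreenOS terminology.

```python
"""Reference and hardening review of the dial-up VPN CLI block above (added example)."""
import shlex

# The article's CLI block, embedded so the script runs offline.
ARTICLE_CONFIG = """\
set user "User1" ike-id u-fqdn "user1@netscreen.com" share-limit 1
set user "User1" type ike
set user "User1" "enable"
set user-group "User_Group" id 1
set user-group "User_Group" user "User1"
set ike gateway "Dialup GW" dialup "User_Group" Aggr outgoing-interface "ethernet0/0" preshare netscreen proposal "pre-g2-3des-sha"
set ike gateway "Dialup GW" nat-traversal keepalive-frequency 5
set vpn "Dialup VPN" gateway "Dialup GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set address "Trust" "172.16.10.0/24" 172.16.10.0 255.255.255.0
set policy from "Untrust" to "Trust" "Dial-Up VPN" "172.16.10.0/24" "ANY" tunnel vpn "Dialup VPN"
"""

# Tokens of ScreenOS proposal names that denote legacy algorithms ("sha" alone is SHA-1).
LEGACY = {"g1": "DH group 1", "g2": "DH group 2 (1024-bit MODP)", "des": "DES",
          "3des": "3DES", "md5": "MD5", "sha": "SHA-1"}


def legacy_tokens(proposal):
    """Return the legacy algorithms named in a proposal such as 'g2-esp-3des-sha'."""
    return [LEGACY[t] for t in proposal.split("-") if t in LEGACY]


def parse_config(text):
    """Build a small object model from the 'set ...' forms used in the article."""
    m = {"users": {}, "groups": {}, "gateways": {}, "vpns": {}, "addresses": {}, "policies": []}
    for raw in text.splitlines():
        tok = shlex.split(raw)            # honours the double-quoted names
        if len(tok) < 3 or tok[0] != "set":
            continue
        kind, name = tok[1], tok[2]
        if kind == "user":
            u = m["users"].setdefault(name, {"enabled": False})
            if "ike-id" in tok:
                i = tok.index("ike-id")
                u["ike_id_type"], u["ike_id"] = tok[i + 1], tok[i + 2]
            if "type" in tok:
                u["type"] = tok[tok.index("type") + 1]
            if tok[-1] == "enable":
                u["enabled"] = True
        elif kind == "user-group":
            g = m["groups"].setdefault(name, {"users": []})
            if "user" in tok[3:]:
                g["users"].append(tok[tok.index("user", 3) + 1])
        elif kind == "ike" and name == "gateway":
            gw = m["gateways"].setdefault(tok[3], {"nat_traversal": False})
            if "dialup" in tok:
                i = tok.index("dialup")
                gw["group"], gw["mode"] = tok[i + 1], tok[i + 2]
            for key in ("preshare", "proposal", "outgoing-interface"):
                if key in tok:
                    gw[key] = tok[tok.index(key) + 1]
            if "nat-traversal" in tok:
                gw["nat_traversal"] = True
        elif kind == "vpn":
            m["vpns"][name] = {"gateway": tok[tok.index("gateway") + 1],
                               "proposal": tok[tok.index("proposal") + 1],
                               "replay_protection": "no-replay" not in tok}
        elif kind == "address":
            m["addresses"][tok[3]] = {"zone": name, "ip": tok[4], "mask": tok[5]}
        elif kind == "policy":
            m["policies"].append({"from": tok[3], "to": tok[5], "src": tok[6], "dst": tok[7],
                                  "service": tok[8],
                                  "vpn": tok[tok.index("vpn") + 1] if "vpn" in tok else None})
    return m


def check_references(m):
    """List dangling references along policy -> vpn -> gateway -> user-group -> user."""
    problems = []
    for p in m["policies"]:
        addr = m["addresses"].get(p["dst"])
        if addr is None:
            problems.append(f"policy destination {p['dst']!r} is not in the address book")
        elif addr["zone"] != p["to"]:
            problems.append(f"address {p['dst']!r} is in zone {addr['zone']!r}, policy goes to {p['to']!r}")
        if p["vpn"] not in m["vpns"]:
            problems.append(f"policy tunnel references unknown vpn {p['vpn']!r}")
    for vname, v in m["vpns"].items():
        if v["gateway"] not in m["gateways"]:
            problems.append(f"vpn {vname!r} references unknown gateway {v['gateway']!r}")
    for gname, gw in m["gateways"].items():
        if gw.get("group") not in m["groups"]:
            problems.append(f"gateway {gname!r} references unknown user-group {gw.get('group')!r}")
    for grp, g in m["groups"].items():
        for uname in g["users"]:
            u = m["users"].get(uname)
            if u is None or u.get("type") != "ike" or not u["enabled"]:
                problems.append(f"user-group {grp!r} member {uname!r} is missing, not an IKE user, or disabled")
    return problems


def review_findings(m, min_psk_len=20):
    """Return (code, object) pairs for settings worth a second look; codes are constructed here."""
    out = []
    for gname, gw in m["gateways"].items():
        if gw.get("mode", "").lower().startswith("aggr") and "preshare" in gw:
            out.append(("AGGRESSIVE_PSK", gname))      # PSK-derived hash is exchanged before encryption
        if len(gw.get("preshare", "")) < min_psk_len:
            out.append(("SHORT_PSK", gname))
        if legacy_tokens(gw.get("proposal", "")):
            out.append(("LEGACY_P1_PROPOSAL", gname))
    for vname, v in m["vpns"].items():
        if legacy_tokens(v["proposal"]):
            out.append(("LEGACY_P2_PROPOSAL", vname))
        if not v["replay_protection"]:
            out.append(("REPLAY_PROTECTION_OFF", vname))  # 'no-replay' disables anti-replay checks
    return out


if __name__ == "__main__":
    model = parse_config(ARTICLE_CONFIG)
    print("reference problems:", check_references(model) or "none")
    for code, obj in review_findings(model):
        print(f"{code:22} {obj}")
```

Run it against a config pulled with get config and it reports nothing dangling for the article's lines, while flagging all five review items; change the policy's tunnel name and the dangling reference shows up immediately.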

For information on configuring the IPSec client, refer to:

KB22075 - Configure NetScreen-Remote VPN Client with pre-shared Keys

KB17364 - Example configuration of NCP Client

KB22074 - How to configure Shrew Soft VPN client to work with ScreenOS firewalls
If you followed the steps above and now need help troubleshooting, refer to the VPN Configuration and Troubleshooting Guide.