[ScreenOS] How To: Create Multiple Dial Up VPN using same IKE ID (ScreenOS 6.0 and later)

[KB14883]


Summary:
How To: Create Multiple Dial Up (Policy-Based) VPN using same IKE ID
Environment:
  • Shared IKE ID
  • Deploy large number of remote clients
Solution:

Note:  This policy-based VPN example applies to ScreenOS 6.x.  For other examples, refer to KB8535 - Configuring a NetScreen-Remote Dial-Up VPN.

"Shared IKE ID".  This ScreenOS feature allows you to deploy and manage a large-scale distribution of NetScreen-Remote (NSR) VPN Clients, with minimal configuration on both the Firewall and the NetScreen-Remote client.  Administrators can deploy a single IKE tunnel ID for the NSR Clients and require each user to authenticate with an individual ID. This saves administration work by:

  1. Providing IPSec protection with a common VPN tunnel configuration, and
  2. Removing the need to re-deploy a new group user ID should an employee leave the company.

Example:  Assume two users, Mike and Joe, are trying to access a server on the trusted side of the Juniper Firewall. The Administrator wants to deploy a single VPN Dial-up User configuration and have each user authenticated individually.

Parameter                 NetScreen-Remote                              NetScreen
Shared IKE User           -                                             Remote_Sales
Shared IKE ID             sales@ns.com                                  sales@ns.com
User Group                -                                             R_S
XAuth User 1 / Password   Joe/netscreen                                 -
XAuth User 2 / Password   Mike/support                                  -
Phase 1 Proposals         Preshared Secret; Extended Authentication;    pre-g2-3des-sha
                          Triple DES; SHA; Diffie-Hellman Group 2
Phase 2 Proposals         Triple DES; SHA-1                             nopfs-esp-3des-sha

The basic steps in deploying this configuration are as follows:

ScreenOS Firewall Side:

  1. Define an IKE ID User (Without xauth authentication)
  2. Assign the IKE ID User from step 1 to a new Dial Up User Group
  3. Define separate XAuth Users (with no IKE ID configuration)
  4. Define IKE Phase 1 Gateway, and DO NOT SELECT "Use as Seed"
  5. Define IKE Phase 2 VPN as usual
  6. Define Dial Up VPN policy as usual

NetScreen-Remote VPN Client Side:

  1. Enter Remote Party Identity and Address, and Secure Gateway Tunnel as normal
  2. Under My Identity, select ID type email address, and enter the IKE ID from step 2 on the NetScreen Side procedure
  3. Click Pre-Shared Key, and enter the preshared key defined from step 4 on the NetScreen Side procedure
  4. Configure Phase 1 for Xauth and Phase 2 to match the configuration on the NetScreen side

Configuration of ScreenOS Firewall Side:

WebUI
  1. Create Local Users.  Select: Objects > Users > Local
    1. Create User: Remote_Sales.  Click New and enter the following:
      • Username: Remote_Sales
      • Enable IKE User (Do not select XAuth User)
      • Number of Multiple Logins with Same ID: 250 (Choose whatever number of simultaneous users you want logging in under this IKE ID.)
      • Click Simple Identity
      • IKE ID Type:  AUTO
      • IKE Identity: sales@ns.com    (Note: IKE ID must be an e-mail address)
    2. Click OK
    3. Create User: Joe.  Click New and enter the following:
      • Username: Joe
      • Click XAuth User (Do not select IKE User)
      • User Password: password4joe
      • Confirm Password: password4joe
    4. Click OK
    5. Create User: Mike.  Click New and enter the following:
      • Username: Mike
      • Click XAuth User (Do not select IKE User)
      • User Password: password4mike
      • Confirm Password: password4mike
    6. Click OK
  2. Create a Local Group.  Select: Objects > Users > Local Groups
    1. Click New
    2. Enter Group Name: R_S
    3. Under Available Members, select Remote_Sales, and click << directional button
    4. Click OK
  3. Add the Gateway.  Select VPNs > AutoKey Advanced > Gateway
    Note:  If you do not have an Authentication Server configured for XAuth, refer to the Example: RADIUS Auth Server on p.33 of the ScreenOS Concepts & Examples Guide - Vol 9 - Authentication Servers.
    1. Click New
    2. Enter Gateway Name: Sales
    3. Click Dialup User Group, and select R_S from the Group pulldown menu
    4. Click Advanced
    5. Preshared Key: sharedikeid (Do not enable "Use as Seed"; that parameter is used when configuring Group IKE ID with Global Pro/Express)
    6. Outgoing Interface: ethernet0/0 (Choose whatever interface is your outgoing interface to the Internet)
    7. Click Security Level: Select Custom, and select Phase 1 Proposal pre-g2-3des-sha
    8. Click Mode (Initiator): Aggressive
    9. Click Enable NAT-Traversal
    10. Click Return
    11. Click OK
  4. Set the XAuth settings: Select  VPNs > AutoKey Advanced > XAuth Settings
    1. Default Authentication Server:  From pull-down, select your XAuth Server.
    2. Click Apply
  5. Create the AutoKey IKE.  Select VPNs > AutoKey IKE
    1. Click New
    2. Enter VPN Name: Sales VPN
    3. Select Remote Gateway: Click Predefined, and select Sales from the pulldown menu
    4. Click Advanced and Click Return
    5. Select Security Level: Select Custom, and select Phase 2 Proposal nopfs-esp-3des-sha
    6. Click OK
  6. Configure the Policies.  Select Policy > Policies
    1. Select From Untrust to Trust zone, and click New
    2. Enter Source Address: Click Address Book, and select Dial-Up VPN
    3. Enter Destination Address: Click New Address, and enter 172.16.10.0/24
    4. Set Service: ANY
    5. Set Action: Tunnel
    6. Set Tunnel VPN: Sales_VPN
    7. Click OK
CLI:
set user "Remote_Sales" type ike
set user "Remote_Sales" ike-id "sales@ns.com" share-limit 25
set user "Remote_Sales" enable

set user-group "R_S" location local
set user-group "R_S" user "Remote_Sales"

set user "Joe" password "password4joe"
set user "Joe" type xauth
set user "Joe" enable
set user "Mike" password "password4mike"
set user "Mike" type xauth
set user "Mike" enable

set ike gateway "Sales" dialup "R_S" aggressive outgoing-interface ethernet0/0 preshare "sharedikeid" proposal "pre-g2-3des-sha"
set ike gateway "Sales" nat-traversal
set ike gateway "Sales" nat-traversal keepalive-frequency 5
set xauth default auth server "Local"
set vpn "Sales VPN" gateway "Sales" no-replay tunnel proposal "nopfs-esp-3des-sha"
unset vpn "Sales VPN" monitor

set address "Trust" "172.16.10.0/24" 172.16.10.0/24
set policy from "Untrust" to "Trust" "Dial-Up VPN" "172.16.10.0/24" "ANY" tunnel vpn "Sales VPN"

Configuration of NetScreen-Remote Side:

  1. Create New Policy by clicking the New Connection icon on upper left corner.  Label this new connection Corporate
  2. On Remote Party Identity and Addressing
    1. Set ID Type: IP Subnet
    2. Enter Subnet: 172.16.10.0
    3. Enter Netmask: 255.255.255.0
    4. Click Connect using Secure Gateway Tunnel
    5. Enter ID Type: IP Address: 1.1.1.1
  3. Expand the connection Corporate
    1. Click Security Policy
      1. Select Phase 1 Negotiation Mode: Aggressive
      2. De-Select Enable Perfect Forward Secrecy (PFS)
      3. De-select "Enable Replay Detection"
    2. Click My Identity
      1. Select Certificate: None
      2. ID Type: Email address: sales@ns.com
      3. Click Pre-Shared Key
      4. Click Enter Key
      5. Click OK
      6. Enter the Pre-shared key sharedikeid
    3. Expand Security Policy
      1. Expand Authentication (Phase 1)
        1. Select Proposal  1
        2. Authentication Method: Pre-Shared Key;Extended Authentication
        3. Encryption Alg: Triple DES
        4. Hash Alg: SHA
        5. SA Life: Unspecified
        6. Key Group: Diffie-Hellman Group 2
      2. Expand Key Exchange (Phase 2)
        1. Select Proposal 1
        2. Encrypt Alg. Triple DES
        3. Hash Alg. SHA
        4. Encapsulation: Tunnel
    4. Click Save

For information on configuring other IPSec VPN clients, refer to:


How this works:

During Phase 1 negotiations, the Firewall device first authenticates the VPN client by matching the VPN Tunnel IKE ID and preshared key sent from the client with that configured on the Firewall device. If there is a match, then the Firewall device will use XAuth to authenticate the individual user. A login prompt is sent from the Firewall to the user at the remote site. This occurs between Phase 1 and Phase 2 IKE negotiations. If the remote user successfully logs on with the correct user name and password, Phase 2 negotiations begin.

Now, an administrator can export this same SPD file to all remote users.  Every user will import the same SPD file into the NetScreen-Remote VPN Client.  When trying to build a tunnel, they will be required to enter their own XAuth Username and Password.  In this example, when Joe connects to the VPN, he will be prompted for a login.  He will enter Joe/netscreen.  When Mike connects to the VPN, he will be prompted for a login, and he will enter Mike/support.
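The Phase 1 / XAuth / Phase 2 order described above, applied to the CLI fragment earlier on this page, as an added example that is not Juniper's code: the script parses the article's `set` commands into a small model, lints the points the procedure stresses (an enabled IKE user in the dial-up group, an e-mail-form IKE ID, no XAuth on the shared IKE user, aggressive mode, a default XAuth server), and then replays the firewall-side checks in order: IKE ID plus preshared key, the share-limit, the individual XAuth login, and only then Phase 2. The `Firewall` class, its result strings, and the placement of the share-limit check are modelling assumptions, not ScreenOS internals; the sample configuration is the article's own CLI (with its share-limit of 25), and passwords are compared in plaintext only because this is a model.

```python
"""Added example (not Juniper's code): a model of this article's shared IKE ID flow.
It parses the article's ScreenOS 'set' lines, lints the points the procedure
stresses, and replays the order Phase 1 -> share-limit -> XAuth -> Phase 2."""
import hmac
import shlex
from dataclasses import dataclass, field

# Constructed input: the CLI fragment from the article (share-limit 25 as printed).
SCREENOS_CONFIG = """
set user "Remote_Sales" type ike
set user "Remote_Sales" ike-id "sales@ns.com" share-limit 25
set user "Remote_Sales" enable
set user-group "R_S" user "Remote_Sales"
set user "Joe" password "password4joe"
set user "Joe" type xauth
set user "Joe" enable
set user "Mike" password "password4mike"
set user "Mike" type xauth
set user "Mike" enable
set ike gateway "Sales" dialup "R_S" aggressive outgoing-interface ethernet0/0 preshare "sharedikeid" proposal "pre-g2-3des-sha"
set xauth default auth server "Local"
"""

@dataclass
class User:
    name: str
    types: set = field(default_factory=set)  # {"ike"} for the shared ID, {"xauth"} for a person
    ike_id: str = ""
    share_limit: int = 1                     # concurrent logins allowed under one IKE ID
    password: str = ""
    enabled: bool = False

def parse_config(text):
    """Users, user-groups, dial-up gateways (as dicts) and the XAuth server from 'set' lines."""
    users, groups, gateways, xauth_server = {}, {}, {}, None
    for line in text.splitlines():
        tok = shlex.split(line)                       # strips the quotes around names
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "user":
            u, rest = users.setdefault(tok[2], User(tok[2])), tok[3:]
            if rest[0] == "type":
                u.types |= set(rest[1:])
            elif rest[0] == "ike-id":
                u.ike_id = rest[1]
                if "share-limit" in rest:
                    u.share_limit = int(rest[rest.index("share-limit") + 1])
            elif rest[0] == "password":
                u.password = rest[1]
            elif rest[0] == "enable":
                u.enabled = True
        elif tok[1] == "user-group" and tok[3] == "user":
            groups.setdefault(tok[2], []).append(tok[4])
        elif tok[1:3] == ["ike", "gateway"] and "dialup" in tok:
            gateways[tok[3]] = {"group": tok[tok.index("dialup") + 1],
                                "aggressive": "aggressive" in tok,
                                "preshare": tok[tok.index("preshare") + 1]}
        elif tok[1:5] == ["xauth", "default", "auth", "server"]:
            xauth_server = tok[5]
    return users, groups, gateways, xauth_server

def lint_config(users, groups, gateways, xauth_server):
    """Findings for the mistakes the procedure warns about; an empty list means clean."""
    f = [] if xauth_server else ["no default XAuth authentication server is set"]
    for name, gw in gateways.items():
        if not gw["aggressive"]:
            f.append(f"gateway {name}: dial-up gateway must use aggressive mode")
        members = groups.get(gw["group"], [])
        if not members:
            f.append(f"gateway {name}: dial-up group {gw['group']} is missing or empty")
        for u in (users.get(n, User(n)) for n in members):
            if "ike" not in u.types or not u.enabled:
                f.append(f"group {gw['group']}: {u.name} is not an enabled IKE user")
            elif "@" not in u.ike_id:
                f.append(f"user {u.name}: shared IKE ID must be an e-mail address")
            if "xauth" in u.types:
                f.append(f"user {u.name}: shared IKE user must not also be an XAuth user")
    return f

class Firewall:
    def __init__(self, users, groups, gateways, xauth_server):
        self.users, self.groups, self.gateways = users, groups, gateways
        self.sessions = {}  # shared IKE user name -> tunnels currently up
    def connect(self, gw_name, ike_id, psk, xauth_name, xauth_pw):
        gw = self.gateways[gw_name]
        # Phase 1: IKE ID must be an enabled IKE user in the dial-up group, and the PSK must match.
        ike_user = next((self.users[n] for n in self.groups.get(gw["group"], [])
                         if n in self.users and self.users[n].enabled
                         and self.users[n].ike_id == ike_id), None)
        if ike_user is None or not hmac.compare_digest(psk.encode(), gw["preshare"].encode()):
            return "phase1-rejected"
        if self.sessions.get(ike_user.name, 0) >= ike_user.share_limit:
            return "share-limit-exceeded"
        # XAuth runs between Phase 1 and Phase 2 with the person's own credentials.
        xu = self.users.get(xauth_name)
        if (xu is None or "xauth" not in xu.types or not xu.enabled
                or not hmac.compare_digest(xauth_pw.encode(), xu.password.encode())):
            return "xauth-rejected"
        self.sessions[ike_user.name] = self.sessions.get(ike_user.name, 0) + 1  # Phase 2 proceeds
        return "tunnel-up"
```

Setting `users["Joe"].enabled = False` in the model stands in for disabling Joe's XAuth account when he leaves: his login is refused while Mike's still succeeds and the shared IKE ID in every exported SPD file stays unchanged, which is point 2 of the administration savings described at the top of the article. The 26th concurrent login under `sales@ns.com` is refused by the share-limit before XAuth is ever attempted.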



If you followed the steps above and now need help troubleshooting, refer to the VPN Configuration & Troubleshooting Guide.
Modification History:
2017-12-07: Article reviewed for accuracy. Added ScreenOS tag in the title. Article is correct and complete.