How To: Create Multiple Dial Up (Policy-Based) VPN using same IKE ID

Environment:

• Shared IKE ID
• Deploy large number of remote clients

Note:  This policy-based VPN example applies to ScreenOS 6.x. 

 

"Shared IKE ID".  This ScreenOS feature allows you to deploy and manage a large-scale distribution of VPN Clients, with minimal configuration on both the Firewall and the VPN client.  Administrators can deploy a single IKE tunnel ID for the VPN Clients and require each user to Authenticate with an individual ID. This saves administration work by:

1. Providing IPSec protection with a common VPN tunnel configuration and
2. Should an employee leave the company, the administrator is no longer required to re-deploy a new group user-id.

Example:  Assume two users, Mike and Joe, are trying to access a server on the trusted side of the Juniper Firewall. The Administrator wants to deploy a single VPN Dial-up User configuration and have each user authenticated individually.

 

 

	VPN Client	NetScreen FW
Shared IKE User		Remote_Sales
Shared IKE ID	salestest@host.example.com	salestest@host.example.com
User Group		R_S
XAuth User 1/ Password	Joe/password1
XAuth User 2 / Password	Mike/password2
Phase 1 Proposals	Preshared Secret;Extended Authentication Triple DES; SHA; Diffie-Hellman Group 2	pre-g2-3des-sha
Phase 2 Proposals	Triple DES; SHA-1	nopfs-esp-3des-sha

 

The basic steps in deploying this configuration is as follows:

ScreenOS Firewall Side:

1. Define an IKE ID User (Without xauth authentication)
2. Assign the IKE ID User from step 1 to a new Dial Up User Group
3. Define separate XAuth Users (with no IKE ID configuration)
4. Define IKE Phase 1 Gateway, and DO NOT SELECT "Use as Seed"
5. Define IKE Phase 2 VPN as usual
6. Define Dial Up VPN policy as usual

VPN Client Side:

1. Enter Remote Party Identity and Address, and Secure Gateway Tunnel as normal
2. Under My Identity, select ID type email address, and enter the IKE ID from step 2 on the NetScreen Side procedure
3. Click Pre-Shared Key, and enter the preshared key defined from step 4 on the NetScreen Side procedure
4. Configure Phase 1 for Xauth and Phase 2 to match the configuration on the NetScreen side

 

---

Configuration of ScreenOS Firewall Side:

WebUI

1. Create Local Users.  Select: Objects > Users > Local
   1. Create User: Remote_Sales.  Click New and enter the following:
      • Username: Remote_Sales
      • Enable IKE User (Do not select XAuth User)
      • Number of Multiple Logins with Same ID: 250 (Choose whatever number of simultaneous users you want logging in under this IKE ID. 
      • Click Simple Identity
      • IKE ID Type:  AUTO
      • IKE Identity: salestest@host.example.com    (Note: IKE ID must be an e-mail address)
   2. Click OK
   3. Create User: Joe.  Click New and enter the following:
      • Username: Joe
      • Click XAuth User (Do not select IKE User)
      • User Password: password4joe
      • Confirm Password: password4joe
   4. Click OK
   5. Create User: Mike.  Click New and enter the following:
      • Username: Mike
      • Click XAuth User (Do not select IKE User)
      • User Password: password4mike
      • Confirm Password: password4mike
   6. Click OK
2. Create a Local Group.  Select: Objects > Users > Local Groups
   1. Click New
   2. Enter Group Name: R_S
   3. Under Available Members, select Remote_Sales, and click << directional button
   4. Click OK
3. Add the Gateway.  Select VPNs > AutoKey Advanced > Gateway
   Note:  If you do not have an Authentication Server configured for XAuth, refer to the Example: RADIUS Auth Server on p.33 of the ScreenOS Concepts & Examples Guide - Vol 9 - Authentication Servers.
   1. Click New
   2. Enter Gateway Name: Sales
   3. Click Dialup User Group, and select R_S from the Group pulldown menu
   4. Click Advanced
   5. Preshared Key: sharedikeid (Do not enable "Use as Seed"; parameter to be used when configuring Group IKE ID with Global Pro/Express)
   6. Outgoing Interface: ethernet0/0 (Choose whatever interface is your outgoing interface to the Internet)
   7. Click Security Level: Select Custom, and select Phase 1 Proposal pre-g2-3des-sha
   8. Click Mode (Initiator): Aggressive
   9. Click Enable NAT-Traversal
   10. Click Return
   11. Click OK
4. Set the XAuth settings: Select  VPNs > AutoKey Advanced > XAuth Settings
   1. Default Authentication Server:  From pull-down, select your XAuth Server.
   2. Click Apply
5. Create the AutoKey IKE.  Select VPNs > AutoKey IKE
   1. Click New
   2. Enter VPN Name: Sales VPN
   3. Select Remote Gateway: Click Predefined, and select Sales from the pulldown menu
   4. Click Advanced and Click Return
   5. Select Security Level: Select Custom, and select Phase 2 Proposal nopfs-esp-3des-sha
   6. Click OK
6. Configure the Policies.  Select Policy > Policies
   1. Select From Untrust to Trust zone, and click New
   2. Enter Source Address:Click Address Book, and select Dial-Up VPN
   3. Enter Destination Address: Click New Address, and enter 172.16.10.0/24
   4. Set Service: ANY
   5. Set Action: Tunnel
   6. Set Tunnel VPN: Sales_VPN
   7. Click OK

CLI:

set user "Remote_Sales" type ike
set user "Remote_Sales" ike-id "salestest@host.example.com" share-limit 25
set user "Remote_Sales" enable

set user-group "R_S" location local
set user-group "R_S" user "Remote_Sales"

set user "Joe" password "password4joe"
set user "Joe" type xauth
set user "Joe" enable
set user "Mike" password "password4mike"
set user "Mike" type xauth
set user "Mike" enable

set ike gateway "Sales" dialup "R_S" aggressive outgoing-interface ethernet0/0 preshare "sharedikeid" proposal "pre-g2-3des-sha"
set ike gateway "Sales" nat-traversal
set ike gateway "Sales" nat-traversal keepalive-frequency 5
set xauth default auth server "Local"
set vpn "Sales VPN" gateway "Sales" no-replay tunnel proposal "nopfs-esp-3des-sha"
unset vpn "Sales VPN" monitor

set address "Trust" "172.16.10.0/24" 172.16.10.0/24
set policy from "Untrust" to "Trust" "Dial-Up VPN" "172.16.10.0/24" "ANY" tunnel vpn "Sales VPN"

 

For information on configuring VPN clients, refer to:

KB17364 - Example configuration of NCP Client

KB22074 - How to configure Shrew Soft VPN client to work with NetScreen Firewalls

 

---

How this works:

During Phase 1 negotiations, the Firewall device first authenticates the VPN client by matching the VPN Tunnel IKE ID and preshared key sent from the client with that configured on the Firewall device. If there is a match, then the Firewall device will use XAuth to authenticate the individual user. A login prompt is sent from the Firewall to the user at the remote site. This occurs between Phase 1 and Phase 2 IKE negotiations. If the remote user successfully logs on with the correct user name and password, Phase 2 negotiations begin.

Now, an administrator can export this same SPD file to all remote users.  Every user will import the same spd file into the VPN Client.  When trying to build a tunnel, they will be required to enter their own XAuth Username and Password.  In this example, when Joe hooks up to the VPN, he will be prompted for a login.  He will enter Joe/password1.  When Mike wants to hook up to the VPN, he will be prompted for a login, and he will enter Mike/password2.

2017-12-07: Article reviewed for accuracy. Added ScreenOS tag in the title. . Article is correct and complete.
2020-03-11: removed references to NS Remote (as its EOS)