[ScreenOS] How do I create a Policy Based LAN to LAN VPN using Preshared Keys (ScreenOS 6.0 and later)

[KB15074]


Summary:

Policy-based VPN - Both Sides have Static IPs using Pre-shared Keys in ScreenOS 6.x

Environment:

  • Pre-shared secrets
  • Policy Based VPN
  • Static IP Addresses on both gateways of VPN
Solution:

This example assumes that both VPN devices have static IP addresses on their Untrust interfaces.
The pre-shared key used throughout is netscreen. It is a placeholder for the example only; a production tunnel should use a long, randomly generated key that is entered identically on both gateways.
The table below shows the addressing and the proposals used for this example (the WebUI steps name the Untrust interface ethernet0/0; the CLI steps use e1/2 for Untrust and e1/1 for Trust):

                          Site A              Site B
  Untrust IP of firewall  1.1.1.1             2.2.2.1
  Trust network           10.1.1.0/24         172.16.10.0/24
  Phase 1 proposal        pre-g2-3des-sha     pre-g2-3des-sha
  Phase 2 proposal        g2-esp-3des-sha     g2-esp-3des-sha

The proposals above use 3DES, SHA-1 and Diffie-Hellman group 2 because that is what this article was written against. ScreenOS 6.x also ships the predefined AES proposals pre-g2-aes128-sha (Phase 1) and g2-esp-aes128-sha (Phase 2), which are the better choice wherever both gateways support them. Whatever is chosen, the Phase 1 proposal must be a pre-shared-key proposal (its name starts with pre-), and the proposals and the pre-shared key must match exactly on both sides or the tunnel will not come up.


Instructions via the WebUI and CLI are provided below.
 

WebUI - Site A:

  1. Click VPNs > AutoKey Advanced > Gateway

  2. Click New

    1. Gateway Name: Site B GW
    2. Remote Gateway: Click Static, and enter IP address 2.2.2.1
    3. Click Advanced
    4. Preshared Key: netscreen
    5. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
    6. Security Level, User-defined:  Select Custom, and select Phase 1 Proposal:  pre-g2-3des-sha
    7. Mode (Initiator): Main
    8. Click Return
    9. Click OK
  3. Click VPNs > Autokey IKE

  4. Click New

    1. VPN Name: Site B VPN
    2. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
    3. Click Advanced
    4. Security Level, User Defined:  Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
    5. Click VPN Monitor  (recommended between two Juniper devices; see the note at the end of this article)
    6. Click Optimized  (recommended)
    7. Click Rekey  (recommended)
    8. Click Return
    9. Click OK (Important)
  5. Click Policy > Policies

  6. Select From Trust to Untrust Zone, and click New

    1. Source Address: Click New Address, and enter 10.1.1.0/24
    2. Destination Address: Click New Address, and enter 172.16.10.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site B VPN
    6. Check Modify matching bidirectional VPN policy
    7. Position at Top: Enabled
    8. Click OK
       

WebUI - Site B:

  1. Click VPNs > AutoKey Advanced > Gateway

  2. Click New

    1. Gateway Name: Site A GW
    2. Remote Gateway: Click Static, and enter IP address 1.1.1.1
    3. Click Advanced
    4. Preshared Key: netscreen
    5. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
    6. Security Level, User-defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
    7. Mode (Initiator): Main
    8. Click Return
    9. Click OK
  3. Click VPNs > Autokey IKE

  4. Click New

    1. VPN Name: Site A VPN
    2. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
    3. Click Advanced
    4. Security Level, User Defined:  Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
    5. Click VPN Monitor  (recommended between two Juniper devices; see the note at the end of this article)
    6. Click Optimized  (recommended)
    7. Click Rekey  (recommended)
    8. Click Return
    9. Click OK (Important)
  5. Click Policy > Policies

  6. Select From Trust to Untrust Zone, and click New

    1. Source Address: Click New Address, and enter 172.16.10.0/24
    2. Destination Address: Click New Address, and enter 10.1.1.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site A VPN
    6. Check Modify matching bidirectional VPN policy
    7. Position at Top: Enabled
    8. Click OK
       

CLI - Site A:

  1. Set interfaces:

    set interface e1/1 zone trust
    set interface e1/1 ip 10.1.1.1/24
    set interface e1/1 nat
    set interface e1/2 zone untrust
    set interface e1/2 ip 1.1.1.1/24

  2. Create address book entries:

    set address Trust "10.1.1.0/24" 10.1.1.0/24
    set address Untrust "172.16.10.0/24" 172.16.10.0/24

  3. Create a preshared key VPN:

    set ike gateway "site B GW" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
    set vpn "site B VPN" gateway "site B GW" proposal "g2-esp-3des-sha"
    set vpn "site B VPN" monitor optimized rekey

  4. Create policies. After the zones, the arguments are source address, destination address and service, in that order; pair-policy links the two policies so that the tunnel is used in both directions:

    set policy id 1 top from trust to untrust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site B VPN" pair-policy 2
    set policy id 2 top from untrust to trust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site B VPN" pair-policy 1
    save

     

CLI - Site B:

  1. Set interfaces (the Untrust address must be 2.2.2.1, the address Site A's gateway points at):

    set interface e1/1 zone trust
    set interface e1/1 ip 172.16.10.1/24
    set interface e1/1 nat
    set interface e1/2 zone untrust
    set interface e1/2 ip 2.2.2.1/24

  2. Create address book entries:

    set address Trust "172.16.10.0/24" 172.16.10.0/24
    set address Untrust "10.1.1.0/24" 10.1.1.0/24

  3. Create a preshared key VPN:

    set ike gateway "site A GW" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
    set vpn "site A VPN" gateway "site A GW" proposal "g2-esp-3des-sha"
    set vpn "site A VPN" monitor optimized rekey

  4. Create policies:

    set policy id 1 top from trust to untrust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site A VPN" pair-policy 2
    set policy id 2 top from untrust to trust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site A VPN" pair-policy 1
    save
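Most failures of a tunnel like this one come from the two sides not mirroring each other: the gateway address on one side is not the other side's Untrust IP, a proposal or the pre-shared key was typed differently, or the two policies do not reference each other. The script below is an added example written for this article (it is not Juniper tooling and not part of the original KB): it parses the set lines from both CLI sections above and reports those mismatches. The embedded configurations are the two sides shown above, reduced to the lines the checks read; the list of placeholder keys, the 20-character key length and the message wording are this example's own assumptions.

```python
# Added example, not Juniper tooling: parse both peers' ScreenOS CLI configurations for a
# policy-based pre-shared-key VPN and report the mismatches that stop IKE Phase 1 or Phase 2.
import ipaddress
import re

RE_ZONE = re.compile(r'^set interface (\S+) zone (\S+)$')
RE_IP = re.compile(r'^set interface (\S+) ip (\S+)$')
RE_GW = re.compile(r'^set ike gateway "([^"]+)" address (\S+) (main|aggressive) '
                   r'outgoing-interface (\S+) preshare (\S+) proposal (\S+)$')
RE_VPN = re.compile(r'^set vpn "([^"]+)" gateway "([^"]+)" proposal "([^"]+)"$')
RE_POL = re.compile(r'^set policy id (\d+) (?:top )?from (\S+) to (\S+) "([^"]+)" '
                    r'"([^"]+)" (\S+) tunnel vpn "([^"]+)"(?: pair-policy (\d+))?$')
WEAK_PSKS = {"netscreen", "juniper", "password"}  # assumed lab placeholders; never use in production


def parse(text):
    """Read only the statements the checks need; nat, address, monitor and save lines are skipped."""
    p = {"zone": {}, "ip": {}, "gw": None, "vpn": None, "pol": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := RE_ZONE.match(line):
            p["zone"][m[1]] = m[2].lower()
        elif m := RE_IP.match(line):
            p["ip"][m[1]] = m[2]
        elif m := RE_GW.match(line):
            p["gw"] = dict(name=m[1], addr=m[2], mode=m[3], iface=m[4], psk=m[5], p1=m[6])
        elif m := RE_VPN.match(line):
            p["vpn"] = dict(name=m[1], gw=m[2], p2=m[3])
        elif m := RE_POL.match(line):
            p["pol"][m[1]] = dict(frm=m[2].lower(), to=m[3].lower(), src=m[4],
                                  dst=m[5], vpn=m[7], pair=m[8])
    return p


def untrust_ip(p):
    """Host address of the interface placed in the Untrust zone, or None if there is none."""
    ifaces = [i for i, z in p["zone"].items() if z == "untrust" and i in p["ip"]]
    return str(ipaddress.ip_interface(p["ip"][ifaces[0]]).ip) if ifaces else None


def check_side(tag, p):
    """Checks that need only one peer's configuration."""
    gw, vpn, out = p["gw"], p["vpn"], []
    if gw is None or vpn is None:
        return [f"{tag}: missing 'set ike gateway' or 'set vpn' line"]
    if p["zone"].get(gw["iface"]) != "untrust":
        out.append(f"{tag}: outgoing-interface {gw['iface']} is not in the Untrust zone")
    if vpn["gw"] != gw["name"]:
        out.append(f"{tag}: vpn is bound to gateway '{vpn['gw']}' but the gateway is '{gw['name']}'")
    if gw["psk"].lower() in WEAK_PSKS or len(gw["psk"]) < 20:  # 20 is this example's own threshold
        out.append(f"{tag}: pre-shared key is a placeholder or too short")
    for pid, pol in p["pol"].items():
        pair = p["pol"].get(pol["pair"])
        if pol["vpn"] != vpn["name"]:
            out.append(f"{tag}: policy {pid} tunnels to '{pol['vpn']}', not '{vpn['name']}'")
        if pair is None or (pair["src"], pair["dst"], pair["frm"]) != (pol["dst"], pol["src"], pol["to"]):
            out.append(f"{tag}: policy {pid} has no mirror-image pair-policy")
    return out


def cross_check(a, b):
    """Checks between the two peers; an empty list means the pair is consistent."""
    out = check_side("A", a) + check_side("B", b)
    if None in (a["gw"], b["gw"], a["vpn"], b["vpn"]):
        return out
    for tag, me, peer in (("A", a, b), ("B", b, a)):
        if me["gw"]["addr"] != untrust_ip(peer):
            out.append(f"{tag}: gateway address {me['gw']['addr']} is not the peer's Untrust IP {untrust_ip(peer)}")
    for key, what in (("p1", "Phase 1 proposal"), ("psk", "pre-shared key"), ("mode", "IKE mode")):
        if a["gw"][key] != b["gw"][key]:
            out.append(f"{what} differs between A and B")
    if a["vpn"]["p2"] != b["vpn"]["p2"]:
        out.append("Phase 2 proposal differs between A and B")
    # Proxy IDs come from the policy addresses, so A's Trust->Untrust policy must mirror B's.
    oa = [x for x in a["pol"].values() if x["frm"] == "trust"]
    ob = [x for x in b["pol"].values() if x["frm"] == "trust"]
    if oa and ob and (oa[0]["src"], oa[0]["dst"]) != (ob[0]["dst"], ob[0]["src"]):
        out.append("Trust-to-Untrust policies on A and B do not mirror each other")
    return out


# Constructed input: the two CLI sections of this article, reduced to the lines the checks read.
SITE_A = """set interface e1/2 zone untrust
set interface e1/2 ip 1.1.1.1/24
set ike gateway "site B GW" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site B VPN" gateway "site B GW" proposal "g2-esp-3des-sha"
set policy id 1 top from trust to untrust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site B VPN" pair-policy 2
set policy id 2 top from untrust to trust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site B VPN" pair-policy 1"""
SITE_B = """set interface e1/2 zone untrust
set interface e1/2 ip 2.2.2.1/24
set ike gateway "site A GW" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site A VPN" gateway "site A GW" proposal "g2-esp-3des-sha"
set policy id 1 top from trust to untrust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site A VPN" pair-policy 2
set policy id 2 top from untrust to trust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site A VPN" pair-policy 1"""


def findings(site_a=SITE_A, site_b=SITE_B):
    """Findings for a pair of configurations; the article's own pair yields only the placeholder-PSK warnings."""
    return cross_check(parse(site_a), parse(site_b))


if __name__ == "__main__":
    print("\n".join(findings()))
    # A mistyped Untrust address on B shows up as a gateway-address mismatch reported against A.
    print("\n".join(findings(site_b=SITE_B.replace("2.2.2.1/24", "2.2.2.2/24"))))
```

Run against the two sides as written above, the only findings are the placeholder pre-shared key on each side. Mistyping Site B's Untrust address (2.2.2.2 instead of 2.2.2.1) adds a gateway-address mismatch against Site A, which is the Phase 1 failure you would otherwise only discover from the IKE logs; changing a proposal on one side, or dropping the pair-policy from one policy, is reported the same way. The parser matches the exact statement forms used in this article, so configurations that use other options (aggressive mode is accepted, certificate-based gateways are not) would need the patterns extended.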

     

Configuration Examples in Technical Documentation:

ScreenOS Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks

Chapter 4 -- Site-to-Site Virtual Private Networks
“Policy-Based Site-to-Site VPN, AutoKey IKE” Example
“Policy-Based Site-to-Site VPN, Dynamic Peer” Example
“Policy-Based Site-to-Site VPN, Manual Key” Example
“Transparent Mode VPN” Example

 


Note: Use VPN monitor, optimized and rekey only when creating a VPN between Juniper devices. VPN monitoring is proprietary and has been known to cause issues between Juniper and non-Juniper devices. If you are using VPN monitoring and the VPN is going down, refer to the following articles:

If you have performed the above steps and need help with troubleshooting, refer to the VPN Configuration & Troubleshooting Guide. Two quick checks on either gateway are get ike cookie, which shows whether Phase 1 completed with the peer, and get sa, which lists the Phase 2 security associations for the tunnel; if the first shows nothing for the peer address, check the gateway address, the Phase 1 proposal and the pre-shared key on both sides before anything else.
 

Modification History:
2017-11-29: Article reviewed for accuracy. No changes made. Article is correct and complete.