Policy-based VPN - Both Sides have Static IPs using Pre-shared Keys in ScreenOS 6.x

Environment:

• Pre-shared secrets
• Policy Based VPN
• Static IP Addresses on both gateways of VPN

This example assumes static IP addresses are assigned on both VPN devices in the VPN tunnel. 
The pre-shared secret used is netscreen. 
The matrix below will show the proposals we will use for this example:

Site	A	B
Untrust IP of Firewall	1.1.1.1 (eth0/0)	2.2.2.1 (eth0/0)
Trust Network	10.1.1.0/24	172.16.10.0/24
Phase 1 Proposal	pre-g2-3des-sha	pre-g2-3des-sha
Phase 2 Proposal	g2-esp-3des-sha	g2-esp-3des-sha

Instructions via the WebUI and CLI are provided below.
 

WebUI - Site A:

1. Click VPNs > AutoKey Advanced > Gateway

2. Click New

   1. Gateway Name: Site B GW
   2. Remote Gateway: Click Static, and enter IP address 2.2.2.1
   3. Click Advanced
   4. Preshared Key: netscreen
   5. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
   6. Security Level, User-defined:  Select Custom, and select Phase 1 Proposal:  pre-g2-3des-sha
   7. Mode (Initiator): Main
   8. Click Return
   9. Click OK

3. Click VPNs > Autokey IKE

4. Click New

   1. VPN Name: Site B VPN
   2. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
   3. Click Advanced
   4. Security Level, User Defined:  Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
   5. Click VPN Monitor  (recommended)
   6. Click Optimized  (recommended)
   7. Click Rekey  (recommended)
   8. Click Return
   9. Click OK (Important)

5. Click Policy > Policies

6. Select From Trust to Untrust Zone, and click New

   1. Source Address: Click New Address, and enter 10.1.1.0/24
   2. Destination Address: Click New Address, and enter 172.16.10.0/24
   3. Service: Any
   4. Action: Tunnel
   5. Tunnel: Site B VPN
   6. Check Modify matching bidirectional VPN policy
   7. Position at Top: Enabled
   8. Click Ok
       

WebUI - Site B:

1. Click VPNs > AutoKey Advanced > Gateway

2. Click New

   1. Gateway Name: Site A GW
   2. Remote Gateway: Click Static, and enter IP address 1.1.1.1
   3. Click Advanced
   4. Preshared Key: netscreen
   5. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
   6. Security Level, User-defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
   7. Mode (Initiator): Main
   8. Click Return
   9. Click OK

3. Click VPNs > Autokey IKE

4. Click New

   1. VPN Name: Site A VPN
   2. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
   3. Click Advanced
   4. Security Level, User Defined:  Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
   5. Click VPN Monitor  (recommended)
   6. Click Optimized  (recommended)
   7. Click Rekey  (recommended)
   8. Click Return
   9. Click OK (Important)

5. Click Policy > Policies

6. Select From Trust to Untrust Zone, and click New

   1. Source Address: Click New Address, and enter 172.16.10.0/24
   2. Destination Address: Click New Address, and enter 10.1.1.0/24
   3. Service: Any
   4. Action: Tunnel
   5. Tunnel: Site A VPN
   6. Check Modify matching bidirectional VPN policy
   7. Position at Top: Enabled
   8. Click Ok
       

CLI - Site A:

1. Set interfaces:

   set interface e1/1 zone trust
set interface e1/1 ip 10.1.1.1/24
set interface e1/1 nat
set interface e1/2 zone untrust
set interface e1/2 ip 1.1.1.1/24



2. Create address book entries:

3. set address Trust "10.1.1.0/24" 10.1.1.0/24
set address Untrust "172.16.10.0/24" 172.16.10.0/24

4. Create a preshared key VPN:

5. set ike gateway "site B GW" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site B VPN" gateway "site B GW" proposal "g2-esp-3des-sha"
set vpn "site B VPN" monitor optimized rekey

6. Create policies:

7. set policy id 1 top from trust to untrust "10.1.1.0/24" "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site B VPN" pair-policy 2
set policy id 2 top from untrust to trust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site B VPN" pair-policy 1
save
    

CLI - Site B:

1. Set interfaces:

   set interface e1/1 zone trust
set interface e1/1 ip 172.16.10.1/24
set interface e1/1 nat
set interface e1/2 zone untrust
set interface e1/2 ip 2.2.2.2/24

2. Create address book entries:

3. set address trust "172.16.10.0/24" 172.16.10.0/24
set address untrust  "10.1.1.0/24" 10.1.1.0/24

4. Create a preshared key VPN:

5. set ike gateway "site A GW" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site A VPN" gateway "site A GW" proposal "g2-esp-3des-sha"
set vpn "site A VPN" monitor optimized rekey

6. Create policies:

7. set policy id 1 top from trust to untrust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site A VPN" pair-policy 2
set policy id 2 top from untrust to trust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site A VPN" pair-policy 1
save
    

Configuration Examples in Technical Documentation:

Note: You should use only the VPN monitor, optimized and rekey ,when creating a VPN between Juniper devices. This has been known to cause issues between Juniper and non-Juniper devices, as it is proprietary. Refer to the following articles, if you are using VPN monitoring and the VPN is going down:

• KB11131 - [ScreenOS] How to troubleshoot a VPN monitoring issue - SA status is A/D (active/down)
• KB8530 - How to use VPN Monitoring with a non-ScreenOS device at the remote-end of a VPN tunnel.

If you have performed the above steps and need help with troubleshooting, refer to the VPN Configuration & Troubleshooting Guide.