Policy-based VPN - Both Sides have Static IPs using Pre-shared Keys in ScreenOS 6.x
This example assumes that static IP addresses are assigned to both VPN devices in the tunnel, so Main mode with a pre-shared key can be used on both sides.
The pre-shared secret used is netscreen. This is an example value only: in production, use a long random secret that is not reused across tunnels, and enter the identical value on both peers, since a mismatched key fails in Phase 1.
The proposals below are the ones used in this example; they must match on both sides. They are legacy ScreenOS proposals (3DES, SHA-1, DH group 2); where both peers support it, prefer the AES proposals (for example pre-g2-aes128-sha and g2-esp-aes128-sha) or a larger DH group.
Site                     A                     B
Untrust IP of Firewall   1.1.1.1 (eth0/0)      2.2.2.1 (eth0/0)
Trust Network            10.1.1.0/24           172.16.10.0/24
Phase 1 Proposal         pre-g2-3des-sha       pre-g2-3des-sha
Phase 2 Proposal         g2-esp-3des-sha       g2-esp-3des-sha
Instructions via the WebUI and CLI are provided below.
WebUI - Site A:
- Click VPNs > AutoKey Advanced > Gateway
- Click New
- Gateway Name: Site B GW
- Remote Gateway: Click Static, and enter IP address 2.2.2.1
- Click Advanced
- Preshared Key: netscreen
- Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
- Security Level, User-defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
- Mode (Initiator): Main
- Click Return
- Click OK
- Click VPNs > AutoKey IKE
- Click New
- VPN Name: Site B VPN
- Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
- Click Advanced
- Security Level, User-defined: Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
- Click VPN Monitor (recommended)
- Click Optimized (recommended)
- Click Rekey (recommended)
- Click Return
- Click OK (Important)
- Click Policy > Policies
- Select From Trust to Untrust Zone, and click New
- Source Address: Click New Address, and enter 10.1.1.0/24
- Destination Address: Click New Address, and enter 172.16.10.0/24
- Service: Any
- Action: Tunnel
- Tunnel: Site B VPN
- Check Modify matching bidirectional VPN policy
- Position at Top: Enabled
- Click OK
WebUI - Site B:
- Click VPNs > AutoKey Advanced > Gateway
- Click New
- Gateway Name: Site A GW
- Remote Gateway: Click Static, and enter IP address 1.1.1.1
- Click Advanced
- Preshared Key: netscreen
- Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
- Security Level, User-defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
- Mode (Initiator): Main
- Click Return
- Click OK
- Click VPNs > AutoKey IKE
- Click New
- VPN Name: Site A VPN
- Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
- Click Advanced
- Security Level, User-defined: Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
- Click VPN Monitor (recommended)
- Click Optimized (recommended)
- Click Rekey (recommended)
- Click Return
- Click OK (Important)
- Click Policy > Policies
- Select From Trust to Untrust Zone, and click New
- Source Address: Click New Address, and enter 172.16.10.0/24
- Destination Address: Click New Address, and enter 10.1.1.0/24
- Service: Any
- Action: Tunnel
- Tunnel: Site A VPN
- Check Modify matching bidirectional VPN policy
- Position at Top: Enabled
- Click OK
CLI - Site A:
- Set interfaces (the CLI example uses ethernet1/1 as the Trust interface and ethernet1/2 as the Untrust interface; substitute your own interface names):
set interface e1/1 zone trust
set interface e1/1 ip 10.1.1.1/24
set interface e1/1 nat
set interface e1/2 zone untrust
set interface e1/2 ip 1.1.1.1/24
- Create address book entries:
set address trust "10.1.1.0/24" 10.1.1.0/24
set address untrust "172.16.10.0/24" 172.16.10.0/24
- Create a preshared key VPN (the gateway address is Site B's Untrust IP, and the outgoing interface is this firewall's Untrust interface):
set ike gateway "site B GW" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site B VPN" gateway "site B GW" proposal "g2-esp-3des-sha"
set vpn "site B VPN" monitor optimized rekey
- Create policies (one source address and one destination address per policy, paired in both directions):
set policy id 1 top from trust to untrust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site B VPN" pair-policy 2
set policy id 2 top from untrust to trust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site B VPN" pair-policy 1
save
CLI - Site B:
- Set interfaces (the CLI example uses ethernet1/1 as the Trust interface and ethernet1/2 as the Untrust interface; substitute your own interface names). The Untrust IP must be 2.2.2.1, the address Site A's IKE gateway points at:
set interface e1/1 zone trust
set interface e1/1 ip 172.16.10.1/24
set interface e1/1 nat
set interface e1/2 zone untrust
set interface e1/2 ip 2.2.2.1/24
- Create address book entries:
set address trust "172.16.10.0/24" 172.16.10.0/24
set address untrust "10.1.1.0/24" 10.1.1.0/24
- Create a preshared key VPN (the gateway address is Site A's Untrust IP; key and proposals must be identical to Site A's):
set ike gateway "site A GW" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site A VPN" gateway "site A GW" proposal "g2-esp-3des-sha"
set vpn "site A VPN" monitor optimized rekey
- Create policies:
set policy id 1 top from trust to untrust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site A VPN" pair-policy 2
set policy id 2 top from untrust to trust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site A VPN" pair-policy 1
save
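Most failures with this kind of tunnel come from the two halves not mirroring each other: the IKE gateway address on one side not equal to the other side's Untrust interface IP, a key or proposal typed differently, or a policy line with the wrong number of tokens. The script below is an added example, not from the article or from Juniper: it renders both sites' CLI from the single parameter table above and then cross-checks the two outputs. The site values are the article's; the interface names ethernet1/1 and ethernet1/2, the Site class and the helper names are assumptions for this example.

```python
"""Added example (not from the Juniper KB article): render the two mirror-image
ScreenOS CLI configurations from one parameter table and cross-check them.
Site values are the article's; interface names ethernet1/1 and ethernet1/2 and
the helper names are assumptions for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str         # label used in the gateway/VPN object names
    untrust_if: str   # interface facing the Internet (assumed name)
    untrust_ip: str   # its address in CIDR form
    trust_if: str     # inside interface (assumed name)
    trust_ip: str     # its address in CIDR form
    trust_net: str    # protected network behind this site


PSK = "netscreen"          # the article's example secret; use a long random value in production
P1 = "pre-g2-3des-sha"     # Phase 1 proposal from the article
P2 = "g2-esp-3des-sha"     # Phase 2 proposal from the article

SITE_A = Site("A", "ethernet1/2", "1.1.1.1/24", "ethernet1/1", "10.1.1.1/24", "10.1.1.0/24")
SITE_B = Site("B", "ethernet1/2", "2.2.2.1/24", "ethernet1/1", "172.16.10.1/24", "172.16.10.0/24")


def render_site(me: Site, peer: Site) -> list[str]:
    """ScreenOS commands for `me`, with the IKE gateway pointing at `peer`."""
    peer_ip = peer.untrust_ip.split("/")[0]
    gw, vpn = f"site {peer.name} GW", f"site {peer.name} VPN"
    return [
        f"set interface {me.trust_if} zone trust",
        f"set interface {me.trust_if} ip {me.trust_ip}",
        f"set interface {me.trust_if} nat",
        f"set interface {me.untrust_if} zone untrust",
        f"set interface {me.untrust_if} ip {me.untrust_ip}",
        f'set address trust "{me.trust_net}" {me.trust_net}',
        f'set address untrust "{peer.trust_net}" {peer.trust_net}',
        f'set ike gateway "{gw}" address {peer_ip} main outgoing-interface {me.untrust_if} '
        f"preshare {PSK} proposal {P1}",
        f'set vpn "{vpn}" gateway "{gw}" proposal "{P2}"',
        f'set vpn "{vpn}" monitor optimized rekey',
        f'set policy id 1 top from trust to untrust "{me.trust_net}" "{peer.trust_net}" any '
        f'tunnel vpn "{vpn}" pair-policy 2',
        f'set policy id 2 top from untrust to trust "{peer.trust_net}" "{me.trust_net}" any '
        f'tunnel vpn "{vpn}" pair-policy 1',
        "save",
    ]


# Patterns for the lines whose values must agree between the two sides.
_IF = re.compile(r'^set interface (\S+) ip (\S+)$')
_GW = re.compile(r'^set ike gateway "[^"]+" address (\S+) main outgoing-interface (\S+) '
                 r'preshare (\S+) proposal (\S+)$')
_VPN = re.compile(r'^set vpn "[^"]+" gateway "[^"]+" proposal "([^"]+)"$')
_POL = re.compile(r'^set policy id \d+ top from \S+ to \S+ "[^"]+" "[^"]+" \S+ '
                  r'tunnel vpn "[^"]+" pair-policy \d+$')


def _facts(cmds: list[str]) -> dict:
    """Pull the peer address, outgoing interface, key, proposals and interface IPs out of one side."""
    facts: dict = {"if_ip": {}, "bad_policy": []}
    for c in cmds:
        if m := _IF.match(c):
            facts["if_ip"][m[1]] = m[2].split("/")[0]
        elif m := _GW.match(c):
            facts.update(peer=m[1], out_if=m[2], psk=m[3], p1=m[4])
        elif m := _VPN.match(c):
            facts["p2"] = m[1]
        elif c.startswith("set policy") and not _POL.match(c):
            facts["bad_policy"].append(c)   # wrong token count, e.g. a duplicated address
    return facts


def check_pair(a_cmds: list[str], b_cmds: list[str]) -> list[str]:
    """Return mismatches between the two sides; an empty list means they mirror each other."""
    a, b = _facts(a_cmds), _facts(b_cmds)
    problems = []
    for me, other, label in ((a, b, "A"), (b, a, "B")):
        expected = other["if_ip"].get(other.get("out_if"))
        if me.get("peer") != expected:
            problems.append(f"site {label}: IKE gateway address {me.get('peer')} "
                            f"is not the peer's outgoing-interface IP {expected}")
        problems += [f"site {label}: malformed policy line: {c}" for c in me["bad_policy"]]
    for key in ("psk", "p1", "p2"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    return problems


if __name__ == "__main__":
    for site, peer in ((SITE_A, SITE_B), (SITE_B, SITE_A)):
        print(f"# CLI - Site {site.name}")
        print("\n".join(render_site(site, peer)))
    print(check_pair(render_site(SITE_A, SITE_B), render_site(SITE_B, SITE_A)) or "OK: both sides agree")
```

Run it as-is and it prints both CLI sections followed by "OK: both sides agree". Feed check_pair a hand-edited config instead (for example Site B's Untrust interface set to 2.2.2.2 while Site A's gateway still points at 2.2.2.1, or a policy line with a third quoted address) and it reports the exact line that will keep Phase 1 or the policy lookup from succeeding.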
Configuration Examples in Technical Documentation:
ScreenOS Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks
Chapter 4 -- Site-to-Site Virtual Private Networks
“Policy-Based Site-to-Site VPN, AutoKey IKE” Example
“Policy-Based Site-to-Site VPN, Dynamic Peer” Example
“Policy-Based Site-to-Site VPN, Manual Key” Example
“Transparent Mode VPN” Example
Note: Use the VPN monitor, optimized and rekey options only when creating a VPN between Juniper devices. VPN monitoring is proprietary and has been known to cause issues between Juniper and non-Juniper devices. If you are using VPN monitoring and the VPN is going down, refer to the following articles:
If you have performed the above steps and the tunnel does not come up, first confirm each phase from the CLI: get ike cookie shows whether Phase 1 completed with the peer, get sa active shows whether the Phase 2 SAs exist, and get policy id 1 confirms the policy is bound to the expected VPN. If Phase 1 never completes, re-check that the gateway address on each side is the other side's Untrust IP and that the pre-shared key and Phase 1 proposal are identical on both firewalls. For further help, refer to the VPN Configuration & Troubleshooting Guide.
2017-11-29: Article reviewed for accuracy. No changes made. Article is correct and complete.