
[ScreenOS] How do I create a Policy Based LAN to LAN VPN using Preshared Keys (ScreenOS 6.0 and later)

Article ID: KB15074 | Last Updated: 30 Nov 2017 | Version: 4.0
Summary:

Policy-based VPN - Both Sides have Static IPs using Pre-shared Keys in ScreenOS 6.x

Symptoms:

Environment:

  • Pre-shared secrets
  • Policy Based VPN
  • Static IP Addresses on both gateways of VPN
Solution:

This example assumes static IP addresses are assigned to both VPN devices in the VPN tunnel.
The pre-shared secret used is netscreen. That is an example value only: with pre-shared-key IKE the secret is the credential that authenticates the peer, so in production use a long, random secret.
The table below lists the addresses and proposals used in this example. pre-g2-3des-sha is pre-shared-key authentication, DH group 2, 3DES and SHA-1 for Phase 1; g2-esp-3des-sha is PFS with DH group 2, ESP, 3DES and SHA-1 for Phase 2. Whatever proposals you choose, they must match exactly on both gateways, or Phase 1 or Phase 2 negotiation fails. 3DES, SHA-1 and group 2 are legacy choices kept here for broad compatibility; ScreenOS 6.x also provides AES-based predefined proposals (for example pre-g2-aes128-sha and g2-esp-aes128-sha), which should be preferred when both peers support them.

(Network drawing omitted from this copy; the topology is summarized in the table.)

                          Site A                   Site B
Untrust IP of firewall    1.1.1.1 (eth0/0)         2.2.2.1 (eth0/0)
Trust network             10.1.1.0/24              172.16.10.0/24
Phase 1 proposal          pre-g2-3des-sha          pre-g2-3des-sha
Phase 2 proposal          g2-esp-3des-sha          g2-esp-3des-sha


Instructions via the WebUI and CLI are provided below.
 

WebUI - Site A:

  1. Click VPNs > AutoKey Advanced > Gateway

  2. Click New

    1. Gateway Name: Site B GW
    2. Remote Gateway: Click Static, and enter IP address 2.2.2.1
    3. Click Advanced
    4. Preshared Key: netscreen
    5. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
    6. Security Level, User-defined:  Select Custom, and select Phase 1 Proposal:  pre-g2-3des-sha
    7. Mode (Initiator): Main
    8. Click Return
    9. Click OK
  3. Click VPNs > Autokey IKE

  4. Click New

    1. VPN Name: Site B VPN
    2. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
    3. Click Advanced
    4. Security Level, User Defined:  Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
    5. Click VPN Monitor  (recommended)
    6. Click Optimized  (recommended)
    7. Click Rekey  (recommended)
    8. Click Return
    9. Click OK (Important)
  5. Click Policy > Policies

  6. Select From Trust to Untrust Zone, and click New

    1. Source Address: Click New Address, and enter 10.1.1.0/24
    2. Destination Address: Click New Address, and enter 172.16.10.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site B VPN
    6. Check Modify matching bidirectional VPN policy
    7. Position at Top: Enabled
    8. Click OK


WebUI - Site B:

  1. Click VPNs > AutoKey Advanced > Gateway

  2. Click New

    1. Gateway Name: Site A GW
    2. Remote Gateway: Click Static, and enter IP address 1.1.1.1
    3. Click Advanced
    4. Preshared Key: netscreen
    5. Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
    6. Security Level, User-defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
    7. Mode (Initiator): Main
    8. Click Return
    9. Click OK
  3. Click VPNs > Autokey IKE

  4. Click New

    1. VPN Name: Site A VPN
    2. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
    3. Click Advanced
    4. Security Level, User Defined:  Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
    5. Click VPN Monitor  (recommended)
    6. Click Optimized  (recommended)
    7. Click Rekey  (recommended)
    8. Click Return
    9. Click OK (Important)
  5. Click Policy > Policies

  6. Select From Trust to Untrust Zone, and click New

    1. Source Address: Click New Address, and enter 172.16.10.0/24
    2. Destination Address: Click New Address, and enter 10.1.1.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site A VPN
    6. Check Modify matching bidirectional VPN policy
    7. Position at Top: Enabled
    8. Click OK


CLI - Site A:

Interface names depend on the platform. This CLI example uses e1/1 as the trust interface and e1/2 as the untrust (outgoing) interface, where the WebUI steps above use ethernet0/0; the outgoing-interface named in the IKE gateway must be the interface that carries the untrust IP from the table.

  1. Set interfaces:

    set interface e1/1 zone trust
    set interface e1/1 ip 10.1.1.1/24
    set interface e1/1 nat
    set interface e1/2 zone untrust
    set interface e1/2 ip 1.1.1.1/24

  2. Create address book entries:

    set address trust "10.1.1.0/24" 10.1.1.0/24
    set address untrust "172.16.10.0/24" 172.16.10.0/24

  3. Create a preshared key VPN:

    set ike gateway "site B GW" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
    set vpn "site B VPN" gateway "site B GW" proposal "g2-esp-3des-sha"
    set vpn "site B VPN" monitor optimized rekey

  4. Create policies (source and destination are given once each; the second policy is the mirror image so the pair covers both directions):

    set policy id 1 top from trust to untrust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site B VPN" pair-policy 2
    set policy id 2 top from untrust to trust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site B VPN" pair-policy 1
    save

     

CLI - Site B:

  1. Set interfaces (the untrust address is 2.2.2.1, the address Site A's IKE gateway points at; the two must agree or Phase 1 never starts):

    set interface e1/1 zone trust
    set interface e1/1 ip 172.16.10.1/24
    set interface e1/1 nat
    set interface e1/2 zone untrust
    set interface e1/2 ip 2.2.2.1/24

  2. Create address book entries:

    set address trust "172.16.10.0/24" 172.16.10.0/24
    set address untrust "10.1.1.0/24" 10.1.1.0/24

  3. Create a preshared key VPN:

    set ike gateway "site A GW" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
    set vpn "site A VPN" gateway "site A GW" proposal "g2-esp-3des-sha"
    set vpn "site A VPN" monitor optimized rekey

  4. Create policies:

    set policy id 1 top from trust to untrust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site A VPN" pair-policy 2
    set policy id 2 top from untrust to trust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site A VPN" pair-policy 1
    save
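The two CLI configurations above are mirror images of each other, and most failures of this kind of VPN come from the mirror being imperfect: a gateway address that is not the peer's untrust IP, a pre-shared key or proposal typed differently on one side, or policies whose source and destination do not line up. The following Python script is an added example, not part of the KB article or of ScreenOS: it renders both configurations from a single set of site parameters and then cross-checks a pair of configurations for exactly those mismatches. The addresses, object names and proposals are the article's; the Site class and the render, parse and check_pair functions are this example's own names, and the parser only understands the command forms shown in the article.

```python
"""Added example (not from the KB article): render the two mirrored ScreenOS
configurations for a static-to-static, pre-shared-key, policy-based VPN from one
set of parameters, then cross-check the pair for mismatches that leave Phase 1 or
Phase 2 failing. Addresses, names and proposals follow the article's example."""
import re
from dataclasses import dataclass

@dataclass
class Site:
    name: str        # letter used in the peer's object names ("B" -> "site B GW")
    trust_if: str    # e.g. "e1/1"
    trust_ip: str    # interface address, e.g. "10.1.1.1/24"
    trust_net: str   # protected network, e.g. "10.1.1.0/24"
    untrust_if: str  # outgoing (Internet-facing) interface, e.g. "e1/2"
    untrust_ip: str  # its static public address, e.g. "1.1.1.1/24"

# Sample sites constructed from the article's table.
SITE_A = Site("A", "e1/1", "10.1.1.1/24", "10.1.1.0/24", "e1/2", "1.1.1.1/24")
SITE_B = Site("B", "e1/1", "172.16.10.1/24", "172.16.10.0/24", "e1/2", "2.2.2.1/24")

def render(local, peer, psk, p1="pre-g2-3des-sha", p2="g2-esp-3des-sha"):
    """ScreenOS CLI for `local`, tunnelling to `peer` (same shape as the article)."""
    gw, vpn = f"site {peer.name} GW", f"site {peer.name} VPN"
    peer_host = peer.untrust_ip.split("/")[0]   # the gateway address is the bare IP
    return [
        f"set interface {local.trust_if} zone trust",
        f"set interface {local.trust_if} ip {local.trust_ip}",
        f"set interface {local.trust_if} nat",
        f"set interface {local.untrust_if} zone untrust",
        f"set interface {local.untrust_if} ip {local.untrust_ip}",
        f'set address trust "{local.trust_net}" {local.trust_net}',
        f'set address untrust "{peer.trust_net}" {peer.trust_net}',
        f'set ike gateway "{gw}" address {peer_host} main '
        f"outgoing-interface {local.untrust_if} preshare {psk} proposal {p1}",
        f'set vpn "{vpn}" gateway "{gw}" proposal "{p2}"',
        # VPN monitor is Juniper-proprietary; see the note at the end of the article
        f'set vpn "{vpn}" monitor optimized rekey',
        f'set policy id 1 top from trust to untrust "{local.trust_net}" '
        f'"{peer.trust_net}" any tunnel vpn "{vpn}" pair-policy 2',
        f'set policy id 2 top from untrust to trust "{peer.trust_net}" '
        f'"{local.trust_net}" any tunnel vpn "{vpn}" pair-policy 1',
        "save",
    ]

_IF = re.compile(r"set interface (\S+) ip (\S+)")
_GW = re.compile(r'set ike gateway "([^"]+)" address (\S+) (main|aggressive) '
                 r"outgoing-interface (\S+) preshare (\S+) proposal (\S+)")
_VPN = re.compile(r'set vpn "([^"]+)" gateway "([^"]+)" proposal "([^"]+)"')
_POL = re.compile(r'set policy id (\d+) top from (\w+) to (\w+) "([^"]+)" '
                  r'"([^"]+)" \S+ tunnel vpn "([^"]+)" pair-policy (\d+)')

def parse(lines):
    """Extract the fields that must agree across the two peers."""
    cfg = {"if_ip": {}, "policies": []}
    for ln in lines:
        if m := _IF.match(ln):
            cfg["if_ip"][m[1]] = m[2].split("/")[0]
        elif m := _GW.match(ln):
            cfg["gw"] = dict(peer=m[2], mode=m[3], out_if=m[4], psk=m[5], p1=m[6])
        elif m := _VPN.match(ln):
            cfg["p2"] = m[3]
        elif m := _POL.match(ln):
            cfg["policies"].append(dict(id=int(m[1]), zones=(m[2], m[3]),
                                        src=m[4], dst=m[5], pair=int(m[7])))
    return cfg

def check_pair(a_lines, b_lines):
    """Return the mismatches between two peer configs; [] means consistent."""
    a, b = parse(a_lines), parse(b_lines)
    issues = []
    for key in ("psk", "p1", "mode"):   # key, Phase 1 proposal and IKE mode
        if a["gw"][key] != b["gw"][key]:
            issues.append(f"gateway {key} differs between the peers")
    if a["p2"] != b["p2"]:
        issues.append("Phase 2 proposal differs between the peers")
    for here, there, tag in ((a, b, "A"), (b, a, "B")):
        # The gateway address must be the IP bound to the peer's outgoing interface.
        peer_ip = there["if_ip"].get(there["gw"]["out_if"])
        if here["gw"]["peer"] != peer_ip:
            issues.append(f"{tag}: gateway address {here['gw']['peer']} is not "
                          f"the peer's outgoing-interface IP {peer_ip}")
        by_id = {p["id"]: p for p in here["policies"]}
        for p in here["policies"]:
            if by_id.get(p["pair"], {}).get("pair") != p["id"]:
                issues.append(f"{tag}: policy {p['id']} pair-policy is not reciprocal")
        # Outbound (trust->untrust) src/dst here must equal the peer's inbound src/dst.
        out = [(p["src"], p["dst"]) for p in here["policies"]
               if p["zones"] == ("trust", "untrust")]
        inbound = [(p["src"], p["dst"]) for p in there["policies"]
                   if p["zones"] == ("untrust", "trust")]
        if out != inbound:
            issues.append(f"{tag}: outbound policies {out} are not mirrored by "
                          f"the peer's inbound policies {inbound}")
    return issues

if __name__ == "__main__":
    cfg_a, cfg_b = render(SITE_A, SITE_B, "netscreen"), render(SITE_B, SITE_A, "netscreen")
    print("\n".join(cfg_a + [""] + cfg_b), "\nissues:", check_pair(cfg_a, cfg_b))
```

Running the script prints both configurations followed by an empty issue list. Changing Site B's untrust address to 2.2.2.2 while Site A still points at 2.2.2.1 makes check_pair report that A's gateway address is not the peer's outgoing-interface IP, which is the symptom of a tunnel that never reaches Phase 1. After pushing the real configurations, `get ike cookie` on either device shows whether Phase 1 completed and `get sa` shows the Phase 2 SAs.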

     

Configuration Examples in Technical Documentation:

ScreenOS Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks

Chapter 4 -- Site-to-Site Virtual Private Networks
“Policy-Based Site-to-Site VPN, AutoKey IKE” Example
“Policy-Based Site-to-Site VPN, Dynamic Peer” Example
“Policy-Based Site-to-Site VPN, Manual Key” Example
“Transparent Mode VPN” Example

 


Note: Use the VPN monitor, optimized and rekey options only when creating a VPN between Juniper devices. VPN monitoring is proprietary and has been known to cause issues between Juniper and non-Juniper devices. Refer to the following articles if you are using VPN monitoring and the VPN is going down:

If you have performed the above steps and need help with troubleshooting, refer to the VPN Configuration & Troubleshooting Guide.
 

Modification History:
2017-11-29: Article reviewed for accuracy. No changes made. Article is correct and complete.
