
[ScreenOS] How to create route based dial-up VPN using the same IKE ID (ScreenOS 6.0 and later)


Article ID: KB15272 | Last Updated: 14 May 2020 | Version: 5.0
Summary:

This article provides information on how to create multiple dial-up route based VPN (for bi-directional communication), using the same IKE ID.

Symptoms:
Environment:
  • Shared IKE ID.
  • Deploy large number of remote clients.
  • Bi-Directional VPN set-up.
  • Route-based VPN.
Solution:

Example: Assume two users, Mike and Joe, are trying to access a server on the trusted side of the Juniper Firewall. The Administrator wants to deploy a single VPN Dial-up User configuration and have each user authenticated individually.

Note: With the following configuration, the VPN connection must be initiated from the Dial-up client.

                           Client                                       NetScreen
Shared IKE User                                                         Remote_Sales
Shared IKE ID              sales@ns.com                                 sales@ns.com
User Group                                                              R_S
XAuth User 1 / Password    Joe/netscreen
XAuth User 2 / Password    Mike/support
Phase 1 Proposals          Preshared Secret; Extended Authentication;   pre-g2-3des-sha
                           Triple DES; SHA; Diffie-Hellman Group 2
Phase 2 Proposals          Triple DES; SHA-1                            nopfs-esp-3des-sha

The basic steps in deploying this configuration are as follows:

Note: A route-based VPN is configured in this article so that bi-directional communication can be obtained. For a policy-based VPN, which is the typical Dial Up VPN configuration, refer to KB14883 - How To: Create Multiple Dial Up VPN using same IKE ID (ScreenOS 6.0 and later).

Juniper Firewall Side:

  1. Define an IKE ID User (Without xauth authentication).
  2. Assign the IKE ID User from step 1 to a new Dial Up User Group.
  3. Define separate XAuth Users (with no IKE ID configuration).
  4. Define IKE Phase 1 Gateway and do not select Use as Seed.
  5. Define IKE Phase 2 VPN as usual.
  6. Define policy as usual.

VPN Client Side:

  1. Enter Remote Party Identity and Address, and Secure Gateway Tunnel as normal.
  2. Under My Identity, select ID type email address, and enter the IKE ID from step 2 of the NetScreen Side procedure.
  3. Click Pre-Shared Key, and enter the preshared key defined in step 4 of the NetScreen Side procedure.
  4. Configure Phase 1 for XAuth and Phase 2 to match the configuration on the NetScreen side.

WebUI Configuration of Firewall Side:

  1. Click Objects > Users > Local
    1. Click New
      1. Username: Remote_Sales
      2. Enable IKE User (Do not select XAuth User)
      3. Number of Multiple Logins with Same ID: 25 (choose whatever number of simultaneous users you want logging in under this IKE ID)
      4. Click Simple Identity
      5. IKE ID Type: AUTO
      6. IKE Identity: sales@ns.com (Note: IKE ID must be an e-mail address)
      7. Click OK
    2. Click New
      1. Username: Joe
      2. Click XAuth User (Do not select IKE User)
      3. User Password: password4joe
      4. Confirm Password: password4joe
      5. Click OK
    3. Click New
      1. Username: Mike
      2. Click XAuth User (Do not select IKE User)
      3. User Password: password4mike
      4. Confirm Password: password4mike
      5. Click OK
  2. Click Objects > Users > Local Groups
    1. Click New
      1. Group Name: R_S
      2. Under Available Members, select Remote_Sales, and click << directional button
      3. Click OK
  3. Click Objects > IP Pools (In case you want 254 users)
    1. Click New
      1. IP Pool Name: VPN Pool
      2. Start IP:10.1.1.1
      3. End IP :10.1.1.254
      4. Click OK
  4. Click Network > Interfaces > List
    1. Create a new Tunnel Interface (from the drop-down)
    2. Select the Zone: Untrust (trust-vr) (from the drop-down)
    3. Select Unnumbered, and choose the interface to borrow the address from (the Untrust interface)
    4. Click OK
  5. Click VPNs > AutoKey Advanced > XAuth Settings
    1. Select the IP Pool, VPN Pool, from the drop-down
    2. Optionally, enter the DNS server IP address here.
    3. Click Apply
  6. Click VPNs > AutoKey Advanced > Gateway
    1. Click New
      1. Gateway Name: Sales
      2. Click Dialup User Group, and select R_S from the Group pulldown menu
      3. Click Advanced
      4. Preshared Key: sharedikeid  (Do not enable "Use as Seed"; parameter to be used when configuring Group IKE ID with Global Pro/Express)
      5. Outgoing Interface: ethernet0/0 (Choose whatever interface is your outgoing interface to the Internet)
      6. Click Security Level: Select Custom, and select Phase 1 Proposal pre-g2-3des-sha
      7. Click Mode (Initiator): Aggressive
      8. Click Enable NAT-Traversal
      9. Click Return
      10. Click OK

    Note: If you do not have an Authentication Server configured for XAuth, refer to Radius Auth Server example on page 35 of ScreenOS Concepts & Examples Guide - Vol 9 - User Authentication.

  7. Click VPNs > AutoKey Advanced > Gateway > XAuth Settings
    1. Check XAuth Server
    2. Check Use Default XAuth Settings
    3. Click Apply
  8. Click VPNs > AutoKey IKE
    1. Click New
      1. VPN Name: Sales VPN
      2. Remote Gateway: Click Predefined, and select Sales from the pulldown menu
      3. Click Advanced
      4. Security Level: Select Custom, and select Phase 2 Proposal nopfs-esp-3des-sha
      5. Bind to tunnel interface (Tunnel.1)
      6. Select the Proxy ID
      7. Local IP: 172.16.10.0/24
      8. Remote IP: 255.255.255.255/32
      9. Click OK
  9. Click Policy > Policies
    1. Select From Untrust to Trust zone, and click New
      1. Source Address: Click New Address, and enter 10.1.1.0/24
      2. Destination Address: Click New Address, and enter 172.16.10.0/24
      3. Service: ANY
      4. Action: Permit
      5. Click OK
    2. Select From Trust to Untrust zone, and click New
      1. Source Address: Click New Address, and enter 172.16.10.0/24
      2. Destination Address: Click New Address, and enter 10.1.1.0/24
      3. Service: ANY
      4. Action: Permit
      5. Click OK
  10. Click Network > Routing > Destination
    1. Click New
    2. IPv4/Netmask or IPv6/Prefix Length: 10.1.1.0/24
    3. Check Gateway
    4. Select the Interface: Tunnel.1 (the new tunnel interface created above)
    5. Click OK

Note: The WebUI may look slightly different in later versions of ScreenOS.

(Optional) CLI commands for the above configuration:

# Configure a shared IKE user, Remote_Sales with share-limit 25
set user "Remote_Sales" type ike
set user "Remote_Sales" ike-id "sales@ns.com" share-limit 25
set user "Remote_Sales" enable

# Configure a user-group R_S and add the shared IKE user Remote_Sales to it
set user-group "R_S" location local
set user-group "R_S" user "Remote_Sales"

# Configure Joe and Mike as xauth users
set user "Joe" password "password4joe"
set user "Joe" type xauth
set user "Joe" enable
set user "Mike" password "password4mike"
set user "Mike" type xauth
set user "Mike" enable

# Configure an ip-pool
set ippool "VPN Pool" 10.1.1.1 10.1.1.254

# Specify the ip-pool in xauth default configuration
set xauth default auth server "Local"
set xauth default ippool "VPN Pool"

# Configure the tunnel interface (unnumbered; it borrows the address of the outgoing interface ethernet0/0)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Configure phase1 ike gateway
set ike gateway "Sales" dialup "R_S" aggressive outgoing-interface ethernet0/0 preshare "sharedikeid" proposal "pre-g2-3des-sha"
set ike gateway "Sales" nat-traversal
set ike gateway "Sales" xauth

# Configure phase2 vpn
set vpn "Sales VPN" gateway "Sales" no-replay tunnel proposal "nopfs-esp-3des-sha"
unset vpn "Sales VPN" monitor
set vpn "Sales VPN" bind tunnel.1
set vpn "Sales VPN" proxy-id local-ip 172.16.10.0/24 remote-ip 255.255.255.255/32 any

# Configure address objects, policies
set address "Untrust" "10.1.1.0/24" 10.1.1.0/24
set address "Trust" "172.16.10.0/24" 172.16.10.0/24
set policy from "Untrust" to "Trust" "10.1.1.0/24" "172.16.10.0/24" "ANY" permit
set policy from "Trust" to "Untrust" "172.16.10.0/24" "10.1.1.0/24" "ANY" permit

# Configure a route entry to forward traffic for the dial-up pool to the tunnel interface (which is bound to the VPN)
set route 10.1.1.0/24 interface tunnel.1
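As an added example (not part of the original article or of ScreenOS), the following Python cross-check parses the set commands above and reports two of the mistakes that make this setup fail its purpose: a dial-up gateway whose group carries a shared IKE ID (share-limit > 1) but has no xauth, so users are never authenticated individually, and a VPN whose bound tunnel has no route covering the XAuth IP pool, so return traffic never enters the tunnel. It only recognises the command forms used in this article; the sample input is constructed from them.

```python
import ipaddress, re
# Constructed input: the relevant "set" commands from this article's CLI section.
SAMPLE_CONFIG = """
set user "Remote_Sales" type ike
set user "Remote_Sales" ike-id "sales@ns.com" share-limit 25
set user-group "R_S" user "Remote_Sales"
set ippool "VPN Pool" 10.1.1.1 10.1.1.254
set ike gateway "Sales" dialup "R_S" aggressive outgoing-interface ethernet0/0 preshare "sharedikeid" proposal "pre-g2-3des-sha"
set ike gateway "Sales" xauth
set vpn "Sales VPN" gateway "Sales" no-replay tunnel proposal "nopfs-esp-3des-sha"
set vpn "Sales VPN" bind tunnel.1
set route 10.1.1.0/24 interface tunnel.1
"""
def check_dialup_config(text):
    """Cross-check the objects of a ScreenOS route-based dial-up VPN; returns a list of findings."""
    share, groups, gws, vpns, routes, pools = {}, {}, {}, {}, {}, []
    for ln in text.splitlines():
        if m := re.match(r'set user "(\S+)" ike-id "[^"]+" share-limit (\d+)', ln):
            share[m[1]] = int(m[2])                      # shared IKE ID users
        elif m := re.match(r'set user-group "(\S+)" user "(\S+)"', ln):
            groups.setdefault(m[1], []).append(m[2])     # dial-up group members
        elif m := re.match(r'set ippool "[^"]+" (\S+) (\S+)', ln):
            pools.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := re.match(r'set ike gateway "(\S+)" dialup "(\S+)"', ln):
            gws.setdefault(m[1], {})["group"] = m[2]
        elif m := re.match(r'set ike gateway "(\S+)" xauth$', ln):
            gws.setdefault(m[1], {})["xauth"] = True
        elif m := re.match(r'set vpn "([^"]+)" gateway "(\S+)"', ln):
            vpns.setdefault(m[1], {})["gateway"] = m[2]
        elif m := re.match(r'set vpn "([^"]+)" bind (\S+)', ln):
            vpns.setdefault(m[1], {})["bind"] = m[2]
        elif m := re.match(r'set route (\S+) interface (\S+)', ln):
            routes.setdefault(m[2], []).append(ipaddress.ip_network(m[1]))
    findings = []
    for name, g in gws.items():
        # A shared IKE ID identifies only the group; without XAuth on the gateway no user is authenticated individually.
        members = groups.get(g.get("group"), [])
        if any(share.get(u, 1) > 1 for u in members) and not g.get("xauth"):
            findings.append(f"gateway {name}: shared IKE ID without xauth")
    for name, v in vpns.items():
        if v.get("gateway") not in gws:
            findings.append(f"vpn {name}: unknown gateway {v.get('gateway')}")
        # Return traffic to XAuth-assigned addresses must be routed into the tunnel the VPN is bound to.
        nets = routes.get(v.get("bind"), [])
        for lo, hi in pools:
            if not any(lo in n and hi in n for n in nets):
                findings.append(f"vpn {name}: pool {lo}-{hi} not routed via {v.get('bind')}")
    return findings
```

An empty list means the gateway, group, pool, VPN binding and route agree with each other as the article intends.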


For information on configuring the IPSec client, refer to:

KB17364 - Example configuration of NCP Client
KB22074 - How to configure Shrew Soft VPN client to work with NetScreen Firewalls
KB17266 - NCP Secure Client - Juniper Edition (IPSec Client) FAQ

If you followed the steps above, and need further help troubleshooting, refer to the VPN Configuration and Troubleshooting Guide.

Modification History:
2020-05-13: Article reviewed for accuracy. Minor changes have been done. Corrected multiple logins with same ID from 250 to 25, as in CLI configuration it is 25.