
[ScreenOS] How to create a VPN connection between a PC and firewall without an internet connection


Article ID: KB22833   KB Last Updated: 28 Jun 2018   Version: 2.0
Summary:

This article provides information on how to create a VPN connection between a private network and firewall, without an internet connection.

Symptoms:
  • The firewall does not have the untrust zone configured and there is no internet connection.

  • You want to configure a VPN connection between the PC and the firewall without an internet connection, where the PC is on the trust side of the firewall.
Solution:

Configure the route-based dial-up VPN on the firewall:

On the Juniper firewall:

  1. Define an IKE ID User (without xauth authentication).

  2. Assign the IKE ID User to a new Dial Up User Group.

  3. Define separate XAuth Users (without IKE ID configuration).

  4. Define IKE Phase 1 Gateway and do not select Use as Seed.

  5. Define IKE Phase 2 VPN.

  6. Define the policy.

On the ScreenOS Remote VPN client:
 
  1. Type the Remote Party Identity, Address, and Secure Gateway Tunnel.

  2. Under My Identity, select the email address ID type and enter the IKE ID (from step 2 in the Juniper firewall procedure).

  3. Click Pre-Shared Key and type the pre-shared key (defined in step 4 in the Juniper firewall procedure).

  4. Configure Phase 1 for Xauth and Phase 2 to match the Juniper firewall configuration.

Configuration on the firewall WebUI:
 
  1. Go to Objects > Users > Local and click New:
     
    1. Username - Remote_Sales
    2. Enable IKE User (do not select XAuth User).
    3. Number of Multiple Logins with Same ID - 250 (choose whatever number of simultaneous users you want logging in under this IKE ID).
    4. Click Simple Identity.
    5. IKE ID Type - AUTO
    6. IKE Identity - sales@ns.com (IKE ID must be an e-mail address).
    7. Click OK.
  2. Click New:

    1. Username - Joe.
    2. Click XAuth User (do not select IKE User).
    3. User Password - password4joe.
    4. Confirm Password - password4joe.
    5. Click OK.
  3. Go to Objects > Users > Local Groups and click New:

    1. Group Name - R_S.
    2. Under Available Members, select Remote_Sales and click the << button.
    3. Click OK.
  4. Go to Objects > IP Pools (if you want 254 users) and click New:

     
    1. IP Pool Name - VPN Pool.
    2. Start IP - 10.1.1.1.
    3. End IP - 10.1.1.254.
    4. Click OK.
  5. Go to Network > Interfaces > List and create a New loopback (select from the drop-down menu):

    1. Select the Zone - Trust(trust-vr) (from the drop-down menu).
    2. Type the static IP - 1.1.1.1/24.
    3. Enable all the services.
    4. Click OK.
  6. Go to Network > Interfaces > List and create a New Tunnel Interface (select from the drop-down menu):

    1. Select the Zone - Trust(trust-vr) (select the drop-down menu).
    2. Select Unnumbered: Loopback (Trust Interface).
    3. Click OK.
  7. Go to VPNs > AutoKey Advanced > XAuth Settings:

    1. Select the IP Pool and VPN Pool from the drop-down menus.
    2. You can add the DNS, if required, by providing the IP address.
    3. Click Apply.
  8. Go to VPNs > AutoKey Advanced > Gateway and click New:

    1. Gateway Name - Sales.
    2. Click Dialup User Group and select R_S from the Group drop-down menu.
    3. Click Advanced:
       
      1. Preshared Key - sharedikeid (do not enable Use as Seed; that parameter is only used when configuring Group IKE ID with Global Pro/Express).
      2. Outgoing Interface - loopback interface.
      3. Click Security Level, Select Custom and then Phase 1 Proposal (pre-g2-3des-sha).
      4. Click Mode (Initiator) - Aggressive.
      5. Click Enable NAT-Traversal.
      6. Click Return.
    4. Click OK.
  9. Go to VPNs > AutoKey Advanced > Gateway >XAuth Settings:

    1. Select the XAuth Server checkbox.
    2. Select the Use Default XAuth settings checkbox.
    3. Click Apply.
  10. Go to VPNs > AutoKey IKE and click New:

    1. VPN Name - Sales VPN.
    2. Under Remote Gateway, click Predefined and select Sales from the drop-down menu.
    3. Click Advanced:
      1. Under Security Level, select Custom, and then Phase 2 Proposal (nopfs-esp-3des-sha).
      2. Bind to the tunnel interface (Tunnel.1).
    4. Click OK.
  11. Go to VPNs > AutoKey IKE and click Proxy ID:

    1. Local IP - 192.168.1.0/24.
    2. Remote IP - 255.255.255.255/32.
    3. Service - ANY.
    4. Click New.
  12. Go to Policy > Policies:

    1. Select from Untrust to Trust zone and click New:
       
      1. Source Address - click New Address and type ANY.
      2. Destination Address - click New Address and type ANY.
      3. Service - ANY.
      4. Action - Permit.
      5. Click OK.
    2. Select from Trust to Untrust zone and click New:
       
      1. Source Address - click New Address and type ANY.
      2. Destination Address - click New Address and type ANY.
      3. Service - ANY.
      4. Action - Permit.
      5. Click OK.
  13. Go to Network > Routing > Destination and click New:

    1. IPv4/Net mask or IPv6/Prefix Length - 10.1.1.0/24.
    2. Select the Gateway checkbox.
    3. Select the Interface - Tunnel.1 (newly created tunnel Interface).
    4. Click OK.

CLI commands for the above configuration:
 
  • Configure a shared IKE user (Remote_Sales) with share-limit 25:
    set user "Remote_Sales" type ike
    set user "Remote_Sales" ike-id "sales@ns.com" share-limit 25
    set user "Remote_Sales" enable

  • Configure a user-group (R_S) and add the shared IKE user (Remote_Sales):

    set user-group "R_S" location local
    set user-group "R_S" user "Remote_Sales"

  • Configure Joe and Mike as XAuth users:

    set user "Joe" password "password4joe"
    set user "Joe" type xauth
    set user "Joe" enable

  • Configure an IP pool:

    set ippool "VPN Pool" 10.1.1.1 10.1.1.254

  • Specify the IP pool in the default XAuth configuration:

    set xauth default auth server "Local"
    set xauth default ippool "VPN Pool"

  • Configure a loopback interface:

    set interface loopback.1 zone trust
    set interface loopback.1 ip 1.1.1.1/24

  • Configure the tunnel interface (unnumbered to the loopback):

    set interface tunnel.1 zone trust
    set interface tunnel.1 ip unnumbered interface loopback.1

  • Configure the Phase 1 IKE gateway:

    set ike gateway "Sales" dialup "R_S" aggressive outgoing-interface loopback.1 preshare "sharedikeid" proposal "pre-g2-3des-sha"
    set ike gateway "Sales" nat-traversal
    set ike gateway "Sales" xauth

  • Configure the Phase 2 VPN:

    set vpn "Sales VPN" gateway "Sales" no-replay tunnel proposal "nopfs-esp-3des-sha"
    unset vpn "Sales VPN" monitor
    set vpn "Sales VPN" bind tunnel.1
    set vpn "Sales VPN" proxy-id local-ip 192.168.1.0/24 remote-ip 255.255.255.255/32 any

  • Configure the policies:

    set policy from "Untrust" to "Trust" "ANY" "ANY" "ANY" permit
    set policy from "Trust" to "Untrust" "ANY" "ANY" "ANY" permit

  • Configure a route entry that forwards traffic for the IP pool subnet to the tunnel interface (bound to the VPN):

    set route 10.1.1.0/24 interface tunnel.1

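As an added example (not from the article or from Juniper), the following Python script parses the CLI commands above and cross-checks the dependencies this design relies on: every member of the gateway's dial-up group is an IKE user with an e-mail IKE ID, the VPN's bound tunnel is unnumbered to the gateway's outgoing interface, and the XAuth IP pool is reachable through a route pointing at a VPN-bound tunnel. The sample configuration is constructed from the commands on this page; the check names and messages are this example's own.

```python
import ipaddress
import shlex

# Constructed sample assembled from the CLI commands in this article (not a device dump).
SAMPLE_CONFIG = """
set user "Remote_Sales" ike-id "sales@ns.com" share-limit 25
set user-group "R_S" user "Remote_Sales"
set ippool "VPN Pool" 10.1.1.1 10.1.1.254
set interface loopback.1 ip 1.1.1.1/24
set interface tunnel.1 ip unnumbered interface loopback.1
set ike gateway "Sales" dialup "R_S" aggressive outgoing-interface loopback.1 preshare "sharedikeid" proposal "pre-g2-3des-sha"
set vpn "Sales VPN" gateway "Sales" no-replay tunnel proposal "nopfs-esp-3des-sha"
set vpn "Sales VPN" bind tunnel.1
set route 10.1.1.0/24 interface tunnel.1
"""


def check_dialup_vpn(config):
    """Cross-check a ScreenOS route-based dial-up VPN; returns findings (empty list = consistent)."""
    ike_ids, groups, pools, unnumbered, gws, vpns, routes = {}, {}, {}, {}, {}, {}, []
    for t in (shlex.split(line) for line in config.splitlines() if line.strip().startswith("set ")):
        if t[1] == "user" and "ike-id" in t:                  # IKE user -> its IKE identity
            ike_ids[t[2]] = t[t.index("ike-id") + 1]
        elif t[1] == "user-group" and "user" in t:            # dial-up group membership
            groups.setdefault(t[2], set()).add(t[t.index("user") + 1])
        elif t[1] == "ippool":                                # XAuth address pool range
            pools[t[2]] = (ipaddress.ip_address(t[3]), ipaddress.ip_address(t[4]))
        elif t[1] == "interface" and "unnumbered" in t:       # tunnel -> interface it borrows from
            unnumbered[t[2]] = t[-1]
        elif t[1:3] == ["ike", "gateway"] and "dialup" in t:  # gateway -> (group, outgoing interface)
            gws[t[3]] = (t[t.index("dialup") + 1], t[t.index("outgoing-interface") + 1])
        elif t[1] == "vpn" and t[3] in ("gateway", "bind"):   # vpn -> its gateway and bound tunnel
            vpns.setdefault(t[2], {})[t[3]] = t[4]
        elif t[1] == "route":
            routes.append((ipaddress.ip_network(t[2]), t[-1]))
    findings = []
    for name, (group, _) in gws.items():
        if group not in groups:
            findings.append(f"gateway {name}: dial-up group {group} has no members")
        for member in groups.get(group, ()):
            if "@" not in ike_ids.get(member, ""):
                findings.append(f"gateway {name}: {member} lacks an e-mail IKE ID")
    for vname, v in vpns.items():
        out_if = gws.get(v.get("gateway"), (None, None))[1]
        if unnumbered.get(v.get("bind")) != out_if:
            findings.append(f"vpn {vname}: {v.get('bind')} is not unnumbered to {out_if}")
    bound = {v.get("bind") for v in vpns.values()}
    for pname, (start, end) in pools.items():
        if not any(start in net and end in net and ifc in bound for net, ifc in routes):
            findings.append(f"ippool {pname}: no route for {start}-{end} via a VPN-bound tunnel")
    return findings
```

Run it against a `get config` dump after editing: an empty list means the user, group, gateway, tunnel, pool and route pieces fit together as in this article.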

Modification History:

2018-06-28: Added step 11 in 'Configuration on the firewall WebUI'.
