
[ScreenOS] Configuring Your Juniper Firewall Site A for a Route Based LAN to LAN VPN when both sides have static IPs by using pre-shared keys


Article ID: KB4142 | Last Updated: 04 Dec 2012 | Version: 8.0
Summary:
This article provides information on how to configure a Juniper firewall Site A for a route based LAN to LAN VPN, when both sides have static IPs, by using pre-shared keys.
Symptoms:
How to configure a Juniper firewall Site A for a route based LAN to LAN VPN, when both sides have static IPs, by using pre-shared keys.
Cause:

Solution:

To configure your Juniper Firewall Site A for a Route Based LAN to LAN VPN when both sides have static IPs using Pre-shared Keys, perform the following steps:

Step one: Open the WebUI. For more information on accessing the WebUI, see the article "Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI".

Step two: From the Juniper firewall menu, click Network, and then click Interfaces.

Image of step two

Step three: Click New.

Image of step three

Step four: From the Tunnel Interface Name text box, enter a tunnel name.

Note: For this example, we have entered 1.

Image of step four and five

Step five: From the Zone drop-down menu, click to choose a Zone.

Note: For this example, we have selected Untrust (trust-vr).

Step six: Click to select Unnumbered. From the Interface drop-down menu, click to choose an Interface.

Note: For this example, we have selected ethernet (trust-vr).

Image of step six and seven

Step seven: Click OK.

Step eight: From the Juniper firewall menu, click VPNs, select AutoKey Advanced, and then click Gateway.

Image of step eight

Step nine: Click New.

Image of step nine

Step ten: From the Gateway Name text box, enter a Gateway Name.

Note: For this example, we have entered Site B GW.

Image of step ten and eleven

Step eleven: From Security Level, click to select Custom.

Step twelve: From Remote Gateway Type, click to select Static IP Address, and enter an IP Address/Hostname.

Note: For this example, we have entered 2.2.2.1.

Image of step twelve

Step thirteen: From the Preshared Key text box, enter a Preshared Key.

Warning: The pre-shared keys on Juniper firewall device A and Juniper firewall device B must be identical.

Image of step thirteen and fourteen

Step fourteen: From the Outgoing Interface drop-down menu, click to choose an Outgoing Interface. Click Advanced.

Note: For this example, we have selected ethernet3.

Step fifteen: From the Phase 1 Proposal drop-down menu, click to choose a Phase 1 Proposal.

Note: For this example, we have selected pre-g2-3des-sha.

Image of step fifteen and sixteen

Step sixteen: Click to select Mode (Initiator). Click Return.

Step seventeen: Click OK.

Image of step seventeen

Step eighteen: From the Juniper firewall options menu, click VPNs, and then click AutoKey IKE.

Image of step eighteen

Step nineteen: Click New.

Image of step nineteen

Step twenty: From the VPN Name text box, enter a VPN Name. From Security Level, click to select Custom.

Note: For this example, we have entered Site B VPN.

Image of step twenty and twenty-one

Step twenty-one: From Remote Gateway, click to select Predefined. From the Remote Gateway drop-down menu, click to select Site B GW.

Step twenty-two: Click Advanced.

Image of step twenty-two

Step twenty-three: From the Phase 2 Proposal drop-down menu, click to choose a Phase 2 Proposal.

Note: For this example, we have selected g2-esp-3des-sha.

Image of step twenty-three and twenty-four

Step twenty-four: From Bind to, click to select Tunnel Interface. From the Tunnel Interface drop-down menu, click to select tunnel.1.

Step twenty-five: Click to select Proxy-ID. In the Local IP/Netmask text box, enter a Local IP/Netmask, and then in the Remote IP/Netmask text box, enter a Remote IP/Netmask.

Note: For this example, we have entered 10.1.1.0/24 for our Local IP/Netmask and 172.16.10.0/24 for the Remote IP/Netmask.

Image of step twenty-five and twenty-six

Step twenty-six: From the Service drop-down menu, click to select ANY. Click Return.

Step twenty-seven: Click OK.

Image of step twenty-seven

Step twenty-eight: From the Juniper firewall menu, click Policies.

Image of step twenty-eight

Step twenty-nine: In the From drop-down menu, click to select Trust. From the To drop-down menu, click to select Untrust.

Image of step twenty-nine and thirty

Step thirty: Click New.

Step thirty-one: From Source Address, click to select New Address, and enter a New Address.

Note: For this example, we have entered 10.1.1.0/24.

Image of step thirty-one and thirty-two

Step thirty-two: From Destination Address, click to select New Address, and enter a New Address.

Note: For this example, we have entered 172.16.10.0/24.

Step thirty-three: In the Service drop-down menu, click to select ANY. From the Action drop-down menu, click to select Permit.

Image of step thirty-three

Step thirty-four: Click to select Position at Top.

Image of step thirty-four

Step thirty-five: Click OK.

Image of step thirty-five

Step thirty-six: From the Juniper firewall menu, click Policies.

Image of step thirty-six

Step thirty-seven: In the From drop-down menu, click to select Untrust. From the To drop-down menu, click to select Trust.

Image of step thirty-seven and thirty-eight

Step thirty-eight: Click New.

Step thirty-nine: From Source Address, click to select New Address, and then enter a New Address.

Note: For this example, we have entered 172.16.10.0/24.

Image of step thirty-nine and forty

Step forty: From Destination Address, click to select New Address, and then enter a New Address.

Note: For this example, we have entered 10.1.1.0/24.

Step forty-one: In the Service drop-down menu, click to select ANY. From the Action drop-down menu, click to select Permit.

Image of step forty-one

Step forty-two: Click to select Position at Top.

Image of step forty-two

Step forty-three: Click OK.

Image of step forty-three

Step forty-four: From the Juniper firewall menu, click Network, select Routing, and then, for ScreenOS 5.2 and below, click Routing Table; for ScreenOS 5.3 and above, click Destination.

Image of step forty-four

Step forty-five: Click New.

Image of step forty-five

Step forty-six: Under Virtual Router Name, in the Network Address/Netmask text boxes, enter the Network Address/Netmask of the remote LAN.

Note: For this example, we have entered 172.16.10.0/255.255.255.0.

Image of step forty-six and forty-seven

Step forty-seven: Click to select Gateway. From the Interface drop-down menu, click to select tunnel.1.

Step forty-eight: Click OK.

Image of step forty-eight

To configure the route-based site-to-site VPN via the CLI, you need to configure the following. The commands use the same example values as the WebUI steps above (tunnel.1 unnumbered on ethernet3, Phase 1 proposal pre-g2-3des-sha, Phase 2 proposal g2-esp-3des-sha); replace <pre-shared-key> with the key that is also configured on Site B.

Creating the tunnel interface:

set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet3

Creating the Gateway:

set ike gateway "Site B GW" address 2.2.2.1 Main outgoing-interface "ethernet3" preshare "<pre-shared-key>" proposal "pre-g2-3des-sha"

Creating the AutoKey IKE:

set vpn "Site B VPN" gateway "Site B GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "Site B VPN" id 0x1 bind interface tunnel.1
set vpn "Site B VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 172.16.10.0/24 "ANY"

Creating a tunnel route:

set route 172.16.10.0/24 interface tunnel.1

Creating the Policies:

set policy id 1 from "Trust" to "Untrust" "10.1.1.0/24" "172.16.10.0/24" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "172.16.10.0/24" "10.1.1.0/24" "ANY" permit
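The WebUI steps and the CLI above only cover Site A, and the Warning at step thirteen (identical pre-shared keys) is one of several values that must mirror exactly on Site B: the proxy-IDs, the remote gateway addresses and the proposals. The following Python script is an added example, not Juniper code or part of this article. It renders the Site A command set from a parameter record and cross-checks two such records for the mirroring errors that most often leave a Phase 1 or Phase 2 negotiation failing. Site A's public IP (1.1.1.1), Site B's interface and the key value are constructed assumptions; Site B's address and the subnets are the article's example values.

```python
"""Render ScreenOS CLI for one end of a route-based LAN-to-LAN VPN and
cross-check that the two ends mirror each other.
Added example; not Juniper code. Site A's public IP, Site B's outgoing
interface and the key string are constructed sample values."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class SiteParams:
    peer_label: str          # used in object names, e.g. "Site B"
    public_ip: str           # this firewall's static public IP
    peer_public_ip: str      # static public IP of the remote gateway
    local_lan: str           # protected subnet behind this firewall (CIDR)
    remote_lan: str          # protected subnet behind the peer (CIDR)
    outgoing_interface: str  # physical interface facing the peer
    tunnel_interface: str    # e.g. "tunnel.1"
    preshared_key: str
    p1_proposal: str         # Phase 1 proposal name
    p2_proposal: str         # Phase 2 proposal name


def render_screenos(s):
    """Return the ScreenOS 'set' commands for this end of the tunnel."""
    gw = f"{s.peer_label} GW"
    vpn = f"{s.peer_label} VPN"
    return [
        f'set interface {s.tunnel_interface} zone "Untrust"',
        f'set interface {s.tunnel_interface} ip unnumbered interface {s.outgoing_interface}',
        f'set ike gateway "{gw}" address {s.peer_public_ip} Main outgoing-interface '
        f'"{s.outgoing_interface}" preshare "{s.preshared_key}" proposal "{s.p1_proposal}"',
        f'set vpn "{vpn}" gateway "{gw}" no-replay tunnel idletime 0 proposal "{s.p2_proposal}"',
        f'set vpn "{vpn}" id 0x1 bind interface {s.tunnel_interface}',
        f'set vpn "{vpn}" proxy-id local-ip {s.local_lan} remote-ip {s.remote_lan} "ANY"',
        f'set route {s.remote_lan} interface {s.tunnel_interface}',
        f'set policy id 1 from "Trust" to "Untrust" "{s.local_lan}" "{s.remote_lan}" "ANY" permit',
        f'set policy id 2 from "Untrust" to "Trust" "{s.remote_lan}" "{s.local_lan}" "ANY" permit',
    ]


def check_site(s):
    """Sanity-check one site: subnets must be valid network addresses and
    the two protected LANs must not overlap (overlap breaks the tunnel route)."""
    try:
        local = ipaddress.ip_network(s.local_lan, strict=True)
        remote = ipaddress.ip_network(s.remote_lan, strict=True)
    except ValueError as exc:
        return [f"bad subnet: {exc}"]
    if local.overlaps(remote):
        return [f"local LAN {local} overlaps remote LAN {remote}"]
    return []


def check_mirror(a, b):
    """Return a list of mismatches between two ends; an empty list means the
    parameters mirror correctly."""
    problems = check_site(a) + check_site(b)
    if a.preshared_key != b.preshared_key:
        problems.append("pre-shared keys differ")
    if a.remote_lan != b.local_lan or a.local_lan != b.remote_lan:
        problems.append("proxy-ID subnets are not mirrored")
    if a.peer_public_ip != b.public_ip or b.peer_public_ip != a.public_ip:
        problems.append("remote gateway addresses do not point at each other")
    if a.p1_proposal != b.p1_proposal:
        problems.append("Phase 1 proposals differ")
    if a.p2_proposal != b.p2_proposal:
        problems.append("Phase 2 proposals differ")
    return problems


# Site A as in the article; 1.1.1.1 and the key are constructed values.
SITE_A = SiteParams("Site B", "1.1.1.1", "2.2.2.1", "10.1.1.0/24", "172.16.10.0/24",
                    "ethernet3", "tunnel.1", "example-psk",
                    "pre-g2-3des-sha", "g2-esp-3des-sha")
# Site B, constructed as the mirror image of Site A.
SITE_B = SiteParams("Site A", "2.2.2.1", "1.1.1.1", "172.16.10.0/24", "10.1.1.0/24",
                    "ethernet3", "tunnel.1", "example-psk",
                    "pre-g2-3des-sha", "g2-esp-3des-sha")

if __name__ == "__main__":
    for site in (SITE_A, SITE_B):
        print(f"--- {site.public_ip} ---")
        print("\n".join(render_screenos(site)))
    print("mirror check:", check_mirror(SITE_A, SITE_B) or "ok")
```

Running the script prints both command sets and "mirror check: ok"; change one subnet, key or proposal on either side and the check names the mismatch before anything is pasted into a firewall.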
