
Configuring the NetScreen-Remote to Force all Dial-Up VPN Traffic Through the NetScreen Device Before Going to the Internet

[KB4397]


Summary:
Configuring the NetScreen-Remote to Force all Dial-Up VPN Traffic Through the NetScreen Device Before Going to the Internet
Symptoms:

Solution:

Note: This article applies to ScreenOS 4.0 and higher.

To configure the NetScreen-Remote side to force all dial-up VPN traffic through the NetScreen before going out to the Internet, perform the following steps:

Step one: From the Start menu, click Programs, select NetScreen-Remote, and then click Security Policy Editor.

Image of step one


Step two: From the Security Policy Editor dialog box, click the 'Add a new connection' icon.

Image of step two


Step three: Enter a name for your new connection.

Image of step three


Image of step four


Step five: In the Subnet and Mask text boxes, enter 0.0.0.0. A remote party of 0.0.0.0 with mask 0.0.0.0 matches every destination, which is what sends all of the client's traffic, Internet-bound traffic included, through the tunnel.

Image of step five


Step six: Click to select Connect using, and then in the drop-down menu, click to select Secure Gateway Tunnel.

Image of step six and seven

Step seven: From the ID Type drop-down menu, click to select IP Address, and then enter the untrusted IP Address of the NetScreen.

Note: For this example, we have entered 10.100.31.130 for the untrusted IP address of the NetScreen.

Step eight: To expand the connection, click the +.

Image of step eight


Step nine: Click to select Security Policy, and then from Phase 1 Negotiation Mode, click to select Aggressive Mode.

Image of step nine


Step ten: To expand Security Policy, click the +.

Image of step ten


Step eleven: To expand Authentication (Phase 1), click the +.

Image of step eleven and twelve

Step twelve: Click to select Proposal 1.

Step thirteen: In the Authentication Method drop-down menu, click to select Pre-Shared Key; Extended Authentication.

Image of step thirteen and fourteen

Step fourteen: In the Encrypt Alg drop-down menu, click to select Triple DES. In the Hash Alg drop-down menu, click to select SHA-1. In the SA Life drop-down menu, click to select Seconds, and then enter 28800. In the Key Group drop-down menu, click to select Diffie-Hellman Group 2.

Step fifteen: To expand the Key Exchange (Phase 2), click the +.

Image of step fifteen and sixteen

Step sixteen: Click to select Proposal 1.

Step seventeen: From IPSec Protocols, in the SA Life drop-down menu, click to select Seconds, and then enter 3360.

Image of step seventeen and eighteen

Step eighteen: In the Encrypt Alg drop-down menu, click to select Triple DES. In the Hash Alg drop-down menu, click to select SHA-1. In the Encapsulation drop-down menu, click to select Tunnel.


Step nineteen: From Network Security Policy, click to select My Identity, and then in the Select Certificate drop-down menu, click to select None.


Image of step nineteen


Step twenty: From My Identity, click Pre-Shared Key.

Image of step twenty


Step twenty-one: From the Pre-Shared Key dialog box, click Enter Key. In the Enter Pre-Shared Key text box, enter the pre-shared key. The pre-shared key must match the one configured on the NetScreen device for this connection.

Image of step twenty-one and twenty-two

Step twenty-two: Click OK.

Step twenty-three: From My Identity, in the ID Type drop-down menu, click to select E-mail Address.

Image of step twenty-three and twenty-four

Step twenty-four: Enter the email address corresponding to the ID. This is the IKE user's simple identity and not their username. From the Virtual Adapter drop-down menu, click to select Preferred.

Note: For this example, we have used xauth@netscreen.com.

Step twenty-five: From the File drop-down menu, click Save Changes.

Image of step twenty-five

Note: The remote user is now configured for dial-up VPN connections to resources behind the NetScreen, and all of the user's traffic will be forced through the NetScreen before going out to the Internet.
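The following Python script is an added illustration, not part of the KB article or of NetScreen-Remote, of why the 0.0.0.0 / 0.0.0.0 remote party in step five makes every destination go through the tunnel, with a split-tunnel connection beside it for contrast and a check of the Phase 1 / Phase 2 values the article prescribes. The connection objects, the 203.0.113.5 destination and the top-down (first match) evaluation order are assumptions made for this example; the gateway address is the article's own example value.

```python
import ipaddress
from dataclasses import dataclass

# Phase 1 / Phase 2 values the article tells the user to enter (steps 9, 13, 14, 17, 18, 23).
ARTICLE_SETTINGS = {
    "phase1_mode": "aggressive",
    "auth_method": "preshared-key+xauth",
    "p1_cipher": "3des", "p1_hash": "sha1", "p1_life_s": 28800, "p1_dh_group": 2,
    "p2_cipher": "3des", "p2_hash": "sha1", "p2_life_s": 3360, "p2_encap": "tunnel",
    "id_type": "email",
}

@dataclass
class Connection:
    name: str
    remote_subnet: str   # value of the "Subnet" text box in the Security Policy Editor
    remote_mask: str     # value of the "Mask" text box
    gateway: str         # untrusted IP of the NetScreen (Secure Gateway Tunnel)
    settings: dict       # IKE/IPsec settings chosen for this connection

    def remote_network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.remote_subnet}/{self.remote_mask}", strict=False)

def is_full_tunnel(conn: Connection) -> bool:
    """0.0.0.0 / 0.0.0.0 has prefix length 0 and therefore matches every destination."""
    return conn.remote_network().prefixlen == 0

def tunnel_for(connections, dst_ip: str) -> str:
    """Name of the first connection whose remote party covers dst_ip; otherwise the
    packet leaves the client in the clear. Top-down order is an assumption here."""
    dst = ipaddress.IPv4Address(dst_ip)
    for c in connections:
        if dst in c.remote_network():
            return c.name
    return "cleartext"

def deviations(conn: Connection) -> list:
    """Settings that differ from what the article prescribes."""
    return [k for k, v in ARTICLE_SETTINGS.items() if conn.settings.get(k) != v]

# Constructed sample connections (hypothetical names).
FULL = Connection("Office-All-Traffic", "0.0.0.0", "0.0.0.0", "10.100.31.130",
                  dict(ARTICLE_SETTINGS))
SPLIT = Connection("Office-Split", "192.168.1.0", "255.255.255.0", "10.100.31.130",
                   {**ARTICLE_SETTINGS, "phase1_mode": "main"})

if __name__ == "__main__":
    for conn in (FULL, SPLIT):
        print(conn.name, "full tunnel:", is_full_tunnel(conn), "deviations:", deviations(conn))
        print("  203.0.113.5 ->", tunnel_for([conn], "203.0.113.5"),
              "| 192.168.1.10 ->", tunnel_for([conn], "192.168.1.10"))
```

With the full-tunnel connection an Internet address such as 203.0.113.5 is sent through the tunnel, while the split-tunnel connection lets it leave the client in the clear.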

Related Links: