Configuring the NetScreen Device to Force all Dial-Up VPN Traffic Through the Device Before Going to the Internet (continued)

[KB4398]


Summary:
Configuring the NetScreen Device to Force all Dial-Up VPN Traffic Through the Device Before Going to the Internet (continued)
Solution:

This article shows how to configure the following:

  • Create phase 1 IKE gateway.
  • Create phase 2 VPN.
  • Create static routes to route the IP pool packets through the tunnel interface.
  • Configure a policy to allow traffic from Untrust to Trust.
  • Configure a policy to re-route traffic from Trust to Untrust.


To continue configuring the NetScreen device side to force all dial-up VPN traffic through the NetScreen, perform the following steps:

1. Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen Using the WebUI.

2. From the NetScreen options menu, click VPNs, select AutoKey Advanced, and then click Gateway.

Image of step two

3. Click New.

Image of step three

4. In the Gateway Name text box, enter a Gateway Name.

Image of step four and five

5. From Security Level, click to select Compatible.

6. From Remote Gateway Type, click to select Dialup User. In the User drop-down menu, click to select a User.

Image of step six

7. From the Preshared Key text box, enter a preshared key.

Note: The Outgoing Interface should be the outgoing interface that the XAuth users will use.

Image of step seven and eight

8. Click Advanced.

9. From Mode (Initiator), click to select Aggressive.

Image of step nine and ten

10. Click to select XAuth Server.

11. Click Return.

Image of step eleven

12. Click OK.

Image of step twelve

13. From the NetScreen options menu, click VPNs, and then click AutoKey IKE.

Image of step thirteen

14. Click New.

Image of step fourteen

15. From the VPN Name text box, enter a VPN Name.

Image of step fifteen and sixteen

16. From Security Level, click to select Compatible.

17. From Remote Gateway, click to select Predefined, and then from the drop-down menu, click to choose a Remote Gateway.

Image of step seventeen and eighteen

18. Click Advanced.

19. From Bind to, click to select Tunnel Interface. In the Tunnel Interface drop-down menu, click to select tunnel.1.

Image of step nineteen

20. Click to select Proxy-ID.

Image of step twenty and twenty-one

21. From Proxy-ID, configure the following settings:
   • Local IP / Netmask: 0.0.0.0/0
   • Remote IP / Netmask: 255.255.255.255/32
   • Service: Any

22. Click Return.

Image of step twenty-two

23. Click OK.

Image of step twenty-three

24. From the NetScreen options menu, click Network, select Routing, and then click Routing Entries.

Image of step twenty-four

25. Click New.

Image of step twenty-five

26. In the Network Address / Netmask text box, enter the XAuth pool network IP address.

Image of step twenty-six

27. Click to select Gateway, and then configure the following settings:
   • Interface: tunnel.1
   • Gateway IP Address: 0.0.0.0
   • Metric: 1
   • Tag: 0

Image of step twenty-seven and twenty-eight

28. Click OK.

29. From the NetScreen options menu, click Policies.

Image of step twenty-nine

30. From the Policies page, in the From drop-down menu, click to select Untrust, and in the To drop-down menu, click to select Trust.

Image of step thirty and thirty-one

31. Click New.

32. From Source Address, click to select Address Book, and then in the Address Book drop-down menu, click to select Any.

Image of step thirty-two and thirty-three

33. From Destination Address, click to select Address Book, and then in the Address Book drop-down menu, click to choose an IP Address/Netmask.

Note: For this example, we have selected 192.168.1.0/24.

34. In the Service drop-down menu, click to select ANY. In the Action drop-down menu, click to select Permit.

Image of step thirty-four

35. Click OK.

Image of step thirty-five

36. From the NetScreen options menu, click Policies.

Image of step thirty-six

37. From the Policies page, in the From drop-down menu, click to select Trust, and in the To drop-down menu, click to select Untrust.

Image of step thirty-seven and thirty-eight

38. Click New.

39. From Source Address, click to select New Address, and then in the New Address text box, enter 11.11.11.0/24.

Image of step thirty-nine and forty

40. From Destination Address, click to select Address Book, and then in the Address Book drop-down menu, click to select Any.

41. In the Service drop-down menu, click to select ANY. In the Action drop-down menu, click to select Permit.

Image of step forty-one

42. Click Advanced.

Image of step forty-two

43. From NAT, click to select Source Translation.

Image of step forty-three and forty-four

44. Click Return.

45. Click OK.

Image of step forty-five
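The route entry and the two policies above are what actually force a dial-up user's Internet traffic back through the NetScreen: the static route sends anything addressed to the XAuth pool into tunnel.1, and the Trust-to-Untrust policy with source translation lets pool traffic leave towards the Internet with the device's own address. The following Python model is an added example, not code from this article or from ScreenOS, that reproduces those two decisions (longest-prefix route lookup, then first-match zone-to-zone policy) using the article's pool, LAN, route and policy values. The interface names ethernet1 and ethernet3, the default and LAN routes, the 203.0.113.x and 198.51.100.7 addresses, and the assumption that anything not covered by the two policies is denied are all constructed; the zone pair for each flow is passed in by the caller because the article does not state which zone tunnel.1 belongs to.

```python
"""Added example (not from the KB article, not ScreenOS code): a small model of the
two decisions the NetScreen makes for dial-up traffic once the steps above are in
place, a longest-prefix route lookup followed by a zone-to-zone policy match."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
XAUTH_POOL = ipaddress.ip_network("11.11.11.0/24")    # pool used in the article (steps 26, 39)
INSIDE_LAN = ipaddress.ip_network("192.168.1.0/24")   # LAN used in the article (step 33)
UNTRUST_IP = ipaddress.ip_address("203.0.113.10")     # constructed: Untrust address used for source NAT


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: str
    metric: int = 1


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str
    src_nat: bool = False


# Steps 26-28: interface route sending the XAuth pool into tunnel.1 (gateway 0.0.0.0, metric 1).
POOL_ROUTE = Route(XAUTH_POOL, "tunnel.1", "0.0.0.0", 1)
# Constructed: inside-LAN and default routes; interface names ethernet1/ethernet3 are assumptions.
LAN_ROUTE = Route(INSIDE_LAN, "ethernet1", "0.0.0.0", 1)
DEFAULT_ROUTE = Route(ANY, "ethernet3", "203.0.113.1", 1)
ROUTES = (POOL_ROUTE, LAN_ROUTE, DEFAULT_ROUTE)

# Steps 30-35 and 37-45, in the order they were created; anything unmatched is denied in this model.
POLICIES = (
    Policy("Untrust", "Trust", ANY, INSIDE_LAN, "permit"),
    Policy("Trust", "Untrust", XAUTH_POOL, ANY, "permit", src_nat=True),
)


def lookup_route(table, dst) -> Optional[Route]:
    """Longest-prefix match; the lowest metric wins among equal-length prefixes."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric)) if hits else None


def match_policy(from_zone, to_zone, src, dst) -> Optional[Policy]:
    """First policy for the zone pair whose source and destination cover the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in POLICIES:
        if (p.from_zone, p.to_zone) == (from_zone, to_zone) and src in p.src and dst in p.dst:
            return p
    return None


def decide(from_zone, to_zone, src, dst, table=ROUTES) -> dict:
    """Route first, then apply policy.  The zone pair is supplied by the caller because
    the article does not state which zone tunnel.1 belongs to."""
    route = lookup_route(table, dst)
    if route is None:
        return {"action": "deny", "reason": "no route"}
    policy = match_policy(from_zone, to_zone, src, dst)
    if policy is None:
        return {"action": "deny", "reason": "no policy", "egress": route.interface}
    src_out = str(UNTRUST_IP) if policy.src_nat else src
    return {"action": policy.action, "egress": route.interface, "src_out": src_out}


def return_path(pool_host, with_pool_route=True) -> str:
    """Interface that carries replies back to a pool address, with or without the step 26-28 route."""
    table = ROUTES if with_pool_route else (LAN_ROUTE, DEFAULT_ROUTE)
    return lookup_route(table, pool_host).interface


if __name__ == "__main__":
    # Dial-up user browsing the Internet: re-routed Trust -> Untrust and source-NATed (steps 37-45).
    print(decide("Trust", "Untrust", "11.11.11.5", "198.51.100.7"))
    # Dial-up user reaching the inside LAN: permitted by the Untrust -> Trust policy, no NAT (steps 30-35).
    print(decide("Untrust", "Trust", "11.11.11.5", "192.168.1.20"))
    # Without the static route, replies to the pool would follow the default route instead of tunnel.1.
    print(return_path("11.11.11.5", with_pool_route=False), "->", return_path("11.11.11.5"))
```

The `return_path` comparison is the check worth repeating on a real device after step 28: if the pool prefix is missing from the routing table, replies destined for a dial-up address follow the default route out of the Untrust interface rather than re-entering the tunnel, which is exactly the leak this configuration is meant to prevent.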


To configure the NetScreen-Remote Dial-Up side, go to Configuring the NetScreen-Remote to Force All Dial-Up VPN Traffic Through the NetScreen Device Before Going to the Internet.
