Configuring the NetScreen Device to Force all Dial-Up VPN Traffic Through the Device Before Going to the Internet (continued)
This article shows how to configure the following:
- Create phase 1 IKE gateway.
- Create phase 2 VPN.
- Create static routes to route the IP pool packets through the tunnel interface.
- Configure a policy to allow traffic from Untrust to Trust.
- Configure a policy to re-route traffic from Trust to Untrust.
To continue configuring the NetScreen device side to force all dial-up VPN traffic through the NetScreen, perform the following steps:

1. Open the WebUI. For more information on accessing the WebUI, see Accessing Your NetScreen Using the WebUI.

2. From the NetScreen options menu, click VPNs, select AutoKey Advanced, and then click Gateway.

3. Click New.

4. In the Gateway Name text box, enter a gateway name.

5. From Security Level, select Compatible.

6. From Remote Gateway Type, select Dialup User. In the User drop-down menu, select a user.

7. In the Preshared Key text box, enter a preshared key.

8. Set Outgoing Interface to the interface through which the XAuth users will connect.

9. Click Advanced.

10. From Mode (Initiator), select Aggressive.

11. Select XAuth Server.

12. Click Return.

13. Click OK.

14. From the NetScreen options menu, click VPNs, and then click AutoKey IKE.

15. Click New.

16. In the VPN Name text box, enter a VPN name.

17. From Security Level, select Compatible.

18. From Remote Gateway, select Predefined, and then from the drop-down menu, choose a remote gateway.

19. Click Advanced.

20. From Bind to, select Tunnel Interface. In the Tunnel Interface drop-down menu, select tunnel.1.

21. Select Proxy-ID.

22. Under Proxy-ID, configure the following settings:
   - Local IP / Netmask: 0.0.0.0/0
   - Remote IP / Netmask: 255.255.255.255/32
   - Service: Any

23. Click Return.

24. Click OK.

25. From the NetScreen options menu, click Network, select Routing, and then click Routing Entries.

26. Click New.

27. In the Network Address / Netmask text box, enter the network address of the XAuth IP pool.

28. Select Gateway, and then configure the following settings:
   - Interface: tunnel.1
   - Gateway IP Address: 0.0.0.0
   - Metric: 1
   - Tag: 0

29. Click OK.

30. From the NetScreen options menu, click Policies.

31. On the Policies page, in the From drop-down menu, select Untrust, and in the To drop-down menu, select Trust.

32. Click New.

33. From Source Address, select Address Book, and then in the Address Book drop-down menu, select Any.

34. From Destination Address, select Address Book, and then in the Address Book drop-down menu, choose an IP address/netmask. For this example, we have selected 192.168.1.0/24.

35. In the Service drop-down menu, select ANY. In the Action drop-down menu, select Permit.

36. Click OK.

37. From the NetScreen options menu, click Policies.

38. On the Policies page, in the From drop-down menu, select Trust, and in the To drop-down menu, select Untrust.

39. Click New.

40. From Source Address, select New Address, and then in the New Address text box, enter 11.11.11.0/24.

41. From Destination Address, select Address Book, and then in the Address Book drop-down menu, select Any.

42. In the Service drop-down menu, select ANY. In the Action drop-down menu, select Permit.

43. Click Advanced.

44. From NAT, select Source Translation.

45. Click Return.

46. Click OK.
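The WebUI steps above map onto ScreenOS `set` commands. The listing below is an added CLI equivalent written for this article, not configuration taken from the article or from Juniper; the gateway, VPN and address-book names, the `ethernet3` outgoing interface, the dial-up user name and the preshared key placeholder are assumptions, and it assumes tunnel.1 has already been placed in the Trust zone (which is what the Trust-to-Untrust policy sourced from the pool requires). Lines beginning with `#` are annotations only; the ScreenOS CLI does not accept comments, so drop them before pasting.

```screenos
# Phase 1: IKE gateway for the dial-up XAuth user, aggressive mode, preshared key
# (names, ethernet3 and the key value are assumptions made for this example)
set ike gateway "dialup-gw" dialup "xauth-user" aggressive outgoing-interface "ethernet3" preshare "REPLACE-WITH-PRESHARED-KEY" sec-level compatible
set ike gateway "dialup-gw" xauth server default

# Phase 2: VPN bound to tunnel.1 with the catch-all proxy-ID 0.0.0.0/0 on the
# device side, so the client can negotiate a tunnel that carries all of its traffic
set vpn "dialup-vpn" gateway "dialup-gw" sec-level compatible
set vpn "dialup-vpn" bind interface tunnel.1
set vpn "dialup-vpn" proxy-id local-ip 0.0.0.0/0 remote-ip 255.255.255.255/32 "ANY"

# Static route: traffic for the XAuth IP pool (11.11.11.0/24 in the article) is
# sent back into the tunnel
set route 11.11.11.0/24 interface tunnel.1 metric 1

# Policy 1 (Untrust to Trust): dial-up users may reach the trusted LAN
set policy from "Untrust" to "Trust" "Any" "192.168.1.0/24" "ANY" permit

# Policy 2 (Trust to Untrust): pool addresses arriving through tunnel.1 are
# re-routed to the Internet with source translation to the egress interface
set address "Trust" "xauth-pool" 11.11.11.0 255.255.255.0
set policy from "Trust" to "Untrust" "xauth-pool" "Any" "ANY" nat src permit
```

After a client connects, `get route` should list 11.11.11.0/24 via tunnel.1, `get policy` should show both policies, and `get sa` should show the active phase 2 SA. Two points worth checking in your own deployment: the proxy-ID of 0.0.0.0/0 is what makes the client send Internet-bound traffic into the tunnel, so without it the client will split-tunnel; and the Untrust-to-Trust policy above uses Any as its source exactly as the article does, so if you want LAN access limited to tunnelled users, replace Any with the pool address.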

To configure the NetScreen-Remote Dial-Up side, go to Configuring the NetScreen-Remote to Force All Dial-Up VPN Traffic Through the NetScreen Device Before Going to the Internet.