Configuring the NetScreen Device to Force all Dial-Up VPN Traffic Through the Device Before Going to the Internet (continued)

This article shows how to configure the following:

• Create phase 1 IKE gateway.
• Create phase 2 VPN.
• Create static routes to route the IP pool packets through the tunnel interface.
• Configure a policy to allow traffic from Untrust to Trust.
• Configure a policy to re-route traffic from Trust to Untrust.

 

To continue configuring the NetScreen device side to force all dial-up VPN traffic through the NetScreen, perform the following steps:

Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen Using the WebUI.

From the NetScreen options menu, click VPNs, select AutoKey Advanced, and then click Gateway.

Click New.

In the Gateway Name text box, enter a Gateway Name.

From Security Level, click to select Compatible.

From Remote Gateway Type, click to select Dialup User. In the User drop-down menu, click to select a User.

From the Preshared Key text box, enter a preshared key.

The Outgoing Interface should be the outgoing interface that the XAuth users will use.

Click Advanced.

From Mode (Initiator), click to select Aggressive.

Click to select XAuth Server.

Click Return.

Click OK.

From the NetScreen options menu, click VPNs, and then click AutoKey IKE.

CIick New.

From the VPN Name text box, enter a VPN Name.

From Security Level, click to select Compatible.

From Remote Gateway, click to select Predefined, and then from the drop-down menu, click to choose a Remote Gateway.

Click Advanced.

From Bind to, click to select Tunnel Interface. In the Tunnel Interface drop-down menu, click to select tunnel.1.

Click to select Proxy-ID.

From Proxy-ID, configure the following settings:

• Local IP / Netmask: 0.0.0.0/0
• Remote IP / Netmask: 255.255.255.255/32
• Service: Any

Click Return.

Click OK.

From the NetScreen options menu, click Network, select Routing, click Routing Entries.

Click New.

In the Network Address / Netmask text box, enter the XAuth pool network IP address.

Click to select Gateway, and then configure the following settings:

• Interface: tunnel.1
• Gateway IP Address: 0.0.0.0
• Metric: 1
• Tag: 0

Click OK.

From the NetScreen options menu, click Policies.

From the Policies page, in the From drop-down menu, click to select Untrust, and in the To drop-down menu, click to select Trust.

Click New.

From Source Address, click to select Address Book, and then in the Address Book drop-down menu, click to select Any.

From Destination Address, click to select Address Book, and then in the Address Book drop-down menu, click to choose an IP Address/Netmask.

For this example, we have selected 192.168.1.0/24.

In the Service drop-down menu, click to select ANY. In the Action drop-down menu, click to select Permit.

Click OK.

From the NetScreen options menu, click Policies.

From the Policies page, in the From drop-down menu, click to select Trust, and in the To drop-down menu, click to select Untrust.

Click New.

From Source Address, click to select New Address, and then in the New Address text box, enter 11.11.11.0/24.

From Destination Address, click to select Address Book, and then in the Address Book drop-down menu, click to select Any.

In the Service drop-down menu, click to select ANY. In the Action drop-down menu, click to select Permit.

Click Advanced.

From NAT, click to select Source Translation.

Click Return.

Click OK.

To configure the NetScreen-Remote Dial-Up side, go to Configuring the NetScreen-Remote to Force All Dial-Up VPN Traffic Through the NetScreen Device Before Going to the Internet.