
[ScreenOS] Configuring a Policy-Based LAN-to-LAN VPN When Both Sides Have Static IPs Using Pre-shared Keys


Article ID: KB4757  Last Updated: 24 Jul 2019  Version: 8.0
Summary:
This article explains how to configure a policy-based VPN using pre-shared keys when both sides have static IPs.
Symptoms:
How to configure a policy-based VPN using pre-shared keys when both sides have static IPs.
Solution:
The settings and proposals that are used to configure the VPN are as follows:

[Image: example VPN topology, Site A to Site B]

Juniper Firewall Site A

  • Untrust IP of device: 1.1.1.1

  • Trust network: 192.168.1.0/24

  • Phase 1 proposal: pre-g2-des-sha

  • Phase 2 proposal: nopfs-esp-des-sha

Juniper Firewall Site B

  • Untrust IP of device: 2.2.2.1

  • Trust network: 10.1.1.0/24

  • Phase 1 proposal: pre-g2-des-sha

  • Phase 2 proposal: nopfs-esp-des-sha

To configure a policy-based LAN-to-LAN VPN between two static-IP peers using pre-shared keys, perform the following steps:

  1. Configure a gateway for the local site (see KB4128 - Configuring an IPSec Security Gateway for the Local Site).

  2. Configure a phase 2 proposal for the local site (see KB4129 - Configuring a Phase 2 Proposal for the Local Site).

  3. Configure a policy for the local site (see KB4130 - Configuring a Policy for the Local Site).

  4. Configure a gateway for the remote site, the opposite end of the tunnel from the local site (see KB4131 - Configuring a Gateway for the Remote Site).

  5. Configure a phase 2 proposal for the remote site (see KB4132 - Configuring a Phase 2 Proposal for the Remote Site).

  6. Configure a policy for the remote site (see KB4133 - Configuring a Policy for the Remote Site).

CLI configuration:

Note that the CLI listings below use the 3DES variants of the predefined proposals (pre-g2-3des-sha for Phase 1 and g2-esp-3des-sha for Phase 2) rather than the DES proposals listed in the settings above. Whichever pair is chosen, the Phase 1 proposal, the Phase 2 proposal and the pre-shared key must be identical on both peers, and each side's IKE gateway address must be the other side's untrust IP.

CLI - Site A:
  1. Setting the interface IPs:
    set interface e1/1 zone trust
    set interface e1/1 ip 192.168.1.1/24
    set interface e1/1 nat
    set interface e1/2 zone untrust
    set interface e1/2 ip 1.1.1.1/24
  2. Creating address book entries:
    set address Trust "192.168.1.1/24" 192.168.1.1/24
    set address Untrust "10.1.1.1/24" 10.1.1.1/24
  3. Creating an IKE gateway and VPN:
    set ike gateway "Netscreen Site A" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
    set vpn "site B VPN" gateway "Netscreen Site A" proposal "g2-esp-3des-sha"
    set ike gateway "Netscreen Site A" heartbeat reconnect 5
  4. Configuring the policies:
    set policy id 1 top from trust to untrust "192.168.1.1/24" "10.1.1.1/24" any tunnel vpn "site B VPN" pair-policy 2
    set policy id 2 top from untrust to trust "10.1.1.1/24" "192.168.1.1/24" any tunnel vpn "site B VPN" pair-policy 1
    save

CLI - Site B:
  1. Setting the Interface IPs:
    set interface e1/1 zone trust
    set interface e1/1 ip 10.1.1.1/24
    set interface e1/1 nat
    set interface e1/2 zone untrust
    set interface e1/2 ip 2.2.2.1/24
  2. Creating address book entries:
    set address Trust "10.1.1.1/24" 10.1.1.1/24
    set address Untrust "192.168.1.1/24" 192.168.1.1/24
  3. Creating an IKE gateway and VPN:
    set ike gateway "Netscreen Site B" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
    set vpn "site A VPN" gateway "Netscreen Site B" proposal "g2-esp-3des-sha"
    set ike gateway "Netscreen Site B" heartbeat reconnect 5
  4. Configuring the policies:
    set policy id 1 top from trust to untrust "10.1.1.1/24" "192.168.1.1/24" any tunnel vpn "site A VPN" pair-policy 2
    set policy id 2 top from untrust to trust "192.168.1.1/24" "10.1.1.1/24" any tunnel vpn "site A VPN" pair-policy 1
    save
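The following is an added example, not part of this KB article and not Juniper's code. It generates the Site A and Site B command sets above from one set of parameters and then cross-checks the two listings against each other, which is the part that is easy to get wrong by hand: each IKE gateway must point at the other side's untrust IP, the VPN must name an existing gateway, a policy's source and destination must sit in the zone the policy is written from and to, both pair-policy IDs must exist, and the proposals and pre-shared key must match on both peers. The PSK_PLACEHOLDER value, the Site class and the function names are assumptions of this example; address-book entries are written as the network address (192.168.1.0/24) rather than the host-style value used in the CLI listing above.

```python
"""Render and cross-check a paired ScreenOS policy-based VPN configuration.
Added example for this article (not Juniper's code); the pre-shared key and
object names are constructed placeholders."""
import shlex
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network


@dataclass(frozen=True)
class Site:
    name: str        # label used in the generated gateway/VPN names
    trust_if: str    # LAN-side interface, e.g. "e1/1"
    trust_ip: str    # its address with prefix, e.g. "192.168.1.1/24"
    untrust_if: str  # Internet-side interface, e.g. "e1/2"
    untrust_ip: str  # its address with prefix, e.g. "1.1.1.1/24"

    @property
    def trust_net(self):  # address-book entry: the network, not the host
        return str(ip_network(self.trust_ip, strict=False))

    @property
    def peer_addr(self):  # what the other side's IKE gateway must point at
        return str(ip_interface(self.untrust_ip).ip)


def render_site(local, remote, psk, p1="pre-g2-3des-sha", p2="g2-esp-3des-sha"):
    """ScreenOS commands for `local`, with `remote` as the tunnel peer."""
    gw, vpn = f"Netscreen Site {local.name}", f"site {remote.name} VPN"
    here, there = local.trust_net, remote.trust_net
    return [
        f"set interface {local.trust_if} zone trust",
        f"set interface {local.trust_if} ip {local.trust_ip}",
        f"set interface {local.trust_if} nat",
        f"set interface {local.untrust_if} zone untrust",
        f"set interface {local.untrust_if} ip {local.untrust_ip}",
        f'set address Trust "{here}" {here}',      # local LAN lives in Trust
        f'set address Untrust "{there}" {there}',  # remote LAN is reached via Untrust
        f'set ike gateway "{gw}" address {remote.peer_addr} main '
        f"outgoing-interface {local.untrust_if} preshare {psk} proposal {p1}",
        f'set vpn "{vpn}" gateway "{gw}" proposal "{p2}"',
        f'set ike gateway "{gw}" heartbeat reconnect 5',
        f'set policy id 1 top from trust to untrust "{here}" "{there}" any '
        f'tunnel vpn "{vpn}" pair-policy 2',
        f'set policy id 2 top from untrust to trust "{there}" "{here}" any '
        f'tunnel vpn "{vpn}" pair-policy 1',
        "save",
    ]


def parse(cmds):
    """Pull the objects the cross-check needs out of a command list."""
    cfg = {"zone": {}, "ifip": {}, "addr": {}, "gw": {}, "vpn": {}, "pol": {}}
    for line in cmds:
        t = shlex.split(line)
        if t[:2] == ["set", "interface"] and t[3] == "zone":
            cfg["zone"][t[2]] = t[4]
        elif t[:2] == ["set", "interface"] and t[3] == "ip":
            cfg["ifip"][t[2]] = str(ip_interface(t[4]).ip)
        elif t[:2] == ["set", "address"]:
            cfg["addr"][t[3]] = t[2].lower()          # entry name -> zone
        elif t[:3] == ["set", "ike", "gateway"] and "address" in t:  # skips heartbeat line
            cfg["gw"][t[3]] = {"addr": t[t.index("address") + 1],
                               "psk": t[t.index("preshare") + 1],
                               "p1": t[t.index("proposal") + 1]}
        elif t[:2] == ["set", "vpn"]:
            cfg["vpn"][t[2]] = {"gw": t[t.index("gateway") + 1],
                                "p2": t[t.index("proposal") + 1]}
        elif t[:3] == ["set", "policy", "id"]:
            i = t.index("to")
            cfg["pol"][t[3]] = {"from": t[i - 1], "to": t[i + 1], "src": t[i + 2],
                                "dst": t[i + 3], "pair": t[t.index("pair-policy") + 1]}
    untrust = [ifc for ifc, z in cfg["zone"].items() if z == "untrust"]
    cfg["untrust_ip"] = cfg["ifip"].get(untrust[0]) if untrust else None
    return cfg


def check_pair(cmds_a, cmds_b):
    """Return a list of inconsistencies; an empty list means the pair agrees."""
    a, b = parse(cmds_a), parse(cmds_b)
    problems = []
    for side, cfg, peer in (("A", a, b), ("B", b, a)):
        for name, gw in cfg["gw"].items():
            if gw["addr"] != peer["untrust_ip"]:
                problems.append(f'{side}: gateway "{name}" points at {gw["addr"]}, '
                                f'but the peer untrust IP is {peer["untrust_ip"]}')
        for name, vpn in cfg["vpn"].items():
            if vpn["gw"] not in cfg["gw"]:
                problems.append(f'{side}: VPN "{name}" references unknown gateway "{vpn["gw"]}"')
        for pid, p in cfg["pol"].items():
            if cfg["addr"].get(p["src"]) != p["from"]:
                problems.append(f'{side}: policy {pid} source "{p["src"]}" is not in zone {p["from"]}')
            if cfg["addr"].get(p["dst"]) != p["to"]:
                problems.append(f'{side}: policy {pid} destination "{p["dst"]}" is not in zone {p["to"]}')
            if p["pair"] not in cfg["pol"]:
                problems.append(f"{side}: policy {pid} pairs with missing policy {p['pair']}")
    # Phase 1 / Phase 2 proposals and the pre-shared key must be identical on both peers.
    for key, label in (("p1", "Phase 1 proposal"), ("psk", "pre-shared key")):
        if {g[key] for g in a["gw"].values()} != {g[key] for g in b["gw"].values()}:
            problems.append(f"{label} differs between the peers")
    if {v["p2"] for v in a["vpn"].values()} != {v["p2"] for v in b["vpn"].values()}:
        problems.append("Phase 2 proposal differs between the peers")
    return problems


# Constructed parameters matching the article's topology.
SITE_A = Site("A", "e1/1", "192.168.1.1/24", "e1/2", "1.1.1.1/24")
SITE_B = Site("B", "e1/1", "10.1.1.1/24", "e1/2", "2.2.2.1/24")

if __name__ == "__main__":
    cfg_a = render_site(SITE_A, SITE_B, "PSK_PLACEHOLDER")
    cfg_b = render_site(SITE_B, SITE_A, "PSK_PLACEHOLDER")
    print("\n".join(["# Site A"] + cfg_a + ["", "# Site B"] + cfg_b))
    print("\nproblems:", check_pair(cfg_a, cfg_b) or "none")
```

Running the file prints both configurations and reports `none` when they agree. Feeding `check_pair` a hand-edited listing instead, for example a Site B block whose untrust interface carries a different address from the one Site A's gateway points at, or a `set vpn` line naming a gateway that was never created, reports the mismatch up front rather than leaving it to surface as a failed IKE negotiation.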
Modification History:
2019-06-15: Updated CLI command section - creating an IKE Gateway and VPN
