[ScreenOS] Configuring a Policy-Based LAN-to-LAN VPN When Both Sides Have Static IPs Using Pre-shared Keys

  [KB4757]


Summary:
This article provides information on how to configure a policy-based VPN, when both sides have Static IPs, by using pre-shared keys.
Symptoms:
How to configure a policy-based VPN, when both sides have Static IPs, by using pre-shared keys.
Solution:
The settings and proposals that are used to configure the VPN are as follows:

Image of example

Juniper Firewall Site A

  • Untrust IP of device 1.1.1.1

  • Trust Network 192.168.1.0/24

  • Phase 1 Proposal pre-g2-des-sha

  • Phase 2 Proposal nopfs-esp-des-sha

Juniper Firewall Site B

  • Untrust IP of device 2.2.2.1

  • Trust Network 10.1.1.0/24

  • Phase 1 Proposal pre-g2-des-sha

  • Phase 2 Proposal nopfs-esp-des-sha

 
To configure a policy-based LAN-to-LAN VPN when both sides have static IPs using pre-shared keys, perform the following steps:

  1. Configure a gateway for the local site. For more information on configuring a gateway for the local site, go to KB4128 - Configuring an IPSec Security Gateway for the Local Site.

  2. Configure a phase 2 proposal for the local site. For more information on configuring a phase 2 proposal for the local site, go to KB4129 - Configuring a Phase 2 Proposal for the Local Site.

  3. Configure a policy for the local site. For more information on configuring a policy for the local site, go to KB4130 - Configuring a Policy for the Local Site.

  4. Configure a gateway for the remote site (opposite end of the tunnel from the local site). For more information on configuring a gateway for the remote site, go to KB4131 - Configuring a Gateway for the Remote Site.

  5. Configure a phase 2 proposal for the remote site. For more information on configuring a phase 2 proposal for the remote site, go to KB4132 - Configuring a Phase 2 Proposal for the Remote Site.

  6. Configure a policy for the remote site. For more information on configuring a policy for the remote site, go to KB4133 - Configuring a Policy for the Remote Site.

CLI configuration:

CLI - Site A:
  1. Setting the interface IPs:
    set interface e1/1 zone trust
    set interface e1/1 ip 192.168.1.1/24
    set interface e1/1 nat
    set interface e1/2 zone untrust
    set interface e1/2 ip 1.1.1.1/24
  2. Creating address book entries:
    set address Trust "192.168.1.1/24" 192.168.1.1/24
    set address Untrust "10.1.1.1/24" 10.1.1.1/24
  3. Creating an IKE gateway and VPN:
    set ike gateway "Netscreen Site A" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
    set vpn "site B VPN" gateway "Netscreen Site A" proposal "g2-esp-3des-sha"
    set ike gateway "Netscreen Site A" heartbeat reconnect 5
  4. Configuring the policies:
    set policy id 1 top from trust to untrust "192.168.1.1/24" "10.1.1.1/24" any tunnel vpn "site B VPN" pair-policy 2
    set policy id 2 top from untrust to trust "10.1.1.1/24" "192.168.1.1/24" any tunnel vpn "site B VPN" pair-policy 1
    save

CLI - Site B:
  1. Setting the Interface IPs:
    set interface e1/1 zone trust
    set interface e1/1 ip 10.1.1.1/24
    set interface e1/1 nat
    set interface e1/2 zone untrust
    set interface e1/2 ip 2.2.2.1/24
  2. Creating address book entries:
    set address Trust "10.1.1.1/24" 10.1.1.1/24
    set address Untrust "192.168.1.1/24" 192.168.1.1/24
  3. Creating an IKE gateway and VPN:
    set ike gateway "Netscreen Site B" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
    set vpn "site A VPN" gateway "Netscreen Site B" proposal "g2-esp-3des-sha"
    set ike gateway "Netscreen Site B" heartbeat reconnect 5
  4. Configuring the policies:
    set policy id 1 top from trust to untrust "10.1.1.1/24" "192.168.1.1/24" any tunnel vpn "site A VPN" pair-policy 2
    set policy id 2 top from untrust to trust "192.168.1.1/24" "10.1.1.1/24" any tunnel vpn "site A VPN" pair-policy 1
    save
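
The following Python checker is an added example, not part of this KB and not Juniper code. It parses the subset of ScreenOS `set` commands used above for both sites and flags the mismatches that most often keep Phase 1 or Phase 2 from completing: a VPN bound to a gateway name that was never defined, a gateway whose peer address is not an interface IP on the other firewall, policy address-book entries created in the wrong zone, and a pre-shared key or proposal that differs between the two ends. The embedded SITE_A and SITE_B strings are constructed samples reduced to the commands the checker reads, using the values from this article.

```python
import shlex

def parse_site(cfg):
    """Parse the ScreenOS 'set' commands used in this KB into lookup tables."""
    s = {"if_ip": set(), "addr": {}, "gw": {}, "vpn": {}, "pol": []}
    for t in (shlex.split(line) for line in cfg.splitlines()):
        if t[:2] == ["set", "interface"] and t[3] == "ip":
            s["if_ip"].add(t[4].split("/")[0])
        elif t[:2] == ["set", "address"]:          # address-book name -> zone
            s["addr"][t[3]] = t[2].lower()
        elif t[:3] == ["set", "ike", "gateway"] and "address" in t:
            s["gw"][t[3]] = {k: t[t.index(k) + 1] for k in ("address", "preshare", "proposal")}
        elif t[:2] == ["set", "vpn"]:
            s["vpn"][t[2]] = {"gateway": t[4], "proposal": t[6]}
        elif t[:2] == ["set", "policy"]:           # (from-zone, to-zone, src, dst)
            i = t.index("from")
            s["pol"].append((t[i + 1].lower(), t[i + 3].lower(), t[i + 4], t[i + 5]))
    return s

def check_pair(a, b):
    """Return findings for a site pair; an empty list means both ends agree."""
    out = []
    for name, site, peer in (("A", a, b), ("B", b, a)):
        for v, d in site["vpn"].items():        # VPN must bind to a gateway that exists
            if d["gateway"] not in site["gw"]:
                out.append(f"{name}: vpn {v!r} references unknown gateway {d['gateway']!r}")
        for g, d in site["gw"].items():         # peer address must be an interface IP on the other box
            if d["address"] not in peer["if_ip"]:
                out.append(f"{name}: gateway {g!r} peers with {d['address']}, not a remote interface IP")
        for zf, zt, src, dst in site["pol"]:    # address-book entries must live in the policy's zones
            if site["addr"].get(src) != zf or site["addr"].get(dst) != zt:
                out.append(f"{name}: policy {src}->{dst} uses addresses outside zones {zf}/{zt}")
    for tbl, k in (("gw", "preshare"), ("gw", "proposal"), ("vpn", "proposal")):
        va, vb = (next(iter(s[tbl].values()))[k] for s in (a, b))
        if va != vb:                            # PSK, Phase 1 and Phase 2 proposals must match end to end
            out.append(f"{tbl} {k} mismatch: {va} vs {vb}")
    return out

SITE_A = """set address Trust "192.168.1.1/24" 192.168.1.1/24
set address Untrust "10.1.1.1/24" 10.1.1.1/24
set ike gateway "Netscreen Site A" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site B VPN" gateway "Netscreen Site A" proposal "g2-esp-3des-sha"
set policy id 1 top from trust to untrust "192.168.1.1/24" "10.1.1.1/24" any tunnel vpn "site B VPN"
set interface e1/2 ip 1.1.1.1/24"""
SITE_B = """set address Trust "10.1.1.1/24" 10.1.1.1/24
set address Untrust "192.168.1.1/24" 192.168.1.1/24
set ike gateway "Netscreen Site B" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site A VPN" gateway "Netscreen Site B" proposal "g2-esp-3des-sha"
set policy id 1 top from trust to untrust "10.1.1.1/24" "192.168.1.1/24" any tunnel vpn "site A VPN"
set interface e1/2 ip 2.2.2.1/24"""
```

Run `check_pair(parse_site(SITE_A), parse_site(SITE_B))` against the configs as they will be pushed to each box; any non-empty result is worth fixing before looking at IKE debug output.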
Modification History:
2019-06-15: Updated CLI command section - creating an IKE Gateway and VPN