[Archive] Encrypt All Traffic from Wireless Laptop using NetScreen-Remote

Article ID: KB5740 | Last Updated: 20 Aug 2010 | Version: 3.0
Summary:
Encrypt All Traffic from Wireless Laptop using NetScreen-Remote
Symptoms:
  • Protecting a wireless LAN from external eavesdroppers
  • Wireless network interface card (NIC)
  • IEEE 802.11b
Solution:

To protect wireless LAN traffic entering the internal network, ScreenOS 3.1 or later on the NetScreen device and the NetScreen-Remote client on each wireless laptop are required. The goal is that all traffic from the wireless NIC is encrypted: the laptop builds an IPsec tunnel to the NetScreen's trust interface, so an eavesdropper on the 802.11b segment sees only IKE and ESP.

Minimum requirement: the NetScreen device must be in route mode, and policy-based NAT must be used.

Basic steps:

  1. Put the trust zone interface in route mode.
  2. Create a tunnel interface whose outgoing interface is the trust interface.
  3. Create the VPN tunnel with a local proxy ID of 0.0.0.0/0 and a remote proxy ID of the wireless laptop's IP address (a /32). The 0.0.0.0/0 local ID is what lets the laptop reach every destination through the tunnel.
  4. Create an Any -> Any, any-service permit policy that uses policy-based NAT.
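
The same firewall-side configuration expressed as ScreenOS CLI commands. This is an added transcription, not part of the original article, and it rests on assumptions: ScreenOS 4.0 command syntax, a tunnel interface named tunnel.1 borrowing ethernet1's address, object names (wlan-laptop, wlan-vpn, wlan-laptop-host) chosen here, main-mode IKE with the laptop's static address as the peer, and the addresses used in the WebUI steps (ethernet1 at 10.251.7.49, laptop at 10.251.7.53). Verify each command against the CLI reference for your release before relying on it.

```text
# Trust interface in route mode; the wireless laptop hangs off ethernet1
set interface ethernet1 route

# Tunnel interface in the trust zone, unnumbered on ethernet1 (assumed naming)
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface ethernet1

# Phase 1 gateway: "netscreen" is the article's example key; use a long random value
# (main mode with a static peer address is an assumption; the article does not say)
set ike gateway "wlan-laptop" address 10.251.7.53 main outgoing-interface ethernet1 preshare "netscreen" proposal "pre-g2-3des-sha"

# Phase 2: no-replay mirrors the client having "Enable Replay Protection" cleared;
# drop it (keep anti-replay on) wherever both ends interoperate with it
set vpn "wlan-vpn" gateway "wlan-laptop" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "wlan-vpn" bind interface tunnel.1
set vpn "wlan-vpn" proxy-id local-ip 0.0.0.0/0 remote-ip 10.251.7.53/32 "ANY"

# Address object for the laptop and the Trust -> Untrust permit policy with source NAT
set address trust "wlan-laptop-host" 10.251.7.53 255.255.255.255
set policy from trust to untrust "wlan-laptop-host" "Any" "ANY" nat src permit
```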

WebUI:

  1. Click Interface, and click Edit next to Ethernet1 (assuming the wireless laptop resides off Ethernet1).
  2. Next to Interface Mode, click Route, then click OK.
  3. Click Interface, and click New
  4. Create a tunnel interface bound to the trust zone

  5. Click VPNs > AutoKey Advanced > Gateway, and click New.

  6. Click VPNs > AutoKey and click New
  7. Click Advanced. Set the remote proxy ID to the IP address of the wireless laptop (10.251.7.53 in this example) and the local proxy ID to 0.0.0.0/0.
  8. Create the Trust -> Untrust policy from the laptop address to Any, action Permit, and select policy-based NAT.
  9. On NetScreen-Remote, open the Options menu and select Secure > All Connections. This setting is what sends every packet from the wireless NIC, not just traffic to a listed subnet, through the tunnel.
  10. Select Connect using Secure Gateway Tunnel and enter 10.251.7.49, the trust interface IP address, as the gateway.

  11. Click My Identity
    1. On the Certificate pulldown menu, select None
    2. ID Type: IP Address
    3. Click Pre-Shared Key.
      1. Click Enter.
      2. Enter the pre-shared key (netscreen in this example). It must match the key configured on the NetScreen gateway; a production deployment should use a long random value rather than this example.

    4. Click Security Policy.
    5. De-select Enable Replay Protection. Replay protection is the IPsec anti-replay window; this article turns it off on the client for this configuration. Without it the receiver will accept a re-injected copy of an earlier ESP packet, so leave it enabled wherever both ends interoperate with it.

    6. Expand the Security Policy.
    7. Expand Authentication (Phase 1) and click Proposal 1. The values must match the gateway's Phase 1 proposal:
      1. Encrypt Alg: Triple DES
      2. Hash Alg: SHA-1
      3. SA Life: Unspecified
      4. Key Group: Diffie-Hellman Group 2

    8. Expand Key Exchange (Phase 2) and click Proposal 1. The values must match the gateway's Phase 2 proposal:
      1. SA Life: Unspecified
      2. Compression: None
      3. Encapsulation Protocol (ESP): leave enabled
      4. Encrypt Alg: Triple DES
      5. Hash Alg: SHA-1
      6. Encapsulation: Tunnel

    Triple DES and SHA-1 are legacy algorithms today; if both ends offer AES and SHA-2, prefer them.
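
A check on the result, added here as example code that is not part of the original article: once NetScreen-Remote secures all connections, an eavesdropper on the 802.11b segment should see nothing from the laptop except IKE (UDP 500, or UDP 4500 with NAT traversal) and ESP (IP protocol 50). The script below parses raw IPv4 packets, keeps only those sourced from the laptop address, and reports every packet that is neither IKE nor ESP. The capture is constructed inline, the addresses are the article's (laptop 10.251.7.53, gateway 10.251.7.49), and on a real network you would feed audit() the IPv4 packets extracted from a capture taken on the wireless segment.

```python
import socket
import struct

# IP protocol numbers and the UDP ports IKE uses (RFC 2409 / RFC 3947)
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500

# Addresses from the article; the capture further down is constructed, not recorded
LAPTOP_IP = "10.251.7.53"
GATEWAY_IP = "10.251.7.49"


def ipv4_packet(src, dst, proto, payload):
    """Build a minimal IPv4 header (no options, zero checksum) around payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp_segment(sport, dport, data=b""):
    """UDP header (zero checksum) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_syn(sport, dport):
    """Bare 20-byte TCP SYN header; enough for port extraction."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def classify(packet, laptop_ip):
    """Label one IPv4 packet seen on the wireless segment.

    Returns (kind, detail). From the laptop only 'esp', 'ike' and 'nat-t' are
    expected once all connections are secured; anything else is a leak.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "non-ipv4", None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    if src != laptop_ip:
        return "other-host", src
    if proto == PROTO_ESP:
        return "esp", dst
    body = packet[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if proto == PROTO_UDP and IKE_PORT in (sport, dport):
            return "ike", dst
        if proto == PROTO_UDP and NAT_T_PORT in (sport, dport):
            return "nat-t", dst
        return "cleartext", (dst, proto, sport, dport)
    return "cleartext", (dst, proto, None, None)


def audit(packets, laptop_ip):
    """Count packet kinds and collect every cleartext packet the laptop sent."""
    counts = {}
    leaks = []
    for pkt in packets:
        kind, detail = classify(pkt, laptop_ip)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "cleartext":
            leaks.append(detail)
    return counts, leaks


# Constructed sample capture: what a sniffer on the 802.11b segment might see
SAMPLE_CAPTURE = [
    ipv4_packet(LAPTOP_IP, GATEWAY_IP, PROTO_UDP, udp_segment(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    ipv4_packet(LAPTOP_IP, GATEWAY_IP, PROTO_UDP, udp_segment(NAT_T_PORT, NAT_T_PORT, b"\x00" * 4 + b"\x22" * 20)),
    ipv4_packet(LAPTOP_IP, GATEWAY_IP, PROTO_ESP, b"\x00\x00\x10\x01" + b"\x00\x00\x00\x07" + b"\x5a" * 40),
    ipv4_packet(LAPTOP_IP, GATEWAY_IP, PROTO_ESP, b"\x00\x00\x10\x01" + b"\x00\x00\x00\x08" + b"\x5a" * 40),
    ipv4_packet(LAPTOP_IP, "10.1.1.10", PROTO_TCP, tcp_syn(49152, 80)),                     # leak: HTTP in the clear
    ipv4_packet(LAPTOP_IP, "10.251.7.1", PROTO_UDP, udp_segment(49153, 53, b"\x00" * 12)),  # leak: DNS in the clear
    ipv4_packet("10.251.7.60", GATEWAY_IP, PROTO_TCP, tcp_syn(40000, 22)),                  # another host, ignored
]

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_CAPTURE, LAPTOP_IP)
    print("packet kinds:", counts)
    for dst, proto, sport, dport in leaks:
        print(f"cleartext leak from laptop: proto {proto} {sport} -> {dst}:{dport}")
```

Any entry in the leak list means a packet left the wireless NIC outside the tunnel, which is exactly what the Secure > All Connections setting and the 0.0.0.0/0 local proxy ID are meant to prevent; a leak toward a local address is the usual sign that a subnet-scoped client policy was used instead.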

Applicable Products:

  • NetScreen-5XP
  • NetScreen-5XT
  • NetScreen-25
  • NetScreen-50
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500

Applicable ScreenOS:

  • 3.1.0
  • 4.0.0
  • 4.0.0-DIAL
  • 4.0.0-DIAL2
  • 4.0.1
  • 4.0.2
  • 4.0.3
