[ScreenOS] How to configure the NetScreen-Remote VPN client and Juniper firewall for the pre-shared key

Article ID: KB5746   Last Updated: 31 Jan 2013   Version: 6.0
Summary:
This article provides information on how to configure the NetScreen-Remote VPN client and Juniper firewall for the pre-shared key.
Symptoms:
Environment:

  • Pre-shared secret

  • VPN client

Symptoms and errors:

After clicking My Identity, the option to enter the pre-shared secret is not available.
Cause:

Solution:
Basic procedure:

  1. Create a Dial Up VPN User. If a Dial Up VPN Group is desired, add the Dial Up VPN User to that group.

  2. Create an IKE Gateway (P1), and specify a Preshared Secret to be used by everyone in that group.

  3. Create the VPN (P2), specifying the IKE Gateway that was defined in step 2.

  4. Create the VPN Policy, using the tunnel as specified in step 3.


Example:
Assume that a remote user needs to VPN into the corporate network. The network topology is as follows:


Assume that the remote user is given an IKE ID of the e-mail address remote@acme.com. The Untrust interface of the NetScreen device (the security gateway that NetScreen-Remote talks to) has the IP address 1.1.1.1. The destination is the internal network 172.16.10.0/24 (172.16.10.0 255.255.255.0).

The following example illustrates how to configure the VPN:

Configure Address Book Entry for the Internal Network:

Policy > Policy Elements > Addresses > Configuration

  1. Click Address
  2. Click Trust tab
  3. Click New Address
    1. Name: Internal Net
    2. IP Address: 172.16.10.0
    3. Netmask: 255.255.255.0
    4. Click OK.

Create the Dial Up VPN User

Objects > Users > Local > Edit

  1. Click Users
  2. Click New IKE/L2TP Users/Group
    1. Name:  Remote User
    2. Click Enable
    3. Select IKE User
    4. IKE Identity: remote@acme.com

Create the Phase 1 Proposals:

VPNs > AutoKey Advanced > Gateway > Edit

  1. Click the VPN Button
  2. Click IKE Gateway tab
  3. Click New Remote Gateway
    1. Name: Remote GW
    2. Click Dial Up User
    3. User Group: Remote User
    4. Click on Advanced option
    5. Click Aggressive mode
    6. Phase 1 Proposal: pre-g2-3des-md5
    7. Preshared Key: NetScreen
    8. Click OK.

Create the Phase 2 Proposals:

VPNs > AutoKey IKE > Edit

  1. Name: Remote VPN
  2. Gateway: Select Remote GW
  3. Click on Advanced option
  4. Phase 2 Proposal: nopfs-esp-3des-md5
  5. Replay Protection: Leave disabled
  6. VPN Monitor: Leave disabled
  7. Click OK

Configure the Policy for the Dial Up VPN

Policy > Policies (From Untrust To Trust)

  1. Click Policy button
  2. Click the Incoming tab
  3. Click New Policy
    1. Source Address: Dial-Up VPN
    2. Destination Address: Internal Net
    3. Service: Any
    4. VPN Tunnel: Remote VPN
    5. Click OK

CLI commands for the above configuration:

set user "Remote User" ike-id u-fqdn "remote@acme.com" share-limit 1
set user "Remote User" type ike
set user "Remote User" "enable"
set ike gateway "Remote GW" dialup "Remote User" Aggressive outgoing-interface "ethernet0/0" preshare "NetScreen" proposal "pre-g2-3des-md5"
set ike gateway "Remote GW" nat-traversal keepalive-frequency 5
set vpn "Remote VPN" gateway "Remote GW" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set address "Trust" "Internal Net" 172.16.10.0 255.255.255.0
set policy from "Untrust" to "Trust" "Dial-Up VPN" "Internal Net" "ANY" tunnel vpn "Remote VPN"

NetScreen Remote Configuration

To set up the NetScreen-Remote VPN Client or NetScreen-Remote Security client, refer to KB7733 - NetScreen-Remote (NSR) Getting Started Guide.
  1. Start the NetScreen-Remote Security Policy Editor and create a New Connection
  2. ID Type: IP Subnet
    1. Subnet: 172.16.10.0
    2. Mask: 255.255.255.0
  3. Click Connect using Secure Gateway Tunnel
    1. ID Type: IP Address; enter 1.1.1.1

  4. Expand the New Connection
  5. Click Security Policy
    1. Under Select Phase 1 Negotiation Mode, select Aggressive Mode.
    2. De-select Replay Protection

  6. Expand Security Policy
  7. Expand Authentication (Phase 1)
  8. Click Proposal 1
    1. Authentication Method: Pre-Shared Key
    2. Encrypt Alg: Triple DES
    3. Hash Alg: MD5
    4. Key Group: Diffie-Hellman Group 2

  9. Expand Key Exchange (Phase 2)
  10. Click Proposal 1
    1. Encrypt Alg: Triple DES
    2. Hash Alg: MD5

  11. Click My Identity
    1. Click Preshared Key
      1. Click Enter Key
      2. Enter the Preshared Key: NetScreen
      3. Click OK
    2. Select Certificate: None
    3. ID Type: Email Address
    4. Enter the email address remote@acme.com in the field below ID Type

  12. Save the security policy by clicking the floppy disk icon
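The firewall CLI and the NetScreen-Remote settings above must agree on the IKE identity, the pre-shared key and every Phase 1/Phase 2 proposal parameter, and each ScreenOS object must reference one that exists. The following Python check is an added example, not part of this article or of Juniper's tooling: it parses ScreenOS `set` lines of the kind shown above and compares them with the client's settings, flagging the mismatches that stop negotiation. The sample configuration and client settings are constructed from this article's values.

```python
import shlex
# Constructed sample: the firewall side of the article's example, names and hashes consistent.
FIREWALL_CLI = """
set user "Remote User" ike-id u-fqdn "remote@acme.com" share-limit 1
set user "Remote User" type ike
set ike gateway "Remote GW" dialup "Remote User" Aggressive outgoing-interface "ethernet0/0" preshare "NetScreen" proposal "pre-g2-3des-md5"
set vpn "Remote VPN" gateway "Remote GW" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set address "Trust" "Internal Net" 172.16.10.0 255.255.255.0
set policy from "Untrust" to "Trust" "Dial-Up VPN" "Internal Net" "ANY" tunnel vpn "Remote VPN"
"""
# Constructed sample: the NetScreen-Remote settings, written as the equivalent ScreenOS proposal names.
CLIENT = {"ike_id": "remote@acme.com", "preshare": "NetScreen",
          "p1": "pre-g2-3des-md5", "p2": "nopfs-esp-3des-md5"}
# (keyword, offset of its value): "ike-id u-fqdn <id>" carries the identity two tokens later.
KEYS = (("ike-id", 2), ("dialup", 1), ("preshare", 1), ("proposal", 1), ("gateway", 1))

def parse_cli(text):
    """Collect IKE users, gateways, VPNs, address entries and the tunnel policy."""
    cfg = {"user": {}, "gateway": {}, "vpn": {}, "addresses": set()}
    for line in filter(str.strip, text.splitlines()):
        t = shlex.split(line)                # keeps quoted names such as "Remote GW" whole
        kind = "gateway" if t[1] == "ike" else t[1]
        if kind in ("user", "gateway", "vpn"):
            obj = cfg[kind].setdefault(t[3] if kind == "gateway" else t[2], {})
            obj.update({k: t[t.index(k) + n] for k, n in KEYS if k in t})
        elif kind == "address":
            cfg["addresses"].add(t[3])
        elif kind == "policy":
            cfg["policy"] = {"dst": t[7], "vpn": t[t.index("vpn") + 1]}
    return cfg

def check(cfg, client):
    """Return the mismatches that keep Phase 1/Phase 2 from completing; [] means consistent."""
    out, pol = [], cfg["policy"]
    vpn = cfg["vpn"].get(pol["vpn"], {})
    gw = cfg["gateway"].get(vpn.get("gateway"), {})
    user = cfg["user"].get(gw.get("dialup"), {})
    for what, ref, found in (("address", pol["dst"], pol["dst"] in cfg["addresses"]), ("VPN", pol["vpn"], vpn),
                             ("gateway", vpn.get("gateway"), gw), ("IKE user", gw.get("dialup"), user)):
        if not found:
            out.append(f"reference to undefined {what} {ref!r}")
    if user and user.get("ike-id") != client["ike_id"]:
        out.append("IKE identity differs between firewall and client")
    if gw and gw.get("preshare") != client["preshare"]:
        out.append("pre-shared key differs between peers (it is case sensitive)")
    # Proposal names spell out their parameters (pre-g2-3des-md5 = pre-shared auth, DH group 2,
    # 3DES, MD5), so the firewall's and the client's can be compared field by field.
    for phase, obj, fields in (("p1", gw, ("auth", "dh", "enc", "hash")),
                               ("p2", vpn, ("pfs", "proto", "enc", "hash"))):
        for field, fw, cl in zip(fields, obj.get("proposal", "").split("-"), client[phase].split("-")):
            if fw != cl:
                out.append(f"{phase} {field} mismatch: firewall {fw} vs client {cl}")
    return out
```

Running `check(parse_cli(FIREWALL_CLI), CLIENT)` on the consistent sample returns an empty list; a gateway that names a user that was never defined, or a client Phase 2 hash of SHA against the firewall's MD5, each produce one finding.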

The following articles will be useful when troubleshooting a dial-up VPN:
