Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How do I create a Policy Based LAN to LAN VPN using Preshared Keys

0

0
Article ID: KB6210 KB Last Updated: 15 Feb 2013Version: 6.0 Summary:
Policy-based VPN - Both Sides have Static IPs using Pre-shared Keys
Symptoms:
Environment:
  • Preshared secrets
  • Policy Based VPN
  • Static IP Addresses on both gateways of VPN
Cause:

Solution:

This example assumes static IP addresses are assigned on both VPN devices in the VPN tunnel.  Assume the preshared secret used is netscreen.  The matrix below will show the proposals we will use for this example:

network drawing
Site A B
Untrust IP of Firewall 1.1.1.1 2.2.2.1
Trust Network 10.1.1.0/24 172.16.10.0/24
Phase 1 Proposal pre-g2-3des-sha pre-g2-3des-sha
Phase 2 Proposal g2-esp-3des-sha g2-esp-3des-sha

Site A:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site B GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 2.2.2.1
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Main
      3. Click Return
    7. Click OK
  3. Click Autokey IKE
  4. Click New
    1. VPN Name: Site B VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Click Return
    5. Click OK
  5. Click Policy
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 10.1.1.0/24
    2. Destination Address: Click New Address, and enter 172.16.10.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site B VPN
    6. Modify matching bidirectional VPN policy: Enabled
    7. Click Ok
    8. Position at Top: Enabled

Site B:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site A GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 1.1.1.1
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Main
      3. Click Return
    7. Click OK
  3. Click Autokey IKE
  4. Click New
    1. VPN Name: Site A VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Click Return
    5. Click OK
  5. Click Policy
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 172.16.10.0/24
    2. Destination Address: Click New Address, and enter 10.1.1.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site A VPN
    6. Modify matching bidirectional VPN policy: Enabled
    7. Click Ok
    8. Position at Top: Enabled

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search