
How do I create a LAN to LAN VPN using preshared secrets to a site with a Dynamically assigned IP address?


Article ID: KB6332
Last Updated: 11 Aug 2010
Version: 6.0
Summary:
Policy-based VPN - One Side has a Dynamic IP using Pre-shared Keys
Symptoms:
Environment:
  • Preshared secrets
  • Policy Based VPN
  • Static IP address on one gateway
  • Dynamically assigned IP address on one gateway
Solution:


This example assumes a static IP address is assigned to site A, and that site B gets its IP address dynamically via DHCP. The preshared secret used is netscreen. The table below shows the addresses and proposals used in this example:

                          Site A                Site B
  Untrust IP of Firewall  1.1.1.1               DHCP (local ID siteb.netscreen.com)
  Trust Network           10.1.1.0/24           172.16.10.0/24
  Phase 1 Proposal        pre-g2-3des-sha       pre-g2-3des-sha
  Phase 2 Proposal        g2-esp-3des-sha       g2-esp-3des-sha

Site A:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site B GW
    2. Security Level: Custom
    3. Remote Gateway: Click Dynamic IP Address, and enter peer id siteb.netscreen.com
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Aggressive
      3. Click Return
    7. Click OK
  3. Click Autokey IKE
  4. Click New
    1. VPN Name: Site B VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Click Return
    5. Click OK
  5. Click Policy
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 10.1.1.0/24
    2. Destination Address: Click New Address, and enter 172.16.10.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site B VPN
    6. Modify matching bidirectional VPN policy: Enabled
    7. Click Ok
    8. Position at Top: Enabled

Site B:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: Site A GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 1.1.1.1
    4. Preshared Key: netscreen
    5. Local ID: siteb.netscreen.com
    6. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    7. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Aggressive
      3. Click Return
    8. Click OK
  3. Click Autokey IKE
  4. Click New
    1. VPN Name: Site A VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Click Return
    5. Click OK
  5. Click Policy
  6. Select From Trust to Untrust Zone, and click New
    1. Source Address: Click New Address, and enter 172.16.10.0/24
    2. Destination Address: Click New Address, and enter 10.1.1.0/24
    3. Service: Any
    4. Action: Tunnel
    5. Tunnel: Site A VPN
    6. Modify matching bidirectional VPN policy: Enabled
    7. Click Ok
    8. Position at Top: Enabled

NOTE:
The VPN tunnel must be initiated from a host behind the gateway with the dynamically assigned IP address (site B). Site A cannot initiate because it does not know site B's current address; it only recognizes site B by its IKE ID (siteb.netscreen.com) once site B connects. A host behind the dynamically addressed firewall must therefore send traffic toward the remote network first; otherwise, the VPN tunnel will not be built.
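The same configuration for both sites in ScreenOS CLI form, as an added example that is not part of the original article. It uses the article's values (interface untrust, preshared key netscreen, the addresses and proposals from the table); lines beginning with # are annotations for the reader, not CLI input, and pair-policy is the CLI counterpart of the WebUI option "Modify matching bidirectional VPN policy".

```screenos
# ---- Site A: static untrust IP 1.1.1.1, trust network 10.1.1.0/24 ----
set address trust "10.1.1.0/24" 10.1.1.0 255.255.255.0
set address untrust "172.16.10.0/24" 172.16.10.0 255.255.255.0
# Phase 1: the peer is identified by its IKE ID, not an address, so aggressive mode is used
set ike gateway "Site B GW" dynamic siteb.netscreen.com aggressive outgoing-interface untrust preshare netscreen proposal pre-g2-3des-sha
# Phase 2
set vpn "Site B VPN" gateway "Site B GW" proposal g2-esp-3des-sha
# Bidirectional tunnel policies at the top of the policy list
set policy top name "To Site B" from trust to untrust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "Site B VPN" pair-policy "From Site B"
set policy top name "From Site B" from untrust to trust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "Site B VPN" pair-policy "To Site B"

# ---- Site B: DHCP-assigned untrust IP, trust network 172.16.10.0/24 ----
set address trust "172.16.10.0/24" 172.16.10.0 255.255.255.0
set address untrust "10.1.1.0/24" 10.1.1.0 255.255.255.0
# Phase 1: static peer, and this side presents the local ID that site A expects
set ike gateway "Site A GW" address 1.1.1.1 aggressive local-id siteb.netscreen.com outgoing-interface untrust preshare netscreen proposal pre-g2-3des-sha
# Phase 2
set vpn "Site A VPN" gateway "Site A GW" proposal g2-esp-3des-sha
# Bidirectional tunnel policies at the top of the policy list
set policy top name "To Site A" from trust to untrust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "Site A VPN" pair-policy "From Site A"
set policy top name "From Site A" from untrust to trust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "Site A VPN" pair-policy "To Site A"
```

After a host behind site B sends traffic to 10.1.1.0/24, the tunnel state can be checked on either firewall with get ike cookie and get sa.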
