How do I create a Route Based LAN to LAN VPN using preshared secrets (ScreenOS 5.x)

[KB6334]


Summary:
How do I create a Route Based LAN to LAN VPN using preshared secrets on ScreenOS 5.x? For instructions using ScreenOS 6.x, refer to KB14330.
Environment:
  • Preshared secrets
  • Route Based VPN
  • Static IP Addresses on both gateways of VPN

Note: This article replaces KB4177. KB4177 and its child articles are obsolete.


Solution:

This example assumes static IP addresses are assigned on both VPN devices in the VPN tunnel. The preshared secret used is netscreen. The table below lists the addresses and the Phase 1 / Phase 2 proposals used for this example:

Site                      A                   B
Untrust IP of Firewall    1.1.1.1             2.2.2.1
Trust Network             10.1.1.0/24         172.16.10.0/24
Phase 1 Proposal          pre-g2-3des-sha     pre-g2-3des-sha
Phase 2 Proposal          g2-esp-3des-sha     g2-esp-3des-sha

Site A:

  1. Create tunnel interface:
    Click Network > Interfaces
    1. Click New
      1. Interface Name: tunnel.1
      2. Zone: Untrust (trust-vr)
      3. Click unnumbered
      4. Interface Untrust (trust-vr)
      5. Click OK
  2. Click VPNs > AutoKey Advanced > Gateway
  3. Click New
    1. Gateway Name: Site B GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 2.2.2.1
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Main
      3. Click Return
    7. Click OK

  4. Click Autokey IKE
  5. Click New
    1. VPN Name: Site B VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Bind To: Tunnel Interface. Select tunnel.1
      3. Click Proxy ID
        1. Local IP/Netmask: 10.1.1.0 / 24
        2. Remote IP/Netmask: 172.16.10.0 /24
        3. Service: ANY
      4. Click Return
    5. Click OK

  6. Click Policy
  7. Select From Trust to Untrust Zone, and click New

    Note: Create this policy if VPN traffic initiated by clients in the Trust zone should be permitted. If VPN traffic initiated by clients in the Untrust zone should be permitted too, check 'Modify matching bidirectional VPN policy'.

    1. Source Address: Click New Address, and enter 10.1.1.0/24
    2. Destination Address: Click New Address, and enter 172.16.10.0/24
    3. Service: Any
    4. Action: Permit
    5. Modify matching bidirectional VPN policy: Enabled
    6. Click OK
    7. Position at Top: Enabled

  8. Create static route for destination network through VPN:
    Click Network > Routing > Routing Table (ScreenOS 5.2 and below) or Network > Routing > Destination (ScreenOS 5.3 and above)
    1. Click New
      1. Network Address / Netmask: 172.16.10.0 / 255.255.255.0
      2. Click Gateway
      3. Interface: tunnel.1
      4. Click OK

Site B:

  1. Create tunnel interface:
    Click Network > Interfaces
    1. Click New
      1. Interface Name: tunnel.1
      2. Zone: Untrust (trust-vr)
      3. Click unnumbered
      4. Interface Untrust (trust-vr)
      5. Click OK

  2. Click VPNs > AutoKey Advanced > Gateway
  3. Click New
    1. Gateway Name: Site A GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 1.1.1.1
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Main
      3. Click Return
    7. Click OK

  4. Click Autokey IKE
  5. Click New
    1. VPN Name: Site A VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Bind To: Tunnel Interface. Select tunnel.1
      3. Click Proxy ID
        1. Local IP/Netmask: 172.16.10.0 / 24
        2. Remote IP/Netmask: 10.1.1.0 /24
        3. Service: ANY
      4. Click Return
    5. Click OK

  6. Click Policy
  7. Select From Trust to Untrust Zone, and click New

    Note: Create this policy if VPN traffic initiated by clients in the Trust zone should be permitted. If VPN traffic initiated by clients in the Untrust zone should be permitted too, check 'Modify matching bidirectional VPN policy'.

    1. Source Address: Click New Address, and enter 172.16.10.0/24
    2. Destination Address: Click New Address, and enter 10.1.1.0/24
    3. Service: Any
    4. Action: Permit
    5. Modify matching bidirectional VPN policy: Enabled
    6. Click OK
    7. Position at Top: Enabled

  8. Create static route for destination network through VPN:
    Click Network > Routing > Routing Table (ScreenOS 5.2 and below) or Network > Routing > Destination (ScreenOS 5.3 and above)
    1. Click New
      1. Network Address / Netmask: 10.1.1.0 / 255.255.255.0
      2. Click Gateway
      3. Interface: tunnel.1
      4. Click OK
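The two site procedures above are mirror images of each other, and most failures of a LAN-to-LAN tunnel come from one side not mirroring the other exactly: a proposal or preshared key that differs, proxy IDs that are not swapped, a remote gateway that is not the peer's Untrust address, or a VPN bound to (or routed through) a tunnel interface that was never created. The following Python script is an added example, not a Juniper tool or code from this article: it models the WebUI fields of each site as a small record, decodes the ScreenOS predefined proposal names (pre-g2-3des-sha, g2-esp-3des-sha), and checks the pair for those inconsistencies. The SITE_A and SITE_B values are the ones from the table and steps above; the two faulty variants are constructed for demonstration.

```python
"""Consistency checks for the two ends of a ScreenOS-style route-based
LAN-to-LAN VPN (added example; it mirrors the WebUI fields of the procedure
and is not a Juniper tool). It flags the usual reasons a tunnel never
negotiates or never carries traffic: Phase 1/Phase 2 proposal or preshared
key mismatch, proxy IDs that are not exact mirror images, a remote gateway
that is not the peer's Untrust address, a VPN bound to a tunnel interface
that was never created, and a static route that does not use that interface.
"""
from dataclasses import dataclass, replace
import ipaddress
import re


@dataclass
class SiteConfig:
    name: str
    untrust_ip: str            # address of the firewall's Untrust interface
    trust_network: str         # LAN behind this firewall
    tunnel_interfaces: set     # tunnel interfaces created under Network > Interfaces
    remote_gateway_ip: str     # IKE gateway: Remote Gateway (static)
    preshared_key: str         # IKE gateway: Preshared Key
    phase1_proposal: str       # IKE gateway > Advanced: Phase 1 Proposal
    phase2_proposal: str       # AutoKey IKE > Advanced: Phase 2 Proposal
    bound_interface: str       # AutoKey IKE > Advanced: Bind To tunnel interface
    proxy_local: str           # Proxy ID: Local IP/Netmask
    proxy_remote: str          # Proxy ID: Remote IP/Netmask
    route_destination: str     # static route: Network Address/Netmask
    route_interface: str       # static route: Interface


# ScreenOS predefined proposal names, e.g. pre-g2-3des-sha / g2-esp-3des-sha.
PHASE1_RE = re.compile(r"^(pre|rsa|dsa)-g(\d+)-(\w+)-(md5|sha)$")
PHASE2_RE = re.compile(r"^(?:g(\d+)|nopfs)-esp-(\w+)-(md5|sha)$")


def parse_phase1(name):
    """pre-g2-3des-sha -> preshared-key authentication, DH group 2, 3DES, SHA-1."""
    m = PHASE1_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised Phase 1 proposal: {name}")
    auth = {"pre": "preshared-key", "rsa": "rsa-signature", "dsa": "dsa-signature"}[m.group(1)]
    return {"auth": auth, "dh_group": int(m.group(2)), "cipher": m.group(3), "hash": m.group(4)}


def parse_phase2(name):
    """g2-esp-3des-sha -> PFS with DH group 2, ESP, 3DES, SHA-1; nopfs-* has no PFS group.
    Only ESP proposal names are decoded here."""
    m = PHASE2_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised Phase 2 proposal: {name}")
    pfs = int(m.group(1)) if m.group(1) else None
    return {"pfs_group": pfs, "protocol": "esp", "cipher": m.group(2), "hash": m.group(3)}


def _net(text):
    """Accept the forms the WebUI shows ('10.1.1.0 / 24', '172.16.10.0 / 255.255.255.0')."""
    return ipaddress.ip_network(text.replace(" ", ""))


def check_pair(a, b):
    """Return the list of inconsistencies between the two tunnel endpoints; [] means consistent."""
    problems = []
    for site, peer in ((a, b), (b, a)):
        n = site.name
        if site.remote_gateway_ip != peer.untrust_ip:
            problems.append(f"{n}: remote gateway {site.remote_gateway_ip} is not {peer.name}'s Untrust IP {peer.untrust_ip}")
        if site.bound_interface not in site.tunnel_interfaces:
            problems.append(f"{n}: VPN is bound to {site.bound_interface}, which was never created")
        if site.route_interface not in site.tunnel_interfaces:
            problems.append(f"{n}: route to {site.route_destination} uses {site.route_interface}, which was never created")
        elif site.route_interface != site.bound_interface:
            problems.append(f"{n}: route interface {site.route_interface} differs from VPN binding {site.bound_interface}")
        if _net(site.route_destination) != _net(peer.trust_network):
            problems.append(f"{n}: static route {site.route_destination} does not match {peer.name}'s network {peer.trust_network}")
        if _net(site.proxy_local) != _net(site.trust_network) or _net(site.proxy_remote) != _net(peer.trust_network):
            problems.append(f"{n}: proxy ID {site.proxy_local} -> {site.proxy_remote} is not local network -> peer network")
    # Phase 1 / Phase 2 parameters and the preshared key must agree on both sides.
    if a.preshared_key != b.preshared_key:
        problems.append("preshared keys differ")
    if parse_phase1(a.phase1_proposal) != parse_phase1(b.phase1_proposal):
        problems.append(f"Phase 1 proposals differ: {a.phase1_proposal} vs {b.phase1_proposal}")
    if parse_phase2(a.phase2_proposal) != parse_phase2(b.phase2_proposal):
        problems.append(f"Phase 2 proposals differ: {a.phase2_proposal} vs {b.phase2_proposal}")
    return problems


# Values from the worked example above, entered as the procedure configures them.
SITE_A = SiteConfig(
    name="Site A", untrust_ip="1.1.1.1", trust_network="10.1.1.0/24",
    tunnel_interfaces={"tunnel.1"}, remote_gateway_ip="2.2.2.1", preshared_key="netscreen",
    phase1_proposal="pre-g2-3des-sha", phase2_proposal="g2-esp-3des-sha",
    bound_interface="tunnel.1", proxy_local="10.1.1.0 / 24", proxy_remote="172.16.10.0 /24",
    route_destination="172.16.10.0 / 255.255.255.0", route_interface="tunnel.1")
SITE_B = SiteConfig(
    name="Site B", untrust_ip="2.2.2.1", trust_network="172.16.10.0/24",
    tunnel_interfaces={"tunnel.1"}, remote_gateway_ip="1.1.1.1", preshared_key="netscreen",
    phase1_proposal="pre-g2-3des-sha", phase2_proposal="g2-esp-3des-sha",
    bound_interface="tunnel.1", proxy_local="172.16.10.0 / 24", proxy_remote="10.1.1.0 /24",
    route_destination="10.1.1.0 / 255.255.255.0", route_interface="tunnel.1")

# Constructed faulty variants: a VPN bound and routed through a tunnel interface that was
# never created, and a preshared key typed with a trailing space on one side.
SITE_B_WRONG_TUNNEL = replace(SITE_B, bound_interface="tunnel.2", route_interface="tunnel.2")
SITE_B_WRONG_KEY = replace(SITE_B, preshared_key="netscreen ")

if __name__ == "__main__":
    for label, peer in (("as documented", SITE_B), ("wrong tunnel", SITE_B_WRONG_TUNNEL), ("wrong key", SITE_B_WRONG_KEY)):
        print(f"{label}: {check_pair(SITE_A, peer) or 'consistent'}")
```

Run as-is it reports the documented pair as consistent and names the two constructed faults. The proxy ID check compares networks rather than strings, so "172.16.10.0 /24" and "172.16.10.0 / 255.255.255.0" are treated as the same prefix; this matters because ScreenOS matches proxy IDs exactly, and a /24 on one side against a /23 on the other is enough to leave Phase 2 failing while Phase 1 looks healthy.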


NOTE:
If the tunnel interface is bound to the Trust zone (i.e. you selected Zone: Trust in Step 1.1.2 instead of Untrust), no policies are needed, since everything is routed. The VPN communication is effectively a trust to trust policy.
On 1/31/2012, the example in this article was modified by putting the tunnel interfaces in the Untrust zone (instead of the Trust zone), so a policy is required.