How do I create a Route Based LAN to LAN VPN using preshared secrets to remote site with dynamically assigned IP address (ScreenOS 5.x)

[KB6335]


Summary:
How to create a route-based LAN-to-LAN VPN using preshared secrets to a remote site with a dynamically assigned IP address on ScreenOS 5.x. For instructions using ScreenOS 6.x, refer to KB15075.
Symptoms:
Environment:
  • Preshared secrets
  • Route Based VPN
  • Static IP address on one gateway
  • Dynamic IP address on one site

Note: This article replaces KB4768. KB4768 and its child articles are obsolete.

Cause:

Solution:

This example assumes a static IP address assigned at one site (Site A) and a dynamic IP address assigned at the other (Site B). Assume the preshared secret used is netscreen. The matrix below shows the proposals used in this example:

                          Site A                  Site B
  Untrust IP of Firewall  1.1.1.1                 DHCP (local ID siteb.netscreen.com)
  Trust Network           10.1.1.0/24             172.16.10.0/24
  Phase 1 Proposal        pre-g2-3des-sha         pre-g2-3des-sha
  Phase 2 Proposal        g2-esp-3des-sha         g2-esp-3des-sha


Site A (Static):

  1. Create tunnel interface:
    Click Network > Interfaces
    1. Click New
      1. Interface Name: tunnel.1
      2. Zone: Untrust (trust-vr)
      3. Click unnumbered
      4. Interface Untrust (trust-vr)
      5. Click OK

  2. Click VPNs > AutoKey Advanced > Gateway
  3. Click New
    1. Gateway Name: Site B GW
    2. Security Level: Custom
    3. Remote Gateway: Click Dynamic IP Address, and enter Peer ID siteb.netscreen.com
    4. Preshared Key: netscreen
    5. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    6. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Aggressive
      3. Click Return
    7. Click OK

  4. Click Autokey IKE
  5. Click New
    1. VPN Name: Site B VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Bind To: Tunnel Interface. Select tunnel.1
      3. Click Proxy ID
        1. Local IP/Netmask: 10.1.1.0 / 24
        2. Remote IP/Netmask: 172.16.10.0 /24
        3. Service: ANY
      4. Click Return
    5. Click OK

  6. Click Policy
  7. Select From Trust to Untrust Zone, and click New

    Note: If you want VPN traffic initiated by clients in the Trust zone to be allowed (permitted), create this policy.
    If you want VPN traffic initiated by clients in the Untrust zone to be allowed (permitted) too, check 'Modify matching bidirectional VPN policy'.

    1. Source Address: Click New Address, and enter 10.1.1.0/24
    2. Destination Address: Click New Address, and enter 172.16.10.0/24
    3. Service: Any
    4. Action: Permit
    5. Modify matching bidirectional VPN policy: Enabled
    6. Position at Top: Enabled
    7. Click Ok

  8. Create static route for destination network through VPN:
    Click Network > Routing > Routing Table (ScreenOS 5.2 and below) or Destination (ScreenOS 5.3 and above)
    1. Click New
      1. Network Address / Netmask: 172.16.10.0 / 255.255.255.0
      2. Click Gateway
      3. Interface: tunnel.1
      4. Click OK

Site B:

  1. Create tunnel interface:
    Click Network > Interfaces
    1. Click New
      1. Interface Name: tunnel.1
      2. Zone: Untrust (trust-vr)
      3. Click unnumbered
      4. Interface Untrust (trust-vr)
      5. Click OK

  2. Click VPNs > AutoKey Advanced > Gateway
  3. Click New
    1. Gateway Name: Site A GW
    2. Security Level: Custom
    3. Remote Gateway: Click Static, and enter IP address 1.1.1.1
    4. Preshared Key: netscreen
    5. Local ID: siteb.netscreen.com
    6. Outgoing Interface: untrust (or whichever interface goes out to the Internet)
    7. Click Advanced
      1. Phase 1 Proposal: pre-g2-3des-sha
      2. Mode (Initiator): Aggressive
      3. Click Return
    8. Click OK

  4. Click Autokey IKE
  5. Click New
    1. VPN Name: Site A VPN
    2. Security Level: Custom
    3. Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
    4. Click Advanced
      1. Phase 2 Proposal: g2-esp-3des-sha
      2. Bind To: Tunnel Interface. Select tunnel.1 (the tunnel interface created on Site B in step 1)
      3. Click Proxy ID
        1. Local IP/Netmask: 172.16.10.0 / 24
        2. Remote IP/Netmask: 10.1.1.0 /24
        3. Service: ANY
      4. Click Return
    5. Click OK

  6. Click Policy
  7. Select From Trust to Untrust Zone, and click New

    Note: If you want VPN traffic initiated by clients in the Trust zone to be allowed (permitted), create this policy.
    If you want VPN traffic initiated by clients in the Untrust zone to be allowed (permitted) too, check 'Modify matching bidirectional VPN policy'.

    1. Source Address: Click New Address, and enter 172.16.10.0/24
    2. Destination Address: Click New Address, and enter 10.1.1.0/24
    3. Service: Any
    4. Action: Permit
    5. Modify matching bidirectional VPN policy: Enabled
    6. Position at Top: Enabled
    7. Click Ok

  8. Create static route for destination network through VPN:
    Click Network > Routing > Routing Table (ScreenOS 5.2 and below) or Destination (ScreenOS 5.3 and above)
    1. Click New
      1. Network Address / Netmask: 10.1.1.0 / 255.255.255.0
      2. Click Gateway
      3. Interface: tunnel.1 (the tunnel interface created on Site B in step 1)
      4. Click OK
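For administrators who configure from the CLI rather than the WebUI, here are the steps for both sites written as the equivalent ScreenOS 5.x `set` commands. This is an added example, not configuration from the original article; the command syntax is my rendering of the ScreenOS CLI, the values are the article's (the preshared key `netscreen` is the article's placeholder), and the reverse untrust-to-trust policy is my reading of what the 'Modify matching bidirectional VPN policy' checkbox produces. Both sites use tunnel.1, matching the tunnel interface each site creates in step 1. Lines beginning with `#` are annotations, not ScreenOS commands; strip them before pasting.

```text
# ---------- Site A (static Untrust IP 1.1.1.1) ----------
# Step 1: unnumbered tunnel interface in the Untrust zone (trust-vr)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface untrust
# Address objects used by the policy (names are my choice)
set address trust "10.1.1.0/24" 10.1.1.0 255.255.255.0
set address untrust "172.16.10.0/24" 172.16.10.0 255.255.255.0
# Steps 2-3: Phase 1 gateway; the peer is known only by its IKE ID, so aggressive mode
set ike gateway "Site B GW" dynamic siteb.netscreen.com aggressive outgoing-interface untrust preshare netscreen proposal pre-g2-3des-sha
# Steps 4-5: Phase 2 VPN bound to tunnel.1 with explicit proxy IDs
set vpn "Site B VPN" gateway "Site B GW" proposal g2-esp-3des-sha
set vpn "Site B VPN" bind interface tunnel.1
set vpn "Site B VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 172.16.10.0/24 any
# Steps 6-7: permit policies; the second one is the bidirectional counterpart
set policy top from trust to untrust "10.1.1.0/24" "172.16.10.0/24" any permit
set policy top from untrust to trust "172.16.10.0/24" "10.1.1.0/24" any permit
# Step 8: route the remote LAN into the tunnel
set route 172.16.10.0/24 interface tunnel.1

# ---------- Site B (DHCP-assigned Untrust IP, local ID siteb.netscreen.com) ----------
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface untrust
set address trust "172.16.10.0/24" 172.16.10.0 255.255.255.0
set address untrust "10.1.1.0/24" 10.1.1.0 255.255.255.0
# Static peer address plus our own local ID, which must equal the Peer ID configured on Site A
set ike gateway "Site A GW" address 1.1.1.1 aggressive local-id siteb.netscreen.com outgoing-interface untrust preshare netscreen proposal pre-g2-3des-sha
set vpn "Site A VPN" gateway "Site A GW" proposal g2-esp-3des-sha
set vpn "Site A VPN" bind interface tunnel.1
set vpn "Site A VPN" proxy-id local-ip 172.16.10.0/24 remote-ip 10.1.1.0/24 any
set policy top from trust to untrust "172.16.10.0/24" "10.1.1.0/24" any permit
set policy top from untrust to trust "10.1.1.0/24" "172.16.10.0/24" any permit
set route 10.1.1.0/24 interface tunnel.1

# ---------- Verification (either side) ----------
get ike cookies          # Phase 1 SA present for the peer
get sa                   # Phase 2 SAs; "A/-" in the status column means active
get route                # remote LAN should resolve to tunnel.1
get interface tunnel.1   # interface up and bound to the VPN
```

Two points worth checking against this configuration. First, the proxy IDs must mirror each other exactly (Site A local = Site B remote and vice versa), since a mismatch is the most common reason Phase 1 completes but Phase 2 never does. Second, aggressive mode is unavoidable here because the static side identifies the dynamic peer by its IKE ID rather than its address, and in aggressive mode the identity and the preshared-key-authenticated hash are exchanged before encryption starts, so a dictionary word such as the article's placeholder `netscreen` exposes the key to offline guessing by anyone who captures the exchange; use a long, random preshared secret in production.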

NOTE:

If the tunnel interface is bound to the Trust zone (i.e., you selected Zone: Trust in step 1.1.2), no policies are needed, since everything is routed. The VPN communication is then effectively trust-to-trust traffic.
On 1/31/2012, the example in this article was modified by putting the tunnel interfaces in the Untrust zone (instead of the Trust zone), so a policy is required.
