How To: Create Multiple Dial Up VPN using same IKE ID (ScreenOS 5.x)

Article ID: KB6623 | Last Updated: 15 Mar 2012 | Version: 6.0
Summary:
How To: Create Multiple Dial Up VPN using same IKE ID
 
For ScreenOS 6.0 and later examples, refer to KB8535 - Configuring a NetScreen-Remote Dial-Up VPN.

Environment:
  • Shared IKE ID
  • Deploy large number of remote clients
Solution:

Note: This example applies to ScreenOS 5.x.


"Shared IKE ID". This ScreenOS feature lets you deploy and manage a large number of NetScreen-Remote (NSR) VPN clients with minimal configuration on both the firewall and the client. The administrator deploys a single IKE tunnel ID (and preshared key) to all NSR clients and requires each user to authenticate individually through XAuth. This saves administrative work in two ways:

  1. IPSec protection is provided by one common VPN tunnel configuration shared by all clients, and
  2. when an employee leaves the company, the administrator removes only that person's XAuth account and is no longer required to re-deploy a new group IKE ID to the remaining users. (The shared IKE ID and preshared key stay valid for everyone, so the XAuth account is the per-user control; remove it promptly.)

Example: Assume two users, Mike and Joe, need to reach a server on the trusted side of the Juniper firewall. The administrator wants to deploy a single dial-up VPN user configuration and have each user authenticated individually.

  Parameter                  NetScreen-Remote (client)                    NetScreen (firewall)
  Shared IKE User            -                                            Remote_Sales
  Shared IKE ID              sales@ns.com                                 sales@ns.com
  User Group                 -                                            R_S
  XAuth User 1 / Password    (entered at the login prompt)                Joe / netscreen
  XAuth User 2 / Password    (entered at the login prompt)                Mike / support
  Phase 1 Proposal           Preshared Secret; Extended Authentication;   pre-g2-3des-sha
                             Triple DES; SHA; Diffie-Hellman Group 2
  Phase 2 Proposal           Triple DES; SHA-1                            nopfs-esp-3des-sha

The basic steps in deploying this configuration are as follows:

Juniper Firewall Side:

  1. Define an IKE ID user (without XAuth authentication)
  2. Assign the IKE ID user from step 1 to a new dial-up user group
  3. Define separate XAuth users (with no IKE ID configuration)
  4. Define the IKE Phase 1 gateway, and DO NOT select "Use as Seed"
  5. Define the IKE Phase 2 VPN as usual
  6. Define the dial-up VPN policy as usual

NetScreen-Remote VPN Client Side:

  1. Enter the Remote Party Identity and Address, and the Secure Gateway Tunnel, as normal
  2. Under My Identity, select ID type E-mail Address, and enter the IKE ID defined in step 1 of the firewall-side procedure
  3. Click Pre-Shared Key, and enter the preshared key defined in step 4 of the firewall-side procedure
  4. Configure Phase 1 for XAuth and Phase 2 to match the configuration on the firewall side

WebUI Configuration of Firewall Side:

  1. Click Objects > Users > Local
    1. Click New
      1. Username: Remote_Sales
      2. Enable IKE User (Do not select XAuth User)
      3. Number of Multiple Logins with Same ID: 250 (choose the maximum number of simultaneous users you want logged in under this IKE ID)
      4. Click Simple Identity
      5. IKE Identity: sales@ns.com
        • Note: IKE ID must be an e-mail address
      6. Click OK
    2. Click New
      1. Username: Joe
      2. Click XAuth User (Do not select IKE User)
      3. User Password: netscreen
      4. Confirm Password: netscreen
      5. Click OK
    3. Click New
      1. Username: Mike
      2. Click XAuth User (Do not select IKE User)
      3. User Password: support
      4. Confirm Password: support
      5. Click OK
  2. Click Objects > User Groups > Local
    1. Click New
      1. Group Name: R_S
      2. Under Available Members, select Remote_Sales, and click << directional button
      3. Click OK
  3. Click VPNs > AutoKey Advanced > Gateway
    1. Click New
      1. Gateway Name: Sales
      2. Click Dialup User Group, and select R_S from the Group pulldown menu
      3. Preshared Key: sharedikeid (do not enable "Use as Seed"; that option is only used when configuring a Group IKE ID with Global Pro/Express)
      4. Outgoing Interface: ethernet3 (Choose whatever is your outgoing interface to the Internet)
      5. Click Advanced Button
        1. Security Level: Select Custom, and select Phase 1 Proposal pre-g2-3des-sha
        2. Mode (Initiator): Aggressive
        3. Click Enable XAuth
        4. Click Return
      6. Click OK
  4. Click VPNs > AutoKey IKE
    1. Click New
      1. VPN Name: Sales_VPN
      2. Remote Gateway: Click Predefined, and select Sales from the pulldown menu
      3. Click Advanced
        1. Security Level: Select Custom, and select Phase 2 Proposal nopfs-esp-3des-sha
        2. Click Return
      4. Click OK
  5. Click Policies
    1. Select From Untrust to Trust zone, and click New
      1. Source Address:Click Address Book, and select Dial-Up VPN
      2. Destination Address: Click New Address, and enter 172.16.10.0/24
      3. Service: ANY
      4. Action: Tunnel
      5. Tunnel VPN: Sales_VPN
      6. Click OK
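The same firewall-side configuration entered at the ScreenOS CLI, added here as an example; it is not part of the original article. It uses the user names, passwords, group, gateway, interface and subnet from the WebUI steps above. The command forms follow the ScreenOS 5.x CLI as documented for shared IKE ID deployments; verify them against the CLI reference for your release before pasting. The address object name Server_Net is an assumption (the WebUI step creates the address without naming it), and the lines beginning with # are explanatory only (ScreenOS has no comment syntax), so strip them before pasting.

```screenos
# Shared IKE ID user: one IKE identity (an e-mail address, hence u-fqdn)
# shared by up to 250 concurrent clients. No password, no XAuth on this user.
set user Remote_Sales ike-id u-fqdn sales@ns.com share-limit 250

# Put the shared IKE user into the dial-up user group the gateway will reference
set user-group R_S user Remote_Sales

# Individual XAuth users: a password and the xauth type, no IKE ID
set user Joe password netscreen
set user Joe type xauth
set user Mike password support
set user Mike type xauth

# Phase 1 gateway: dial-up group R_S, aggressive mode, preshared key,
# custom proposal pre-g2-3des-sha; "Use as Seed" is NOT set.
set ike gateway Sales dialup R_S aggressive outgoing-interface ethernet3 preshare sharedikeid proposal pre-g2-3des-sha
# Require XAuth between Phase 1 and Phase 2
set ike gateway Sales xauth

# Phase 2 VPN bound to the gateway, no PFS, custom proposal
set vpn Sales_VPN gateway Sales tunnel proposal nopfs-esp-3des-sha

# Protected server subnet (object name Server_Net is an assumption) and
# the dial-up policy from Untrust to Trust, action tunnel
set address trust Server_Net 172.16.10.0 255.255.255.0
set policy from untrust to trust "Dial-Up VPN" Server_Net any tunnel vpn Sales_VPN
save

# Checks once a client has connected: Phase 1 SAs (one per client under the
# shared ID) and the active Phase 2 SAs
get ike cookie
get sa active
```

Each connected client appears as its own Phase 1 SA under the single sales@ns.com identity; the share-limit of 250 caps how many of those may exist at once. Removing a user is `unset user Joe`, which revokes that person's XAuth login without touching the shared IKE ID, preshared key or the remaining users' SPD files.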

NetScreen-Remote Side:

  1. Create a new policy by clicking the New Connection icon in the upper left corner, and label the new connection Corporate
  2. On Remote Party Identity and Addressing
    1. ID Type: IP Subnet
    2. Subnet: 172.16.10.0
    3. Netmask: 255.255.255.0
    4. Click Connect using Secure Gateway Tunnel
    5. ID Type: IP Address: 1.1.1.1 (the firewall's outgoing interface address; 1.1.1.1 is a placeholder in this example)
  3. Expand the connection Corporate
    1. Click Security Policy
      1. Select Phase 1 Negotiation Mode: Aggressive
      2. De-Select Enable Perfect Forward Secrecy (PFS)
      3. De-select "Enable Replay Detection"
    2. Click My Identity
      1. Select Certificate: None
      2. ID Type: Email address: sales@ns.com
      3. Click Pre-Shared Key
        1. Click Enter Key
          1. Enter the Pre-shared key sharedikeid
          2. Click OK
    3. Expand Security Policy
      1. Expand Authentication (Phase 1)
        1. Select Proposal  1
          1. Authentication Method: Pre-Shared Key;Extended Authentication
          2. Encryption Alg: Triple DES
          3. Hash Alg: SHA
          4. SA Life: Unspecified
          5. Key Group: Diffie-Hellman Group 2
      2. Expand Key Exchange (Phase 2)
        1. Select Proposal 1
          1. Encrypt Alg. Triple DES
          2. Hash Alg. SHA
          3. Encapsulation: Tunnel
    4. Click Save

How this works:

During Phase 1 negotiation, the firewall first authenticates the VPN client by matching the IKE ID and preshared key sent by the client against those configured on the firewall. If they match, the firewall then uses XAuth to authenticate the individual user: a login prompt is sent from the firewall to the user at the remote site. This happens between the Phase 1 and Phase 2 IKE negotiations. If the remote user logs on with the correct user name and password, Phase 2 negotiation begins; otherwise no tunnel is established.

The administrator can now export this one SPD file to all remote users, and every user imports the same .spd file into the NetScreen-Remote VPN client. When a user brings up the tunnel, the client prompts for that user's own XAuth user name and password. In this example, when Joe connects to the VPN he is prompted for a login and enters Joe/netscreen; when Mike connects, he is prompted for a login and enters Mike/support.
