How to: Create a LAN to LAN VPN using the Juniper Firewall as an XAuth Client

  [KB6699]


Summary:
How to: Create a LAN to LAN VPN using the Juniper Firewall as an XAuth Client
Symptoms:
Environment:
  • XAuth client
  • LAN to LAN VPN
  • Untrust IP obtained via DHCP
Solution:

| Site                   | A                   | B                   |
|------------------------|---------------------|---------------------|
| Untrust IP of Firewall | Dynamic IP          | 172.16.20.1         |
| Trust Network          | 192.168.10.0/24     | 192.168.20.0/24     |
| Local ID               | ns5xt.netscreen.com | N/A                 |
| Peer ID                | N/A                 | ns5xt.netscreen.com |
| Preshared Key          | support             | support             |
| Phase 1 Proposal       | pre-g2-3des-sha     | pre-g2-3des-sha     |
| Phase 2 Proposal       | g2-esp-3des-sha     | g2-esp-3des-sha     |

Building a VPN using a Juniper Firewall as an XAuth client requires you to create an XAuth user account on the remote gateway, or to have the remote gateway query a RADIUS server, so that the XAuth user can be authenticated during Phase 1 IKE negotiation. In this example, we will create an XAuth user account on Juniper Firewall-B.

Configuration of Juniper Firewall-B:

Create the XAuth User on Juniper Firewall-B:

  1. Click Objects > Users > Local
  2. Click New
    1. User Name: XAuth
    2. Click XAuth User
    3. User Password: netscreen
    4. Confirm Password: netscreen
  3. Click OK

Phase 1 on Juniper Firewall-B:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: XAuth GW
    2. Remote Gateway Type
      1. Click Dynamic IP Address
      2. Peer ID: ns5xt.netscreen.com
    3. Preshared Key: support
    4. Click Advanced
      1. Security Level: User Defined
      2. Phase 1 Proposal: pre-g2-3des-sha
      3. Mode (Initiator): Aggressive
      4. Click XAuth Server
      5. Click Return
    5. Click OK

Phase 2 on Juniper Firewall-B:

  1. Click VPNs > Auto Key IKE
  2. Click New
    1. VPN Name: XAuth VPN
    2. Remote Gateway
      1. Predefined
      2. XAuth GW
    3. Click Advanced
      1. Security Level: User Defined
      2. Phase 2 Proposal: g2-esp-3des-sha
      3. Click Return
    4. Click OK

VPN Policy on Juniper Firewall-B:

  1. Click Policies
  2. Select From Trust to Untrust Zone and click New
    1. Source Address:
      1. Click New Address: 192.168.20.0 / 24
    2. Destination Address:
      1. Click New Address: 192.168.10.0 / 24
    3. Service: ANY
    4. Action: Tunnel
    5. Tunnel VPN: XAuth VPN
    6. Click Modify matching bidirectional VPN policy
    7. Click Position at Top
    8. Click OK

Configuration of Juniper Firewall-A:

Phase 1 on Juniper Firewall-A:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: XAuth GW B
    2. Remote Gateway Type:
      1. Click Static IP Address
      2. 172.16.20.1
    3. Preshared Key: support
    4. Local ID: ns5xt.netscreen.com
    5. Click Advanced
      1. Security Level: User Defined
      2. Phase 1 Proposal: pre-g2-3des-sha
      3. Mode (Initiator): Aggressive
      4. Click XAuth Client
        1. Username: XAuth
        2. Password: netscreen
      5. Click Return
    6. Click OK

Phase 2 on Juniper Firewall-A:

  1. Click VPNs > Auto Key IKE
  2. Click New
    1. VPN Name: XAuth VPN B
    2. Remote Gateway
      1. Predefined
      2. XAuth GW B
    3. Click Advanced
      1. Security Level: User Defined
      2. Phase 2 Proposal: g2-esp-3des-sha
      3. Click Return
    4. Click OK

VPN Policy on Juniper Firewall-A:

  1. Click Policies
  2. Select From Trust to Untrust Zone and click New
    1. Source Address:
      1. Click New Address: 192.168.10.0 / 24
    2. Destination Address:
      1. Click New Address: 192.168.20.0 / 24
    3. Service: ANY
    4. Action: Tunnel
    5. Tunnel VPN: XAuth VPN B
    6. Click Modify matching bidirectional VPN policy
    7. Click Position at Top
    8. Click OK

The VPN tunnel has to be initiated from Juniper Firewall-A, the XAuth client. Behind the scenes, during Phase 1, Juniper Firewall-B challenges Juniper Firewall-A for an XAuth username and password, and Juniper Firewall-A answers with the XAuth client credentials defined in its gateway configuration.
