
How to: Create a LAN to LAN VPN using the Juniper Firewall as an XAuth Client

Article ID: KB6699    KB Last Updated: 11 Aug 2010    Version: 5.0
Summary:
How to: Create a LAN to LAN VPN using the Juniper Firewall as an XAuth Client
Symptoms:
Environment:
  • XAuth client
  • LAN to LAN VPN
  • Untrust IP obtained via DHCP
Solution:

Site                     A                        B
Untrust IP of Firewall   Dynamic IP               172.16.20.1
Trust Network            192.168.10.0/24          192.168.20.0/24
Local ID                 ns5xt.netscreen.com      N/A
Peer ID                                           ns5xt.netscreen.com
Preshared Key            support                  support
Phase 1 Proposal         pre-g2-3des-sha          pre-g2-3des-sha
Phase 2 Proposal         g2-esp-3des-sha          g2-esp-3des-sha

Building a VPN with a Juniper firewall as an XAuth client requires an XAuth user account on the remote gateway, or a RADIUS server that the remote gateway queries, so that the XAuth user can be authenticated during the phase 1 IKE negotiation. In this example, the XAuth user account is created locally on Juniper Firewall-B.

Configuration of Juniper Firewall-B:

Create the XAuth User on Juniper Firewall-B:

  1. Click Objects > Users > Local
  2. Click New
    1. User Name: XAuth
    2. Click XAuth User
    3. User Password: netscreen
    4. Confirm Password: netscreen
  3. Click OK

Phase 1 on Juniper Firewall-B:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: XAuth GW
    2. Remote Gateway Type
      1. Click Dynamic IP Address
      2. Peer ID: ns5xt.netscreen.com
    3. Preshared Key: support
    4. Click Advanced
      1. Security Level: User Defined
      2. Phase 1 Proposal: pre-g2-3des-sha
      3. Mode (Initiator): Aggressive
      4. Click XAuth Server
      5. Click Return
    5. Click OK

Phase 2 on Juniper Firewall-B:

  1. Click VPNs > Auto Key IKE
  2. Click New
    1. VPN Name: XAuth VPN
    2. Remote Gateway
      1. Predefined
      2. XAuth GW
    3. Click Advanced
      1. Security Level: User Defined
      2. Phase 2 Proposal: g2-esp-3des-sha
      3. Click Return
    4. Click OK

VPN Policy on Juniper Firewall-B:

  1. Click Policies
  2. Select From Trust to Untrust Zone and click New
    1. Source Address:
      1. Click New Address: 192.168.20.0 / 24
    2. Destination Address:
      1. Click New Address: 192.168.10.0 / 24
    3. Service: ANY
    4. Action: Tunnel
    5. Tunnel VPN: XAuth VPN
    6. Click Modify matching bidirectional VPN policy
    7. Click Position at Top
    8. Click OK

Configuration of Juniper Firewall-A:

Phase 1 on Juniper Firewall-A:

  1. Click VPNs > AutoKey Advanced > Gateway
  2. Click New
    1. Gateway Name: XAuth GW B
    2. Remote Gateway Type:
      1. Click Static IP Address
      2. 172.16.20.1
    3. Preshared Key: support
    4. Local ID: ns5xt.netscreen.com
    5. Click Advanced
      1. Security Level: User Defined
      2. Phase 1 Proposal: pre-g2-3des-sha
      3. Mode (Initiator): Aggressive
      4. Click XAuth Client
        1. Username: XAuth
        2. Password: netscreen
      5. Click Return
    6. Click OK

Phase 2 on Juniper Firewall-A:

  1. Click VPNs > Auto Key IKE
  2. Click New
    1. VPN Name: XAuth VPN B
    2. Remote Gateway
      1. Predefined
      2. XAuth GW B
    3. Click Advanced
      1. Security Level: User Defined
      2. Phase 2 Proposal: g2-esp-3des-sha
      3. Click Return
    4. Click OK

VPN Policy on Juniper Firewall-A:

  1. Click Policies
  2. Select From Trust to Untrust Zone and click New
    1. Source Address:
      1. Click New Address: 192.168.10.0 / 24
    2. Destination Address:
      1. Click New Address: 192.168.20.0 / 24
    3. Service: ANY
    4. Action: Tunnel
    5. Tunnel VPN: XAuth VPN B
    6. Click Modify matching bidirectional VPN policy
    7. Click Position at Top
    8. Click OK

The VPN tunnel must be initiated from Juniper Firewall-A, the XAuth client. During phase 1, Juniper Firewall-B challenges Juniper Firewall-A for an XAuth login and password, and Juniper Firewall-A answers with the XAuth credentials defined in its Phase 1 gateway configuration.
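The same two-sided configuration expressed as ScreenOS CLI, added here as an example and not part of the KB article: it assumes the ScreenOS `set` command syntax as recalled here (check it against the CLI reference for your release), an outgoing interface named `untrust`, and policy IDs 1 and 2 for the bidirectional pair; lines beginning with `#` are explanatory comments, not commands.

```screenos
# ---- Juniper Firewall-B (XAuth server, static untrust IP 172.16.20.1) ----
# Local XAuth user that Firewall-A presents during phase 1
set user "XAuth" type xauth
set user "XAuth" password "netscreen"
set user "XAuth" "enable"

# Phase 1: dynamic peer identified by its IKE ID, aggressive mode, PSK;
# this gateway acts as XAuth server against the local user database
set ike gateway "XAuth GW" dynamic "ns5xt.netscreen.com" aggressive outgoing-interface "untrust" preshare "support" proposal "pre-g2-3des-sha"
set ike gateway "XAuth GW" xauth server Local

# Phase 2
set vpn "XAuth VPN" gateway "XAuth GW" proposal "g2-esp-3des-sha"

# Address objects and the tunnel policy pair (CLI counterpart of
# "Modify matching bidirectional VPN policy" + "Position at Top")
set address "Trust" "192.168.20.0/24" 192.168.20.0 255.255.255.0
set address "Untrust" "192.168.10.0/24" 192.168.10.0 255.255.255.0
set policy id 1 top from "Trust" to "Untrust" "192.168.20.0/24" "192.168.10.0/24" "ANY" tunnel vpn "XAuth VPN" pair-policy 2
set policy id 2 top from "Untrust" to "Trust" "192.168.10.0/24" "192.168.20.0/24" "ANY" tunnel vpn "XAuth VPN" pair-policy 1

# ---- Juniper Firewall-A (XAuth client, dynamic untrust IP) ----
# Phase 1: static peer, aggressive mode, local ID sent as IKE ID,
# XAuth client credentials answered when Firewall-B challenges
set ike gateway "XAuth GW B" address 172.16.20.1 aggressive local-id "ns5xt.netscreen.com" outgoing-interface "untrust" preshare "support" proposal "pre-g2-3des-sha"
set ike gateway "XAuth GW B" xauth client any username "XAuth" password "netscreen"

# Phase 2
set vpn "XAuth VPN B" gateway "XAuth GW B" proposal "g2-esp-3des-sha"

# Mirrored address objects and policy pair
set address "Trust" "192.168.10.0/24" 192.168.10.0 255.255.255.0
set address "Untrust" "192.168.20.0/24" 192.168.20.0 255.255.255.0
set policy id 1 top from "Trust" to "Untrust" "192.168.10.0/24" "192.168.20.0/24" "ANY" tunnel vpn "XAuth VPN B" pair-policy 2
set policy id 2 top from "Untrust" to "Trust" "192.168.20.0/24" "192.168.10.0/24" "ANY" tunnel vpn "XAuth VPN B" pair-policy 1

# Verify on Firewall-A after sending traffic toward 192.168.20.0/24:
# phase 1 state, then the active phase 2 SAs
get ike cookie
get sa active
```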
